frantzcj at gmail
Sep 7, 2009, 9:09 AM
Post #1 of 8
(860 views)
Permalink
|
|
Controlling the cipher list for SSL connections
|
|
Greetings,
I would like to be able to set the cipher list when creating an SSL
connection. It appears that the current SSL module doesn't provide
this functionality.
The attached patch (against trunk) adds this ability to SSLSocket.
Thank you,
--Chris
PS: Please reply directly to me, as I'm not subscribed to this list.
Index: Python-2.7/Lib/ssl.py
===================================================================
--- Python-2.7/Lib/ssl.py (revision 74703)
+++ Python-2.7/Lib/ssl.py (working copy)
@@ -88,7 +88,7 @@
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True,
- suppress_ragged_eofs=True):
+ suppress_ragged_eofs=True, cipher_list=None):
socket.__init__(self, _sock=sock._sock)
# the initializer for socket trashes the methods (tsk, tsk), so...
self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
@@ -110,7 +110,8 @@
# yes, create the SSL object
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile,
- cert_reqs, ssl_version, ca_certs)
+ cert_reqs, ssl_version,
+ ca_certs, cipher_list)
if do_handshake_on_connect:
timeout = self.gettimeout()
try:
Index: Python-2.7/Modules/_ssl.c
===================================================================
--- Python-2.7/Modules/_ssl.c (revision 74703)
+++ Python-2.7/Modules/_ssl.c (working copy)
@@ -261,7 +261,8 @@
enum py_ssl_server_or_client socket_type,
enum py_ssl_cert_requirements certreq,
enum py_ssl_version proto_version,
- char *cacerts_file)
+ char *cacerts_file,
+ char *cipher_list)
{
PySSLObject *self;
char *errstr = NULL;
@@ -366,6 +367,9 @@
SSL_CTX_set_verify(self->ctx, verification_mode,
NULL); /* set verify lvl */
+ if (cipher_list)
+ SSL_CTX_set_cipher_list(self->ctx, cipher_list);
+
PySSL_BEGIN_ALLOW_THREADS
self->ssl = SSL_new(self->ctx); /* New ssl struct */
PySSL_END_ALLOW_THREADS
@@ -407,14 +411,17 @@
char *key_file = NULL;
char *cert_file = NULL;
char *cacerts_file = NULL;
+ char *cipher_list = NULL;
- if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
+
+ if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
PySocketModule.Sock_Type,
&Sock,
&server_side,
&key_file, &cert_file,
&verification_mode, &protocol,
- &cacerts_file))
+ &cacerts_file,
+ &cipher_list))
return NULL;
/*
@@ -427,12 +434,12 @@
return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
server_side, verification_mode,
- protocol, cacerts_file);
+ protocol, cacerts_file, cipher_list);
}
PyDoc_STRVAR(ssl_doc,
"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
-" cacertsfile]) -> sslobject");
+" cacertsfile, cipherlist]) -> sslobject");
/* SSL object methods */
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com
|
signature.asc
