Antoine Pitrou added the comment: > create_default_context is about best practices, though, so it seems to > me it wouldn't be crazy to do it there.
Agreed, but the real problem here is maintenance. Hardcoding a list of specific ciphers means someone must follow closely the introduction of new ciphers in OpenSSL, and choose whether or not to include them in the list. I'd prefer an open-ended cipher string. Here is a proposal: 'ECDH:EDH:AESGCM:HIGH:!eNULL:!aNULL:!DSS' It prioritizes Diffie-Hellman key exchange (for perfect forward secrecy), and AESGCM for the symmetric cipher; it also lets OpenSSL append other possible ciphers. BTW, apparently removing RC4 prevents ECDHE in SSv23 mode: $ ./python -c 'import ssl, socket; ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23); ctx.set_ciphers("EECDH:EDH:AESGCM:HIGH:!eNULL:!aNULL"); s = ctx.wrap_socket(socket.socket()); s.connect(("linuxfr.org", 443)); print(s.cipher()); s.close()' ('ECDHE-RSA-RC4-SHA', 'TLSv1/SSLv3', 128) $ ./python -c 'import ssl, socket; ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23); ctx.set_ciphers("EECDH:EDH:AESGCM:HIGH:!eNULL:!aNULL:!RC4"); s = ctx.wrap_socket(socket.socket()); s.connect(("linuxfr.org", 443)); print(s.cipher()); s.close()' ('DHE-RSA-AES256-SHA', 'TLSv1/SSLv3', 256) ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue20995> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com