How to disable SSL3 and weak ciphers using the cherrypy built-in ssl module (python 3)

I installed CherryPy 3.8.0 with Python 3 to use SSL / TLS. However, I want to disable SSL3 to avoid POODLE. I looked through the documentation, but I'm not sure how to implement it.

I am using the built-in ssl module of CherryPy / Python and not pyOpenSSL, which I cannot use in Python 3.

1 answer

To disable SSLv3, you must set the ssl_context variable yourself rather than accepting the default value. Here is an example using Python's built-in ssl module (instead of the CherryPy ssl built-in module).

    import cherrypy
    import ssl

    # PROTOCOL_SSLv23 negotiates the highest version both sides support;
    # the OP_NO_* flags then remove SSLv2 and SSLv3 from that range.
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options |= ssl.OP_NO_SSLv2
    ctx.options |= ssl.OP_NO_SSLv3

    # CherryPy uses a supplied context as-is, so the server certificate and
    # key must be loaded into it here (paths are placeholders).
    ctx.load_cert_chain('cert.pem', 'privkey.pem')

    server_config = {
        'server.ssl_module': 'builtin',
        'server.ssl_certificate': 'cert.pem',
        'server.ssl_private_key': 'privkey.pem',
        'server.ssl_context': ctx,
    }
    cherrypy.config.update(server_config)

where in this case ssl is from the OpenSSL module.

It is worth noting that, starting with Python 3.2.3, the ssl module disables some weak ciphers by default.

In addition, you can set all the necessary ciphers with

    # A list, not a set: OpenSSL treats the order as the server's preference,
    # and a set would serialise in arbitrary order.
    ciphers = [
        'DHE-RSA-AES256-SHA',
        # ...
        'RC4-SHA',
    ]
    ctx.set_ciphers(':'.join(ciphers))

If you use CherryPyWSGIServer from the web.wsgiserver module, you must set the default ciphers with

    # pyOpenSSL's SSL.Context API (set_cipher_list), not the stdlib set_ciphers
    CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))

Here is the part of the documentation that covers the above in detail: http://docs.cherrypy.org/en/latest/pkg/cherrypy.wsgiserver.html#module-cherrypy.wsgiserver.ssl_builtin

Finally, here are some sources (asking similar questions) that you can see:

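The answer above shows the mechanism (build your own ssl.SSLContext and hand it to CherryPy) but leaves the cipher list to the reader and does not show how to confirm what the server will actually offer. The following is an added example, not code from the question, the answer or the CherryPy project: it builds a context that disables SSLv2/SSLv3 and everything below TLS 1.2, restricts the cipher list to AEAD suites with forward secrecy, and audits the result using only what the ssl module reports. It assumes Python 3.7+ (for ssl.TLSVersion and SSLContext.get_ciphers) and that CherryPy 3.8 honours the server.ssl_context key with server.ssl_module set to builtin, as the answer states; the certificate paths, host and port in cherrypy_server_config are placeholders, and WEAK_MARKERS and STRONG_CIPHERS are this example's own choices.

```python
"""Hardened TLS context for CherryPy's builtin ssl adapter, with a self-audit.

Added example for this page, not the question's, the answer's or CherryPy's
own code. Assumes Python 3.7+ and that CherryPy 3.8 honours the
'server.ssl_context' key with the 'builtin' ssl module (as the answer says).
Certificate paths, host and port are placeholders.
"""
import ssl

# Substrings that mark cipher suites a server should never offer (this
# example's own list): RC4, single/triple DES, NULL cipher or auth, MD5 MAC,
# export grade, anonymous (EC)DH.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")

# OpenSSL cipher string: AEAD suites with (EC)DHE key exchange only. The '!'
# entries are defensive in case an alias is widened in a later OpenSSL.
STRONG_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"
    ":!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
)


def build_server_context(certfile=None, keyfile=None):
    """Return an SSLContext with SSLv2/SSLv3 and pre-TLS1.2 versions disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Set explicitly even though recent Python already defaults to these:
    # the point of the page is not relying on a default you have not checked.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.options |= ssl.OP_NO_COMPRESSION            # no TLS compression (CRIME)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # our order wins, not the client's
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # also removes TLS 1.0/1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile:
        # A supplied context is used as-is by the adapter, so the certificate
        # has to be loaded here rather than by CherryPy.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Report what a connecting client could still negotiate against ctx."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in offered if any(m in n for m in WEAK_MARKERS)]
    # Suites without (EC)DHE key exchange have no forward secrecy; TLS 1.3
    # suites (named TLS_*) always use an ephemeral exchange.
    no_pfs = [n for n in offered if not n.startswith(("ECDHE-", "DHE-", "TLS_"))]
    return {
        # OpenSSL >= 1.1.0 has no SSLv2 at all and defines OP_NO_SSLv2 as 0,
        # so a zero flag also means "cannot be negotiated".
        "sslv2_disabled": ssl.OP_NO_SSLv2 == 0 or bool(ctx.options & ssl.OP_NO_SSLv2),
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "tls12_minimum": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": weak,
        "no_forward_secrecy": no_pfs,
        "offered": offered,
    }


def cherrypy_server_config(ctx, certfile, keyfile, host="0.0.0.0", port=8443):
    """Dict for cherrypy.config.update() that hands ctx to the builtin adapter.

    Key names follow cherrypy._cpserver; cherrypy itself is not imported here.
    """
    return {
        "server.socket_host": host,
        "server.socket_port": port,
        "server.ssl_module": "builtin",
        "server.ssl_certificate": certfile,
        "server.ssl_private_key": keyfile,
        "server.ssl_context": ctx,
    }


if __name__ == "__main__":
    report = audit_context(build_server_context())
    for key in ("sslv2_disabled", "sslv3_disabled", "tls12_minimum",
                "weak_ciphers", "no_forward_secrecy"):
        print("%-20s %s" % (key, report[key]))
    print("offered suites:")
    for name in report["offered"]:
        print("  " + name)
```

In a real deployment, call build_server_context('cert.pem', 'privkey.pem') and pass the result through cherrypy_server_config to cherrypy.config.update before cherrypy.quickstart; the audit belongs in a startup assertion or a unit test so a changed OpenSSL build cannot silently widen the offer. The audit only inspects the local context, so confirm from the outside as well, for instance with `openssl s_client -connect host:8443 -ssl3`, which must fail to hand-shake.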
