问题
I have configured Cherrypy 3.8.0 with Python 3 to use SSL/TLS. However, I want to disable SSL3 to avoid POODLE. I searched through the documentation but I am unsure on how to implement it.
I am using the cherrypy/python builtin ssl module, not pyOpenSSL which I am unable to use under Python 3.
回答1:
To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).
import cherrypy
import ssl
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3
cherrypy.config.update(server_config)
where in this case, SSL is from the OpenSSL module.
It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.
Furthermore, you can specifically set all the ciphers you want with
ciphers = {
'DHE-RSA-AE256-SHA',
...
'RC4-SHA'
}
ctx.set_ciphers(':'.join(ciphers))
If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with
CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))
Here is part of the documentation detailing the above: http://docs.cherrypy.org/en/latest/pkg/cherrypy.wsgiserver.html#module-cherrypy.wsgiserver.ssl_builtin
Lastly, here are some sources (asking similar questions) that you may want to look at:
- How to block SSL protocols in favor of TLS?
- https://review.cloudera.org/r/4739/diff/
- http://roadha.us/2014/10/disable-sslv3-avoid-poodle-attack-web-py/
- http://blog.gosquadron.com/use-tls
- http://www.experts-exchange.com/questions/28073251/Disable-weak-SSL-cipher-on-CherryPy-pyOpenSSL-Windows-2008-Server.html
来源:https://stackoverflow.com/questions/34740951/how-to-disable-ssl3-and-weak-ciphers-with-cherrypy-builtin-ssl-module-python-3