Disable weak ciphers with cherrypy (python 2)
Question
I'm using Cherrypy 3.8.0 with Python 2 to use SSL/TLS using pyOpenSSL.
I want to disable SSL3 to avoid POODLE (or other weak ciphers).
Here's what I have so far:
server_config={
'server.socket_port': 443,
'server.ssl_module':'pyopenssl',
'server.ssl_certificate':'/path/myserver.crt',
'server.ssl_private_key':'/path/myserver.key',
}
This is similar to this question but for python 2 and pyopenssl.
How can I specify or exclude specific ciphers? Thanks!
Answer
To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).
import cherrypy
from OpenSSL import SSL

# Negotiate the highest protocol both sides support, then forbid SSLv2/SSLv3.
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
# ... rest of the application setup
server_config = {
    'server.socket_host': '0.0.0.0',
    'server.socket_port': 443,
    'server.ssl_context': ctx
}
cherrypy.config.update(server_config)
where in this case, SSL is from the OpenSSL module.
It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.
Furthermore, you can specifically set all the ciphers you want with
# Preference order matters: OpenSSL tries suites in the order given,
# so use a list rather than an unordered set.
ciphers = [
    'DHE-RSA-AES256-SHA',
    # ...
    'RC4-SHA'
]
ctx.set_cipher_list(':'.join(ciphers))
If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with
CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))
Lastly, here are some sources (asking similar questions) that you may want to look at:
- How to block SSL protocols in favor of TLS?
- https://review.cloudera.org/r/4739/diff/
- http://roadha.us/2014/10/disable-sslv3-avoid-poodle-attack-web-py/
- http://blog.gosquadron.com/use-tls
- http://www.experts-exchange.com/questions/28073251/Disable-weak-SSL-cipher-on-CherryPy-pyOpenSSL-Windows-2008-Server.html
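The answer above sets two things on the context: a protocol floor (no SSLv2/SSLv3) and an explicit cipher list. As an added example that is not part of the original answer, the following builds such a context with Python 3's standard-library ssl module instead of pyOpenSSL, and then audits the resulting context so you can confirm the hardening actually took effect rather than trusting the configuration. It goes slightly beyond the page by also raising the floor to TLS 1.2 (TLS 1.0/1.1 are deprecated by RFC 8996). The names make_server_context, audit_context, is_hardened, HARDENED_CIPHERS and WEAK_MARKERS, and the cipher string itself, are this example's own choices; the pyOpenSSL equivalents are SSL.Context.set_options and set_cipher_list as used in the answer, and whether a given CherryPy version's builtin SSL adapter honours a stdlib context passed via server.ssl_context is not verified here.

```python
import ssl

# Cipher string constructed for this example: forward-secret AEAD suites first,
# CBC AES as a fallback, and RC4, (3)DES, MD5, export-grade and unauthenticated
# suites removed with the OpenSSL "!" syntax so a later alias cannot re-add them.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES"
    ":!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK"
)

# Substrings that mark an enabled suite as one that should never be offered.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def make_server_context(certfile=None, keyfile=None):
    """Build a server-side TLS context that refuses SSLv3 and below and only
    offers HARDENED_CIPHERS.

    certfile/keyfile are optional (hypothetical paths) so the context can be
    built and audited without key material; a real server must load its chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same effect as SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 in the pyOpenSSL answer.
    # Newer Pythons prefer minimum_version, so both are set here.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Honour the server's order so a client cannot steer us to a weaker suite.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Post-configuration check: does the context refuse SSLv3, what is its
    protocol floor, and which enabled suites carry a weak-algorithm marker.

    (SSLv2 is not reported: OpenSSL 1.1.0 removed SSLv2 entirely, so there is
    no option bit left to inspect.)
    """
    enabled = [suite["name"] for suite in ctx.get_ciphers()]
    weak = [name for name in enabled
            if any(marker in name.upper() for marker in WEAK_MARKERS)]
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "min_version": ctx.minimum_version.name,
        "enabled_ciphers": enabled,
        "weak_ciphers": weak,
    }


def is_hardened(ctx):
    """True when SSLv3 is refused, the floor is at least TLS 1.2, at least one
    suite is enabled and none of the enabled suites is flagged as weak."""
    report = audit_context(ctx)
    return (report["sslv3_disabled"]
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and bool(report["enabled_ciphers"])
            and not report["weak_ciphers"])


if __name__ == "__main__":
    import json
    print(json.dumps(audit_context(make_server_context()), indent=2))
```

Run the module directly to print the audit of a freshly built context; the enabled_ciphers list is what OpenSSL will actually offer, which is the value worth reviewing before deployment rather than the cipher string you wrote.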