Disable weak ciphers with cherrypy (python 2)

Problem description

I'm using Cherrypy 3.8.0 with Python 2 to use SSL/TLS using pyOpenSSL.

I want to disable SSL3 to avoid POODLE (or other weak ciphers).

Here's what I have so far:

server_config = {
    'server.socket_port': 443,
    'server.ssl_module': 'pyopenssl',
    'server.ssl_certificate': '/path/myserver.crt',
    'server.ssl_private_key': '/path/myserver.key',
}

This is similar to this question but for python 2 and pyopenssl.

How can I specify or exclude specific ciphers? Thanks!

Recommended answer

To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).

import cherrypy
from OpenSSL import SSL

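# SSLv23_METHOD negotiates the highest protocol version both peers support;
# the options below then remove SSLv2 and SSLv3 from that negotiation.
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)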

...

server_config = {
    'server.socket_host': '0.0.0.0',
    'server.socket_port': 443,
    'server.ssl_context': ctx
}

cherrypy.config.update(server_config)

where in this case, SSL is from the OpenSSL module.

It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.

Furthermore, you can specifically set all the ciphers you want with

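# Ordered list: OpenSSL reads the cipher string in preference order,
# which a set literal would not preserve.
ciphers = [
    'DHE-RSA-AES256-SHA',
    ...
    'RC4-SHA'
]

ctx.set_cipher_list(':'.join(ciphers))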

If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with

CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))

Lastly, here are some sources (asking similar questions) that you may want to look at:

  • How to block SSL protocols in favor of TLS?
  • https://review.cloudera.org/r/4739/diff/
  • http://roadha.us/2014/10/disable-sslv3-avoid-poodle-attack-web-py/
  • http://blog.gosquadron.com/use-tls
  • http://www.experts-exchange.com/questions/28073251/Disable-weak-SSL-cipher-on-CherryPy-pyOpenSSL-Windows-2008-Server.html
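
An added example (not part of the original question or answer, and not CherryPy or pyOpenSSL code): it audits an OpenSSL cipher string before it is handed to set_cipher_list, flagging weak suites such as the RC4-SHA entry in the explicit list above. It uses Python 3's standard ssl module instead of pyOpenSSL so it runs without extra packages (the cipher-string syntax is OpenSSL's in both); WEAK_MARKERS, the function names and the sample strings are assumptions of this example.

```python
import ssl

# Substrings of OpenSSL cipher names treated as weak in this example (an
# assumption, not a list from the page): RC4, DES/3DES, NULL encryption,
# export-grade suites, MD5 MACs and anonymous (unauthenticated) key exchange.
WEAK_MARKERS = ('RC4', 'DES', 'NULL', 'EXP', 'MD5', 'ADH', 'AECDH')


def weak_ciphers(names):
    """Return the names that contain a weak marker, in input order."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def enabled_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suites this build enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if no suite matches
    return [c['name'] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Return (enabled, weak) for a cipher string on the local OpenSSL."""
    try:
        enabled = enabled_ciphers(cipher_string)
    except ssl.SSLError:
        return [], []  # nothing in the string is available in this build
    return enabled, weak_ciphers(enabled)


# Constructed sample inputs.
EXPLICIT_LIST = ['DHE-RSA-AES256-SHA', 'RC4-SHA']
HARDENED = 'ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!RC4:!3DES:!MD5'

if __name__ == '__main__':
    print('weak in explicit list:', weak_ciphers(EXPLICIT_LIST))
    enabled, weak = audit(HARDENED)
    print('%d suites enabled, weak: %s' % (len(enabled), weak))
```

On builds with TLS 1.3, get_ciphers() also lists the TLS 1.3 suites, which set_ciphers does not control.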
