No cipher can be selected

Question

I am having problems making ssl connections with IDEA-CBC-SHA on python 2.7 / Win XP.

This is the code:

ciphers = "IDEA-CBC-SHA"

ssl_sock = ssl.wrap_socket(self.sock,
                           keyfile  = keyfile,
                           certfile = certfile,
                           ciphers  = ciphers)

ssl_sock.connect((address, port))

And this is the result:

SSLError: _ssl.c:319: No cipher can be selected.

When I query openssl, I see IDEA-CBC-SHA as one of the listed ciphers

OpenSSL> ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

I've tested with other ciphers (DES-CBC3-SHA ,RC4-SHA, AES256-SHA, AES128-SHA), and they all worked fine.

Any idea why my ssl connection might be failing for this specific cipher?

Is there some way to disable (and then enable) ciphers?

Thanks!

Answer 1

Any idea why my ssl connection might be failing for this specific cipher?

Perhaps the server you are connecting to does not support IDEA. A packet capture would confirm this.

EDIT: In an ssl connection, the client suggests a list of cipher options it is willing to use. The server selects one of the options from that list that the server finds acceptable. If the server does not like any options the client proposed, then the connection will fail, because the server is unable to select a cipher suite.