CODEWITHSUNDEEP
pythonsocketssslopenssltls1.2
user9371654
user9371654

Reputation: 2398

How to set ciphers in ssl python socket

I want to create my own list of ciphersuites using the cipher strings. The following code works if I put only one string in the set_ciphers function. But I want a customized list of ciphers. There is other format like: ALL:!COMPLEMENTOFDEFAULT:!eNULL but this does not do the purpose I need. I have a customized list of different ciphers that I can not combine using the second format. 

import socket, ssl
import pprint

context = ssl.create_default_context()

cipher = ['DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES128-GCM-SHA256']
context.set_ciphers(cipher)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

domain = 'google.com'

sslSocket = context.wrap_socket(s, server_hostname = domain)

sslSocket.connect((domain, 443))
sslSocket.close()
print('closed')

The function set_ciphers can be found here.

Upvotes: 6

Views: 19644

Answers (2)

CristiFati
CristiFati

Reputation: 41116

Even if ssl.SSLContext.get_ciphers returns the ciphers in a friendly format (a list of dictionaries), the other way around, things don't work quite the same.

According to [Python.Docs]: ssl - SSLContext.set_ciphers(ciphers):

Set the available ciphers for sockets created with this context. It should be a string in the OpenSSL cipher list format.

Following [OpenSSL]: CIPHER LIST FORMAT (emphasis is mine):

The cipher list consists of one or more cipher strings separated by colons. Commas or spaces are also acceptable separators but colons are normally used.

Therefore, strings like "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256" should be used.
Translated to (your) code:

ciphers = ["DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256"]
ciphers_str = ":".join(ciphers)  # "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256"
context.set_ciphers(ciphers_str)

Upvotes: 3

user9371654
user9371654

Reputation: 2398

I could include more than one cipher simple by separating the ciphers with : and send all the ciphers as one string.

cipher = 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256'
context.set_ciphers(cipher)

This way, the client offers all the ciphers. You can make sure from this by calling context.get_ciphers() and you will see only the ciphers you inserted using set_cipher.

Upvotes: 8

Related Questions