#2782: HTTPS negotiates with incorrect cipher
--------------------+--------------------
Reporter: Cas | Owner:
Type: bug | Status: new
Priority: minor | Milestone: 1.3.13
Component: Web-UI | Version: 1.3.12
Keywords: |
--------------------+--------------------
Snippet from original forum thread: http://forum.deluge-torrent.org/viewtopic.php?f=7&t=51545
I recently updated to v 1.3.12 and noticed that the problem was still
occurring, which brought me back here.
It's been quite a while since I looked at this, but my recollection of the
problem was that the web-ui server was using some old/weird stuff to
initialise twisted which meant it wasn't getting a full list of available
safe cipher suites. I believe the problem was caused by the "safe" cipher
suites provided by the latest version of openssl not overlapping
particularly well with those being allowed by the implementation of
twisted in place in deluge and those that firefox would allow.
I removed the ServerContextFactory class (which was what I saw causing the
problem) and re-wrote start_ssl() to set the certificate options itself
and let twisted handle everything else like deciding which cipher suites
were OK to use. This added a whole bunch of additional cipher suites
available for negotiation.
With the current configuration the cipher that is negotiated is
TLS_RSA_WITH_AES_128_CBC_SHA, which probably shouldn't be used even if it
did work; with my update it negotiates
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
At the time I had planned on submitting a patch to the git repository but
I wasn't able to get the develop branch to run even before I implemented
my changes so I just left it as there didn't seem to be any active
development at the time.
--
Ticket URL: <http://dev.deluge-torrent.org/ticket/2782>
Deluge <http://deluge-torrent.org/>
Deluge Project
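
The two suite names quoted in the ticket differ in the properties a TLS audit checks. As an added example (not Deluge code and not the reporter's patch), this Python helper parses TLS 1.2-style IANA suite names and flags missing forward secrecy and non-AEAD or obsolete ciphers. The function names and the choice of checks are assumptions made for this illustration.

```python
import re

# TLS 1.2-style IANA name: TLS_<key exchange[_auth]>_WITH_<cipher>_<hash>
_SUITE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<enc>[A-Z0-9_]+)_(?P<hash>SHA\d*|MD5)$"
)
_OBSOLETE = ("NULL", "RC4", "RC2", "DES")  # "DES" also matches 3DES_EDE_CBC


def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and hash."""
    m = _SUITE.match(name)
    if m is None:
        raise ValueError("not a TLS 1.2-style suite name: %r" % name)
    kx, _, auth = m["kx"].partition("_")
    enc = m["enc"]
    return {
        "key_exchange": kx,
        "auth": auth or kx,   # TLS_RSA_*: the RSA key does both jobs
        "cipher": enc,
        "aead": "GCM" in enc or "POLY1305" in enc,
        "hash": m["hash"],    # HMAC hash for CBC suites, PRF hash for AEAD suites
    }


def audit_suite(name):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_suite(name)
    findings = []
    # Only ephemeral (EC)DH key exchange gives forward secrecy.
    if s["key_exchange"] not in ("DHE", "ECDHE"):
        findings.append("no forward secrecy (%s key exchange)" % s["key_exchange"])
    if any(tag in s["cipher"] for tag in _OBSOLETE):
        findings.append("obsolete cipher (%s)" % s["cipher"])
    elif not s["aead"]:
        findings.append("not an AEAD cipher (%s)" % s["cipher"])
    return findings


if __name__ == "__main__":
    # The two suites quoted in the ticket: before and after the reporter's change.
    for suite in ("TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):
        print(suite, "->", audit_suite(suite) or "nothing flagged")
```

TLS 1.3 names such as TLS_AES_128_GCM_SHA256 carry no key-exchange field and are rejected with ValueError rather than guessed at.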