[issue23679] SSL Ciphers RC4
mogli added the comment: That was fast, great job! For the record: The SSLv3 issue I also wrote about was a false positive because the test only works with Javascript. Python 2.7.9 has SSLv3 disabled by default as it should. urllib2.urlopen(https://sslv3.dshield.org;) # fails as it should -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
New submission from mogli: The documentation (https://docs.python.org/2/library/ssl.html) says: The settings in Python 2.7.9 are: PROTOCOL_SSLv23, OP_NO_SSLv2, and OP_NO_SSLv3 with high encryption cipher suites without RC4 But it still seems to use RC4: https://www.howsmyssl.com/a/check Also the test at https://www.ssllabs.com/ssltest/viewMyClient.html says it still supports SSLv3 (not so sure about this one). -- messages: 238194 nosy: mogli priority: normal severity: normal status: open title: SSL Ciphers RC4 type: security versions: Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
STINNER Victor added the comment: You can explicitly disable RC4 if you create a SSLContext and then call set_ciphers() with the right list of ciphers. See for examples cipher lists of Python 2.7 (development branch): https://hg.python.org/cpython/file/0b44c749ae51/Lib/ssl.py#l150 Add :!RC4 at the end of the cipher list to disable RC4. OpenSSL cipher list format: https://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT -- nosy: +haypo ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
Benjamin Peterson added the comment: RC4 is dropped in the next releases. -- dependencies: +SSL module should not offer RC4 based cipher suites for clients by default nosy: +benjamin.peterson resolution: - duplicate status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
Changes by R. David Murray rdmur...@bitdance.com: -- nosy: +alex, dstufft ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
Alex Gaynor added the comment: I believe RC4 will still be used under 2.7.9 on clients, this is changed for 2.7.10 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
mogli added the comment: So it seems the docs are wrong. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
Benjamin Peterson added the comment: They're correct for the next release. :( -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
Roundup Robot added the comment: New changeset e1dfa5f0709f by Benjamin Peterson in branch '2.7': versionchanged for rc4 removal (closes #23679) https://hg.python.org/cpython/rev/e1dfa5f0709f New changeset 2a6a63828a40 by Benjamin Peterson in branch '3.4': versionchanged for rc4 removal (closes #23679) https://hg.python.org/cpython/rev/2a6a63828a40 New changeset 87c102d0df39 by Benjamin Peterson in branch 'default': merge 3.4 (#23679) https://hg.python.org/cpython/rev/87c102d0df39 -- nosy: +python-dev resolution: - fixed stage: needs patch - resolved status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
R. David Murray added the comment: But the doc explicitly says 2.7.9, so no, they are not correct. There also should be versionchanged directive, I think. -- assignee: - docs@python components: +Documentation dependencies: -SSL module should not offer RC4 based cipher suites for clients by default nosy: +docs@python, r.david.murray stage: - needs patch status: closed - open type: security - behavior ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23679] SSL Ciphers RC4
Changes by R. David Murray rdmur...@bitdance.com: -- resolution: duplicate - ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23679 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
