On 17 Feb 2015, at 2:52, Glyph Lefkowitz wrote:
I need to loosen up the default cipher list to allow RC4 (some sites
our customers use like myaccounts.socalgas.com still use it).
I was going to pass the following dict into the
extraCertificateOptions argument of ssl.optionsForClientTLS, but was
curious if there as a better way:
{"acceptableCiphers" : <IAcceptableCiphers object>}
As the documentation for extraCertificateOptions says, if you need to
use it it's a bug in the interface. As such, please file it :-).
This escape-hatch was presented specifically so we could discover
which features of that interface were really necessary customizations
and which were just unfortunate compromises with OpenSSL's API.
In this case, no, there's no other way to get acceptable ciphers in
there, and this should probably just be added to optionsForClientTLS.
Yes.
Another reasonable fix might be to allow RC4, since I think the
default cipher suites that we have selected might be more appropriate
for servers than for clients; the major browsers will still negotiate
RC4 so we might want a slightly more permissive list. Hopefully
someone more cryptographically enlightened than I am can opine as to
whether this is a reasonable thing to do in 2015...
I’m still maintaining that watering down the defaults is an invitation
to downgrade attacks that affect *everyone*. And RC4 looks worse with
every month passing.
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
