I have configured Cherrypy 3.8.0 with Python 3 to use SSL/TLS. However, I want to disable SSL3 to avoid POODLE. I searched through the documentation but I am unsure on how to implement it.
I am using the cherrypy/python builtin ssl
module, not pyOpenSSL
which I am unable to use under Python 3.
To disable SSL3, you should set the ssl_context
variable yourself rather than accepting the default. Here's an example using Python's built-in ssl
module (in lieu of the built-in cherrypy
ssl module).
import cherrypy
import ssl
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3
cherrypy.config.update(server_config)
where in this case, SSL
is from the OpenSSL
module.
It's worth noting that beginning in Python 3.2.3, the ssl
module disables certain weak ciphers by default.
Furthermore, you can specifically set all the ciphers you want with
ciphers = {
'DHE-RSA-AE256-SHA',
...
'RC4-SHA'
}
ctx.set_ciphers(':'.join(ciphers))
If you're using the CherryPyWSGIServer
from the web.wsgiserver
module, you would set the default ciphers with
CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))
Here is part of the documentation detailing the above: http://docs.cherrypy.org/en/latest/pkg/cherrypy.wsgiserver.html#module-cherrypy.wsgiserver.ssl_builtin
Lastly, here are some sources (asking similar questions) that you may want to look at:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With