How to disable SSL3 and weak ciphers with cherrypy builtin ssl module (python 3)

Question

I have configured Cherrypy 3.8.0 with Python 3 to use SSL/TLS. However, I want to disable SSL3 to avoid POODLE. I searched through the documentation but I am unsure on how to implement it.

I am using the cherrypy/python builtin ssl module, not pyOpenSSL which I am unable to use under Python 3.

Answer 1

To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).

import cherrypy
import ssl

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options |= ssl.OP_NO_SSLv2 
ctx.options |= ssl.OP_NO_SSLv3

cherrypy.config.update(server_config)

where in this case, SSL is from the OpenSSL module.

It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.

Furthermore, you can specifically set all the ciphers you want with

ciphers = {
    'DHE-RSA-AE256-SHA',
    ...
    'RC4-SHA'
}

ctx.set_ciphers(':'.join(ciphers))

If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with

CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))

Here is part of the documentation detailing the above: http://docs.cherrypy.org/en/latest/pkg/cherrypy.wsgiserver.html#module-cherrypy.wsgiserver.ssl_builtin

Lastly, here are some sources (asking similar questions) that you may want to look at:

• How to block SSL protocols in favor of TLS?
• https://review.cloudera.org/r/4739/diff/
• http://roadha.us/2014/10/disable-sslv3-avoid-poodle-attack-web-py/
• http://blog.gosquadron.com/use-tls
• http://www.experts-exchange.com/questions/28073251/Disable-weak-SSL-cipher-on-CherryPy-pyOpenSSL-Windows-2008-Server.html