author: Antoine Pitrou <solipsis@pitrou.net> 2012-01-04 01:53:44 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net> 2012-01-04 01:53:44 (GMT)
commit: b7ffed8a506a6a98e59e5f23bd6d4fe706b40bc3
tree: c63d4d49490a21162beb4d1d8c16cfa3e353c0e7
parent: a12d5c62f78640c274e7babd5b20744af5008837
Add a subsection explaining cipher selection.
-rw-r--r-- Doc/library/ssl.rst | 19
1 file changed, 19 insertions, 0 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 497c5ba..00322cf 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -984,6 +984,25 @@ SSLv2 explicitly using the :data:`SSLContext.options` attribute::
The SSL context created above will allow SSLv3 and TLSv1 connections, but
not SSLv2.
+Cipher selection
+^^^^^^^^^^^^^^^^
+
+If you have advanced security requirements, fine-tuning of the ciphers
+enabled when negotiating a SSL session is possible through the
+:meth:`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the
+ssl module disables certain weak ciphers by default, but you may want
+to further restrict the cipher choice. For example::
+
+ context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ context.set_ciphers('HIGH:!aNULL:!eNULL')
+
+The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers
+which don't provide both encryption and authentication. Be sure to read
+OpenSSL's documentation about the `cipher list
+format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
+If you want to check which ciphers are enabled by a given cipher list,
+use the ``openssl ciphers`` command on your system.
+
.. seealso::
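Review bot: The paragraph after the example never says why ``HIGH`` on its own is not enough: OpenSSL's ``HIGH`` selector still matches the anonymous Diffie-Hellman suites (no peer authentication), so ``!aNULL`` is the part that actually removes them, while ``!eNULL`` is already implied by ``HIGH`` and only serves as a safeguard. Consider stating that explicitly, e.g. "``HIGH`` by itself still admits anonymous key exchange, so ``!aNULL`` is required to guarantee the peer is authenticated." Two smaller points in the same hunk: "negotiating a SSL session" should read "an SSL session", and the closing hint would be more useful with the exact invocation, ``openssl ciphers -v 'HIGH:!aNULL:!eNULL'``, which lists the suites that this particular string enables together with their key exchange and authentication algorithms.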