diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-04 01:53:44 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-04 01:53:44 (GMT) |
| commit | b7ffed8a506a6a98e59e5f23bd6d4fe706b40bc3 (patch) | |
| tree | c63d4d49490a21162beb4d1d8c16cfa3e353c0e7 /Doc/library/ssl.rst | |
| parent | a12d5c62f78640c274e7babd5b20744af5008837 (diff) | |
| download | cpython-b7ffed8a506a6a98e59e5f23bd6d4fe706b40bc3.zip cpython-b7ffed8a506a6a98e59e5f23bd6d4fe706b40bc3.tar.gz cpython-b7ffed8a506a6a98e59e5f23bd6d4fe706b40bc3.tar.bz2 | |
Add a subsection explaning cipher selection.
Diffstat (limited to 'Doc/library/ssl.rst')
| -rw-r--r-- | Doc/library/ssl.rst | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 497c5ba..00322cf 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -984,6 +984,25 @@ SSLv2 explicitly using the :data:`SSLContext.options` attribute:: The SSL context created above will allow SSLv3 and TLSv1 connections, but not SSLv2. +Cipher selection +^^^^^^^^^^^^^^^^ + +If you have advanced security requirements, fine-tuning of the ciphers +enabled when negotiating a SSL session is possible through the +:meth:`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the +ssl module disables certain weak ciphers by default, but you may want +to further restrict the cipher choice. For example:: + + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.set_ciphers('HIGH:!aNULL:!eNULL') + +The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers +which don't provide both encryption and authentication. Be sure to read +OpenSSL's documentation about the `cipher list +format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_. +If you want to check which ciphers are enabled by a given cipher list, +use the ``openssl ciphers`` command on your system. + .. seealso:: |