From b7ffed8a506a6a98e59e5f23bd6d4fe706b40bc3 Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Wed, 4 Jan 2012 02:53:44 +0100 Subject: Add a subsection explaining cipher selection. --- Doc/library/ssl.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 497c5ba..00322cf 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -984,6 +984,25 @@ SSLv2 explicitly using the :data:`SSLContext.options` attribute:: The SSL context created above will allow SSLv3 and TLSv1 connections, but not SSLv2. +Cipher selection +^^^^^^^^^^^^^^^^ + +If you have advanced security requirements, fine-tuning of the ciphers +enabled when negotiating a SSL session is possible through the +:meth:`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the +ssl module disables certain weak ciphers by default, but you may want +to further restrict the cipher choice. For example:: + + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.set_ciphers('HIGH:!aNULL:!eNULL') + +The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers +which don't provide both encryption and authentication. Be sure to read +OpenSSL's documentation about the `cipher list +format `_. +If you want to check which ciphers are enabled by a given cipher list, +use the ``openssl ciphers`` command on your system. + .. seealso:: -- cgit v0.12
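Review bot: the sentence explaining ``!aNULL:!eNULL`` in the new paragraph should be more precise, because readers will copy this string: ``HIGH`` on its own already excludes the NULL-encryption suites, but it still admits the anonymous (ADH) suites, so ``!aNULL`` is the part that actually restores authentication and ``!eNULL`` is only belt-and-braces. Two smaller points in the same hunk: "negotiating a SSL session" should read "negotiating an SSL session", and "disables certain weak ciphers by default" is vague; name the cipher classes the new default excludes (or quote the default cipher string) so the reader knows what baseline they are restricting further. It is also worth stating that :meth:`SSLContext.set_ciphers` raises :exc:`SSLError` when none of the listed ciphers is available in the underlying OpenSSL, since that is how a typo in the string surfaces at runtime, and that the check suggested at the end is ``openssl ciphers -v 'HIGH:!aNULL:!eNULL'``, which prints the suites the string selects on the local OpenSSL together with their key-exchange and authentication types.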