From: Antoine Pitrou Date: Wed, 4 Jan 2012 01:53:44 +0000 (+0100) Subject: Add a subsection explaning cipher selection. X-Git-Tag: v3.2.3rc1~214 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b7ffed8a506a6a98e59e5f23bd6d4fe706b40bc3;p=python Add a subsection explaning cipher selection. --- diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 497c5ba621..00322cf2a1 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -984,6 +984,25 @@ SSLv2 explicitly using the :data:`SSLContext.options` attribute:: The SSL context created above will allow SSLv3 and TLSv1 connections, but not SSLv2. +Cipher selection +^^^^^^^^^^^^^^^^ + +If you have advanced security requirements, fine-tuning of the ciphers +enabled when negotiating a SSL session is possible through the +:meth:`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the +ssl module disables certain weak ciphers by default, but you may want +to further restrict the cipher choice. For example:: + + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.set_ciphers('HIGH:!aNULL:!eNULL') + +The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers +which don't provide both encryption and authentication. Be sure to read +OpenSSL's documentation about the `cipher list +format `_. +If you want to check which ciphers are enabled by a given cipher list, +use the ``openssl ciphers`` command on your system. + .. seealso::
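Review bot: the ``cipher list format`` reference in the added "Cipher selection" paragraph carries no URL target as it appears here (the phrase ends in a bare ``\`_``), so unless that is an artifact of how the patch was pasted, Sphinx will report an unknown target and the rendered text will not link anywhere; it needs an explicit ``<http://...>`` target pointing at OpenSSL's ciphers(1) documentation. Smaller points in the same hunk: "negotiating a SSL session" should read "negotiating an SSL session", and it would help readers to mention that :meth:`SSLContext.set_ciphers` raises :exc:`SSLError` when the spec leaves no usable cipher, since a mistyped string such as the ``'HIGH:!aNULL:!eNULL'`` example only fails at call time rather than at connection time. The commit subject also has a typo: "explaning".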