Commit 8f746d83 authored by Antoine Pitrou

Add a subsection explaining cipher selection.

...@@ -1174,6 +1174,25 @@ SSLv2 explicitly using the :data:`SSLContext.options` attribute:: ...@@ -1174,6 +1174,25 @@ SSLv2 explicitly using the :data:`SSLContext.options` attribute::
The SSL context created above will allow SSLv3 and TLSv1 connections, but The SSL context created above will allow SSLv3 and TLSv1 connections, but
not SSLv2. not SSLv2.
Cipher selection
^^^^^^^^^^^^^^^^
If you have advanced security requirements, fine-tuning of the ciphers
enabled when negotiating a SSL session is possible through the
:meth:`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the
ssl module disables certain weak ciphers by default, but you may want
to further restrict the cipher choice. For example::
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.set_ciphers('HIGH:!aNULL:!eNULL')
The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers
which don't provide both encryption and authentication. Be sure to read
OpenSSL's documentation about the `cipher list
format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
If you want to check which ciphers are enabled by a given cipher list,
use the ``openssl ciphers`` command on your system.
.. seealso:: .. seealso::
......
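Review bot: The sentence "The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers which don't provide both encryption and authentication" lumps the two exclusions together. Say which term does what (``!aNULL`` removes suites with no authentication, ``!eNULL`` removes suites with no encryption), so a reader who later edits the string knows what each term protects against. In the first added paragraph, "a SSL session" should be "an SSL session". The phrase "disables certain weak ciphers by default" would be more useful if it named those ciphers or the default cipher string, since a reader deciding whether to "further restrict the cipher choice" needs to know the starting point. The closing pointer to ``openssl ciphers`` could also show the invocation with the example string ``'HIGH:!aNULL:!eNULL'``, so the check is directly tied to the value passed to :meth:`SSLContext.set_ciphers`.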