How to set ciphers in ssl python socket
Question:
I want to create my own list of ciphersuites using the cipher strings. The following code works if I put only one string in the set_ciphers function. But I want a customized list of ciphers. There is other format like: ALL:!COMPLEMENTOFDEFAULT:!eNULL but this does not do the purpose I need. I have a customized list of different ciphers that I can not combine using the second format.
import socket, ssl
import pprint
context = ssl.create_default_context()
cipher = ['DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES128-GCM-SHA256']
context.set_ciphers(cipher)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
domain = 'google.com'
sslSocket = context.wrap_socket(s, server_hostname = domain)
sslSocket.connect((domain, 443))
sslSocket.close()
print('closed')
The function set_ciphers can be found here.
Answers:
I could include more than one cipher simple by separating the ciphers with : and send all the ciphers as one string.
cipher = 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256'
context.set_ciphers(cipher)
This way, the client offers all the ciphers. You can make sure from this by calling context.get_ciphers() and you will see only the ciphers you inserted using set_cipher.
Even if ssl.SSLContext.get_ciphers returns the ciphers in a friendly format (a list of dictionaries), the other way around, things don’t work quite the same.
According to [Python.Docs]: ssl – SSLContext.set_ciphers(ciphers):
Set the available ciphers for sockets created with this context. It should be a string in the OpenSSL cipher list format.
Following [OpenSSL]: CIPHER LIST FORMAT:
The cipher list consists of one or more cipher strings separated by colons. Commas or spaces are also acceptable separators but colons are normally used.
Therefore, strings like "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256" should be used.
Translated to (your) code:
context.set_ciphers(":".join(cipher))
I want to create my own list of ciphersuites using the cipher strings. The following code works if I put only one string in the set_ciphers function. But I want a customized list of ciphers. There is other format like: ALL:!COMPLEMENTOFDEFAULT:!eNULL but this does not do the purpose I need. I have a customized list of different ciphers that I can not combine using the second format.
import socket, ssl
import pprint
context = ssl.create_default_context()
cipher = ['DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES128-GCM-SHA256']
context.set_ciphers(cipher)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
domain = 'google.com'
sslSocket = context.wrap_socket(s, server_hostname = domain)
sslSocket.connect((domain, 443))
sslSocket.close()
print('closed')
The function set_ciphers can be found here.
I could include more than one cipher simple by separating the ciphers with : and send all the ciphers as one string.
cipher = 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256'
context.set_ciphers(cipher)
This way, the client offers all the ciphers. You can make sure from this by calling context.get_ciphers() and you will see only the ciphers you inserted using set_cipher.
Even if ssl.SSLContext.get_ciphers returns the ciphers in a friendly format (a list of dictionaries), the other way around, things don’t work quite the same.
According to [Python.Docs]: ssl – SSLContext.set_ciphers(ciphers):
Set the available ciphers for sockets created with this context. It should be a string in the OpenSSL cipher list format.
Following [OpenSSL]: CIPHER LIST FORMAT:
The cipher list consists of one or more cipher strings separated by colons. Commas or spaces are also acceptable separators but colons are normally used.
Therefore, strings like "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256" should be used.
Translated to (your) code:
context.set_ciphers(":".join(cipher))