Disable Weak Ciphers With Cherrypy (python 2)

I'm using Cherrypy 3.8.0 with Python 2 to use SSL/TLS using pyOpenSSL. I want to disable SSL3 to avoid POODLE (or other weak ciphers). Here's what I have so far: server_config={

Solution 1:

To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).

import cherrypy
from OpenSSL importSSLctx= SSL.Context(SSL.SSLv23_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)

...

server_config = {
    'server.socket_host': '0.0.0.0',
    'server.socket_port': 443,
    'server.ssl_context': ctx
}

cherrypy.config.update(server_config)

where in this case, SSL is from the OpenSSL module.

It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.

Furthermore, you can specifically set all the ciphers you want with

ciphers = {
    'DHE-RSA-AE256-SHA',
    ...
    'RC4-SHA'
}

ctx.set_cipher_list(':'.join(ciphers))

If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with

CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))

Lastly, here are some sources (asking similar questions) that you may want to look at:

• How to block SSL protocols in favor of TLS?
• https://review.cloudera.org/r/4739/diff/
• http://roadha.us/2014/10/disable-sslv3-avoid-poodle-attack-web-py/
• http://blog.gosquadron.com/use-tls
• http://www.experts-exchange.com/questions/28073251/Disable-weak-SSL-cipher-on-CherryPy-pyOpenSSL-Windows-2008-Server.html