pyOpenSSL does not offer possibility to enable supported cipherlist ordered precedence

Bug #1245455 reported by Giovanni Pellerano
Affects: pyOpenSSL
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

pyOpenSSL does not offer possibility to enable supported cipherlist ordered precedence.

Currently, in fact, pyOpenSSL permits only the definition of the supported list but does not export the option needed to enable ordered preference, that is "SSL_OP_CIPHER_SERVER_PREFERENCE = 0x00400000L".

Due to this, pyOpenSSL is prone to the following two issues:

- Security issue: When more than one cipher is enabled (one secure and one more insecure), the more insecure one may be suggested first.

- Performance issue: When more than one cipher is enabled (only secure ones, but some faster than the others, like ECDH with respect to EDH), the slower one may be suggested first.

The bug has been spotted while developing Tor2web: https://github.com/globaleaks/Tor2web-3.0/issues/124

A workaround until the symbol is exported by pyOpenSSL is: https://github.com/globaleaks/Tor2web-3.0/commit/52652d1872e944591f9dfebf40935c499f43769d
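The following is an added example illustrating the report; it is not code from the bug report, from pyOpenSSL, or from the linked Tor2web commit. It shows what SSL_OP_CIPHER_SERVER_PREFERENCE changes in two ways: a simplified model of cipher-suite selection (the client's order wins unless the server-preference option is set), and a server context configured with an explicit cipher order plus the option, using the stdlib ssl module and, when installed, pyOpenSSL with the raw numeric value from the report. The cipher names and the client preference lists are constructed sample input; the negotiation model is a simplification of OpenSSL's real selection logic (no key-size or protocol-version filtering).

```python
"""Added example: effect of SSL_OP_CIPHER_SERVER_PREFERENCE (not project code)."""
import ssl

# Numeric value quoted in the bug report. The stdlib ssl module exports the
# same bit as ssl.OP_CIPHER_SERVER_PREFERENCE.
SSL_OP_CIPHER_SERVER_PREFERENCE = 0x00400000

# Constructed server cipher order: the faster ECDHE suite first, DHE second.
SERVER_ORDER = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"]


def negotiate(client_prefs, server_prefs, server_preference):
    """Return the suite that would be chosen, or None if nothing is shared.

    Simplified model of OpenSSL's selection: walk the list whose preference
    wins (server's if the option is set, otherwise the client's) and take the
    first entry the other side also supports.
    """
    shared = set(client_prefs) & set(server_prefs)
    leading = server_prefs if server_preference else client_prefs
    for cipher in leading:
        if cipher in shared:
            return cipher
    return None


def server_context(cipher_order):
    """Build a stdlib server-side SSLContext that enforces its own order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(":".join(cipher_order))
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def server_preference_enabled(ctx):
    """True if the server-preference bit is set on a stdlib SSLContext."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def tls12_cipher_order(ctx):
    """TLS 1.2 suite names in the order the context will offer them."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def pyopenssl_server_context(cipher_order):
    """Same configuration with pyOpenSSL, or None if it is not installed.

    The report's point is that the option name is not exported, so the raw
    value is passed to Context.set_options when the attribute is missing.
    """
    try:
        from OpenSSL import SSL
    except ImportError:
        return None
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_cipher_list(":".join(cipher_order).encode("ascii"))
    option = getattr(SSL, "OP_CIPHER_SERVER_PREFERENCE",
                     SSL_OP_CIPHER_SERVER_PREFERENCE)
    ctx.set_options(option)
    return ctx


if __name__ == "__main__":
    # Constructed client that prefers the slower DHE suite.
    client = ["DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
    print("client wins:", negotiate(client, SERVER_ORDER, False))
    print("server wins:", negotiate(client, SERVER_ORDER, True))
    ctx = server_context(SERVER_ORDER)
    print("option set:", server_preference_enabled(ctx))
    print("offered order:", tls12_cipher_order(ctx))
```

Running the module prints the suite each side would end up with; the same cipher list yields the DHE suite when the client's order is honoured and the ECDHE suite once the server-preference bit is set, which is the performance case described in the report (the security case is identical with a weaker suite in the client's first position).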

information type: Private Security → Public
information type: Public → Public Security
