Problem description
I have configured CherryPy 3.8.0 with Python 3 to use SSL/TLS. However, I want to disable SSL3 to avoid POODLE. I searched through the documentation but I am unsure how to implement it.
I am using the cherrypy/python built-in ssl module, not pyOpenSSL, which I am unable to use under Python 3.
Recommended answer
To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).
import cherrypy
import ssl

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3
ctx.load_cert_chain('cert.pem', 'privkey.pem')  # placeholder paths to your certificate and key
server_config = {'server.ssl_module': 'builtin',  # stdlib ssl adapter, using our own context
                 'server.ssl_certificate': 'cert.pem',
                 'server.ssl_private_key': 'privkey.pem',
                 'server.ssl_context': ctx}
cherrypy.config.update(server_config)
where in this case, SSL is from the OpenSSL module.
It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.
Furthermore, you can specifically set all the ciphers you want with
ciphers = {
    'DHE-RSA-AES256-SHA',
    # ... further cipher suite names as required
    'RC4-SHA',
}
ctx.set_ciphers(':'.join(ciphers))
If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with
CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))
Here is part of the documentation detailing the above: http://docs.cherrypy.org/en/latest/pkg/cherrypy.wsgiserver.html#module-cherrypy.wsgiserver.ssl_builtin
Lastly, here are some sources (asking similar questions) that you may want to look at:
- How to block the SSL protocol in favor of TLS?
- https://review.cloudera.org/r/4739/diff/
- http://roadha.us/2014/10/disable-sslv3-avoid-poodle-attack-web-py/
- http://blog.gosquadron.com/use-tls
- http://www.experts-exchange.com/questions/28073251/Disable-weak-SSL-cipher-on-CherryPy-pyOpenSSL-Windows-2008-Server.html