Improve simple_httpclient ssl configuration to pass howsmyssl.com.
authorBen Darnell <ben@bendarnell.com>
Thu, 13 Mar 2014 14:15:41 +0000 (10:15 -0400)
committerBen Darnell <ben@bendarnell.com>
Thu, 13 Mar 2014 14:15:41 +0000 (10:15 -0400)
Remove insecure cipher suites and disable TLS compression.  The option
to disable compression was only added in Python 3.3 so we do not
pass the test on older versions, but we come as close as possible with
the APIs available.

Closes #1014.

tornado/netutil.py
tornado/simple_httpclient.py

index 171873e66e4f27f40767a0c4bbcd3a692b62b378..d12a21602ab8cd377b063a98ce5a79e8d4c80489 100644 (file)
@@ -390,6 +390,10 @@ def ssl_options_to_context(ssl_options):
         context.load_verify_locations(ssl_options['ca_certs'])
     if 'ciphers' in ssl_options:
         context.set_ciphers(ssl_options['ciphers'])
+    if hasattr(ssl, 'OP_NO_COMPRESSION'):
+        # Disable TLS compression to avoid CRIME and related attacks.
+        # This constant wasn't added until python 3.3.
+        context.options |= ssl.OP_NO_COMPRESSION
     return context
 
 
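Review bot: The added `context.options |= ssl.OP_NO_COMPRESSION` is unconditional and nothing in the `ssl_options` dict can opt back in, so any caller that converts options through `ssl_options_to_context` gets this behaviour silently; that is a reasonable hardening default, but the comment should say so rather than only naming the attack. Suggested wording for the two comment lines: `# Disable TLS compression whenever the platform exposes the flag (no ssl_options key re-enables it) to avoid CRIME and related attacks.` followed by `# ssl.OP_NO_COMPRESSION wasn't added until Python 3.3, hence the hasattr guard.` Callers that build and pass an ssl.SSLContext themselves, if the surrounding code allows that, would bypass this path entirely; the function's signature and docstring are outside the hunk, so that caveat belongs there.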
index 73bfee89e4c26b12cefeb12e90af6db2e6c30eba..c7e6f1a940f3c38c4f6fcd6ed728971ae3696852 100644 (file)
@@ -236,7 +236,9 @@ class _HTTPConnection(object):
             # but nearly all servers support both SSLv3 and TLSv1:
             # http://blog.ivanristic.com/2011/09/ssl-survey-protocol-support.html
             if sys.version_info >= (2, 7):
-                ssl_options["ciphers"] = "DEFAULT:!SSLv2"
+                # In addition to disabling SSLv2, we also exclude certain
+                # classes of insecure ciphers.
+                ssl_options["ciphers"] = "DEFAULT:!SSLv2:!EXPORT:!DES"
             else:
                 # This is really only necessary for pre-1.0 versions
                 # of openssl, but python 2.6 doesn't expose version
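Review bot: In OpenSSL cipher-list syntax `!DES` matches only single-DES suites; triple-DES uses the separate `3DES` keyword and is still permitted by `"DEFAULT:!SSLv2:!EXPORT:!DES"`, as is anything else the linked OpenSSL's DEFAULT set contains. The new comment describes the string as excluding "certain classes of insecure ciphers", which reads as broader than what the string actually does; I would make it precise: `# !EXPORT drops export-grade suites and !DES drops single-DES; 3DES is a separate OpenSSL keyword and is not excluded here.` Note also that this string is only set on the `sys.version_info >= (2, 7)` branch at the top of the hunk, so the 2.6 `else` branch keeps whatever it had before. The enclosing `_HTTPConnection` method starts and ends outside the hunk.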