From: Ben Darnell Date: Thu, 13 Mar 2014 14:15:41 +0000 (-0400) Subject: Improve simple_httpclient ssl configuration to pass howsmyssl.com. X-Git-Tag: v4.0.0b1~104 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2226ff81b566d6af3df7da6a6461cf6a8356bc3;p=thirdparty%2Ftornado.git Improve simple_httpclient ssl configuration to pass howsmyssl.com. Remove insecure cipher suites and disable TLS compression. The option to disable compression was only added in Python 3.3 so we do not pass the test on older versions, but we come as close as possible with the APIs available. Closes #1014.
---
diff --git a/tornado/netutil.py b/tornado/netutil.py
index 171873e66..d12a21602 100644
--- a/tornado/netutil.py
+++ b/tornado/netutil.py
@@ -390,6 +390,10 @@ def ssl_options_to_context(ssl_options):
 context.load_verify_locations(ssl_options['ca_certs'])
 if 'ciphers' in ssl_options:
 context.set_ciphers(ssl_options['ciphers'])
+ if hasattr(ssl, 'OP_NO_COMPRESSION'):
+ # Disable TLS compression to avoid CRIME and related attacks.
+ # This constant wasn't added until python 3.3.
+ context.options |= ssl.OP_NO_COMPRESSION
 return context
diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
index 73bfee89e..c7e6f1a94 100644
--- a/tornado/simple_httpclient.py
+++ b/tornado/simple_httpclient.py
@@ -236,7 +236,9 @@ class _HTTPConnection(object):
 # but nearly all servers support both SSLv3 and TLSv1:
 # http://blog.ivanristic.com/2011/09/ssl-survey-protocol-support.html
 if sys.version_info >= (2, 7):
- ssl_options["ciphers"] = "DEFAULT:!SSLv2"
+ # In addition to disabling SSLv2, we also exclude certain
+ # classes of insecure ciphers.
+ ssl_options["ciphers"] = "DEFAULT:!SSLv2:!EXPORT:!DES"
 else:
 # This is really only necessary for pre-1.0 versions
 # of openssl, but python 2.6 doesn't expose version
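Review bot: The `context.options |= ssl.OP_NO_COMPRESSION` hardening added just before `return context` only reaches contexts this function builds from a dict; if `ssl_options_to_context` also accepts a ready-made `SSLContext` and hands it back unchanged (its opening lines are outside this hunk, so this is inferred), callers who supply their own context receive no compression protection and nothing tells them so. The function's docstring should state the limit explicitly, e.g. `TLS compression is disabled (on Pythons exposing ssl.OP_NO_COMPRESSION) only for contexts built here from a dict; a caller-supplied SSLContext is returned as-is.` The body of `ssl_options_to_context` begins outside the hunk.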
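Review bot: The new cipher string `"DEFAULT:!SSLv2:!EXPORT:!DES"` drops export-grade and single-DES suites, but OpenSSL's `DES` keyword does not match triple-DES (that is the separate `3DES` keyword), and RC4 and HMAC-MD5 suites stay negotiable, so the added comment `we also exclude certain classes of insecure ciphers` promises more than the string delivers. Either widen the exclusion, `ssl_options["ciphers"] = "DEFAULT:!SSLv2:!EXPORT:!DES:!RC4:!MD5"`, or make the comment precise: `# Exclude export-grade and single-DES suites; 3DES and RC4 remain enabled for compatibility with older servers.` Whether either form satisfies the howsmyssl check named in the commit message cannot be confirmed from the hunk. The enclosing method of `_HTTPConnection` starts and ends outside this hunk.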