
I am using the Python ssl library, which is built on OpenSSL. I use Ubuntu, which has OpenSSL 1.1.0g.

In OpenSSL 1.1.0g the cipher DES-CBC3-SHA is disabled by default. I need to configure my client with this cipher enabled. I need it for testing. In the SSL context, I found some ways that allow enabling some options that are disabled by default. For example, in this documentation the following negates SSL 3.0, which is disabled by default:

```python
import ssl

ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ctx.options &= ~ssl.OP_NO_SSLv3
```

How can I enable the cipher I need? I used:

```python
ctx.set_ciphers(myciphers)  # the method is set_ciphers(); it takes an OpenSSL cipher-list string
```

Where myciphers contains a list of ciphers. But this did not help, because the cipher is disabled by OpenSSL.

How to enable disabled ciphersuites in OpenSSL?

EDIT: Additionally, the Python ssl module documentation states that 3DES is not enabled by default since version 3.4, and I am using 3.6:

> 3DES was dropped from the default cipher string.

I need to enable a 3DES cipher for my client purpose. How to do this? Is there any way to do this using the ssl context options?

user9371654
  • 3DES is disabled in newer Debian and Ubuntu versions during compilation of OpenSSL. This means it is not possible to enable it from within Python since the necessary code is simply not compiled into the OpenSSL library. To have support for 3DES with system Python you need to rebuild the OpenSSL library with 3DES enabled. – Steffen Ullrich Aug 04 '18 at 13:54
  • @Steffen Ullrich thanks. Any useful links with easy, definite steps for building OpenSSL? Which versions? Any idea what the latest version of Ubuntu is that has an OpenSSL that supports 3DES and ChaCha? Because I tried Ubuntu 16 but ChaCha was missing. – user9371654 Aug 04 '18 at 14:00
  • @Steffen Ullrich the other problem is: how to get Python to use the compiled OpenSSL, not the built-in one? – user9371654 Aug 04 '18 at 14:01
  • An explanation on how to compile both OpenSSL and Python: https://stackoverflow.com/questions/23548188/how-do-i-compile-python-3-4-with-custom-openssl#23550964 (adapt for other versions of OpenSSL and enable your cipher). I would advise, in order not to pollute your system, to do that in a container, or at least a chroot. Of course the better solution for all of that would be to understand if/how you can do something to remove your constraint on DES-CBC3-SHA. For temporary solutions you could also use something like `stunnel` to deal with the TLS part and let Python not deal with all that. – Patrick Mevzek Aug 04 '18 at 18:47
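
The thread describes two different situations: 3DES merely dropped from Python's default cipher string, versus 3DES not compiled into the OpenSSL library that Python links against. The following check tells them apart; it is an added example, not part of the original question or comments, and the function name `cipher_status` and its three return labels are made up for illustration.

```python
import ssl


def cipher_status(name):
    """Classify a TLS 1.2-or-older cipher suite name for this Python build.

    Returns "default", "available-not-default" or "unavailable".
    """
    def offered(ctx):
        # get_ciphers() (Python 3.6+) lists the suites the context would offer.
        return any(c["name"] == name for c in ctx.get_ciphers())

    # Case 1: the suite is offered without any configuration.
    in_default = offered(ssl.create_default_context())

    # Case 2: the suite can be selected when requested explicitly by name.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)
        # TLS 1.3 suites can stay listed regardless of the string,
        # so confirm the requested name itself is present.
        selectable = offered(ctx)
    except ssl.SSLError:
        # Raised when the linked OpenSSL cannot select any cipher from the string.
        selectable = False

    if not selectable:
        return "unavailable"
    return "default" if in_default else "available-not-default"


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for suite in ("DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"):
        print(suite, "->", cipher_status(suite))
```

A result of "available-not-default" means `set_ciphers()` is enough; "unavailable" means the linked library cannot provide the suite, which matches the rebuilt-OpenSSL situation described in the comments.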

0 Answers