
Update: it seems that do_handshake is resetting the cipher list


Admittedly this is a very specific scenario, but maybe someone will have an idea. I'm trying to force a server to only accept RC4-SHA (for debug reasons only). My code looks something like:

    ctx.set_cipher_list('RC4-SHA')
    self.connection = SSL.Connection(ctx, self.connection)
    print self.connection.getpeername(), self.connection.get_cipher_list()

According to the printout, everything works, and indeed the connection is set up with RC4-SHA. However, looking at Wireshark, I can see that the server replied with another suite (TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)). Needless to say, the client proposed TLS_RSA_WITH_RC4_128_SHA (0x0005), so there was no reason not to use it.

I'm using Python 2.7, pyOpenSSL 0.13, OpenSSL 1.0.1e. The code I'm working on is part of mitmproxy.

Any ideas?

  • The server will always try and offer what it thinks is the best possible crypto-algorithm despite what you say you want. But in the end it's the joint selection of an algorithm that will be put into use. Correct me if I'm wrong but isn't that how it goes down? Sorta like the old SMTP handshake where the server said "I support X, X, X and X" and then it's up to the client to negotiate one of the options given. I'm no expert on SSL traffic but I'd assume it would go down something like that. Commented Aug 19, 2013 at 12:21
  • In SSL it's the other way around. The client proposes, and server chooses one. Since I'm working on the server side, I expect it to choose the suite I "hint" it to use. Commented Aug 19, 2013 at 12:27

1 Answer


Apparently there was a callback defined for the context in case the client specifies a server name:

    ctx.set_tlsext_servername_callback(handle_sni)

That callback defined a new context that apparently overrides the context with the defined ciphers during the handshake. The solution was to add the ciphers definition into that callback.
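The fix described in the answer, as an added pyOpenSSL example that is not from the question or from mitmproxy: the context swapped in by the SNI callback is built through the same factory as the listener context, so the cipher restriction is applied to it too. The cipher name is a constructed stand-in, since current OpenSSL builds no longer ship RC4-SHA; `make_server_context`, `handle_sni`, `allowed_ciphers` and `build_listener_context` are names chosen for this example.

```python
from OpenSSL import SSL

# Constructed for this example. The question restricted the server to RC4-SHA,
# which current OpenSSL builds no longer ship, so an available suite stands in.
CIPHER_LIST = b"AES128-GCM-SHA256"


def make_server_context(cipher_list=CIPHER_LIST):
    """Build a server context restricted to cipher_list.

    Loading the certificate and key (ctx.use_certificate_file /
    ctx.use_privatekey_file) is left out so the example runs without key material.
    """
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_cipher_list(cipher_list)
    return ctx


def handle_sni(conn):
    """SNI callback: swap in a context chosen for the requested hostname.

    Whatever context is installed here governs the rest of the handshake, so the
    cipher restriction has to be present on it as well. Building it through the
    same factory as the listener context guarantees that.
    """
    hostname = conn.get_servername()  # bytes, or None when the client sent no SNI
    # A real server would select the certificate for `hostname` here (hypothetical).
    per_host_ctx = make_server_context()
    conn.set_context(per_host_ctx)


def allowed_ciphers(ctx):
    """Return the cipher names a connection built on ctx will offer or accept."""
    # A Connection over a memory BIO (socket=None) is enough to inspect the list.
    return SSL.Connection(ctx, None).get_cipher_list()


def build_listener_context():
    """The original (listener) context, with the SNI callback attached."""
    ctx = make_server_context()
    ctx.set_tlsext_servername_callback(handle_sni)
    return ctx
```

With TLS 1.3 enabled, `get_cipher_list()` also lists the `TLS_*` 1.3 suites, which `set_cipher_list` does not govern; the TLS 1.2 list itself is reduced to the single configured suite.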
