From 2ea5fbdc86e3e0d3d7f6d89c6da7ae0d80a36dbc Mon Sep 17 00:00:00 2001
From: Daniel Pope
Date: Thu, 24 Jan 2019 21:41:04 +0000
Subject: [PATCH] Use Python's default SSL cipher list by default (#1970)
---
 docs/source/settings.rst | 17 +++++++++++++++--
 gunicorn/config.py | 17 +++++++++++++++--
 tests/test_ssl.py | 2 +-
 3 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/docs/source/settings.rst b/docs/source/settings.rst
index a9f05899..f67c5363 100644
--- a/docs/source/settings.rst
+++ b/docs/source/settings.rst
@@ -506,9 +506,22 @@ ciphers
 ~~~~~~~
 * ``--ciphers``
-* ``TLSv1``
+* ``None``
-Ciphers to use (see stdlib ssl module's)
+SSL Cipher suite to use, in the format of an OpenSSL cipher list.
+
+By default we use the default cipher list from Python's ``ssl`` module,
+which contains ciphers considered strong at the time of each Python
+release.
+
+As a recommended alternative, the Open Web App Security Project (OWASP)
+offers `a vetted set of strong cipher strings rated A+ to C- `_.
+OWASP provides details on user-agent compatibility at each security level.
+
+See the `OpenSSL Cipher List Format Documentation `_
+for details on the format of an OpenSSL cipher list.
 Security
 --------
diff --git a/gunicorn/config.py b/gunicorn/config.py
index 00710524..e460e627 100644
--- a/gunicorn/config.py
+++ b/gunicorn/config.py
@@ -1963,9 +1963,22 @@ class Ciphers(Setting):
 section = "SSL"
 cli = ["--ciphers"]
 validator = validate_string
- default = 'TLSv1'
+ default = None
 desc = """\
- Ciphers to use (see stdlib ssl module's)
+ SSL Cipher suite to use, in the format of an OpenSSL cipher list.
+
+ By default we use the default cipher list from Python's ``ssl`` module,
+ which contains ciphers considered strong at the time of each Python
+ release.
+
+ As a recommended alternative, the Open Web App Security Project (OWASP)
+ offers `a vetted set of strong cipher strings rated A+ to C- `_.
+ OWASP provides details on user-agent compatibility at each security level.
+
+ See the `OpenSSL Cipher List Format Documentation `_
+ for details on the format of an OpenSSL cipher list.
 """
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 6c16212a..97e05d86 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -72,4 +72,4 @@ def test_ciphers():
 assert Ciphers.name == 'ciphers'
 assert Ciphers.section == 'SSL'
 assert Ciphers.cli == ['--ciphers']
- assert Ciphers.default == 'TLSv1'
+ assert Ciphers.default is None
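Review bot: `default = None` now flows through the unchanged `validator = validate_string` and on to whichever call wraps the listening socket with TLS, and neither site is in the hunk, so nothing here shows that both tolerate `None` — `ssl.wrap_socket(ciphers=None)` falls back to the interpreter default, but `SSLContext.set_ciphers(None)` raises `TypeError`, so the wrapping path needs a guard if it goes through an `SSLContext`. The test hunk in tests/test_ssl.py only pins `Ciphers.default is None`; a test that builds the TLS wrapper from default settings would pin the behaviour the commit message actually promises. The new docstring's claim that the default list "contains ciphers considered strong at the time of each Python release" is really a property of the OpenSSL build the interpreter links against; I would phrase it as `the default cipher list from Python's ``ssl`` module (which depends on the OpenSSL it was built against)`. The `Ciphers` class begins before the hunk, so its `name` attribute and any remaining fields are not visible here.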