Use Python's default SSL cipher list by default (#1970)

Daniel Pope 2019-01-24 21:41:04 +00:00 committed by Benoit Chesneau
parent 7af6f651c0
commit 2ea5fbdc86
3 changed files with 31 additions and 5 deletions


@ -506,9 +506,22 @@ ciphers
~~~~~~~ ~~~~~~~
* ``--ciphers`` * ``--ciphers``
* ``TLSv1`` * ``None``
Ciphers to use (see stdlib ssl module's) SSL Cipher suite to use, in the format of an OpenSSL cipher list.
By default we use the default cipher list from Python's ``ssl`` module,
which contains ciphers considered strong at the time of each Python
release.
As a recommended alternative, the Open Web App Security Project (OWASP)
offers `a vetted set of strong cipher strings rated A+ to C-
<https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet>`_.
OWASP provides details on user-agent compatibility at each security level.
See the `OpenSSL Cipher List Format Documentation
<https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-LIST-FORMAT>`_
for details on the format of an OpenSSL cipher list.
Security Security
-------- --------


@ -1963,9 +1963,22 @@ class Ciphers(Setting):
section = "SSL" section = "SSL"
cli = ["--ciphers"] cli = ["--ciphers"]
validator = validate_string validator = validate_string
default = 'TLSv1' default = None
desc = """\ desc = """\
Ciphers to use (see stdlib ssl module's) SSL Cipher suite to use, in the format of an OpenSSL cipher list.
By default we use the default cipher list from Python's ``ssl`` module,
which contains ciphers considered strong at the time of each Python
release.
As a recommended alternative, the Open Web App Security Project (OWASP)
offers `a vetted set of strong cipher strings rated A+ to C-
<https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet>`_.
OWASP provides details on user-agent compatibility at each security level.
See the `OpenSSL Cipher List Format Documentation
<https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-LIST-FORMAT>`_
for details on the format of an OpenSSL cipher list.
""" """

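Review bot: The new `desc` text calls the option an OpenSSL cipher list but does not say which protocol versions that list governs. Python's `ssl` documentation notes that TLS 1.3 cipher suites cannot be disabled through `SSLContext.set_ciphers()`, so an operator who sets a restrictive string here may believe more is restricted than actually is. Assuming the value is handed to the `ssl` module as a cipher list (that code is not among the changed files), I would add a sentence such as `This list applies to TLS 1.2 and earlier; TLS 1.3 cipher suites are not affected by it.` With `default = None` the effective ciphers also depend on the Python and OpenSSL build the server runs on, which is worth stating for deployments that must pin a cipher policy. OWASP should be expanded as "Open Web Application Security Project"; the same wording appears in the documentation section above.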

@ -72,4 +72,4 @@ def test_ciphers():
assert Ciphers.name == 'ciphers' assert Ciphers.name == 'ciphers'
assert Ciphers.section == 'SSL' assert Ciphers.section == 'SSL'
assert Ciphers.cli == ['--ciphers'] assert Ciphers.cli == ['--ciphers']
assert Ciphers.default == 'TLSv1' assert Ciphers.default is None
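Review bot: The updated assertion in `test_ciphers` only pins the class attribute, so nothing checks that an unset `ciphers` value is accepted by the setting's validator or reaches the SSL setup as "no override". If `validate_string` is meant to pass `None` through, an assertion along the lines of `assert validate_string(None) is None` next to this one would catch a validator that rejects `None`. The body of `test_ciphers` starts outside the hunk, so any earlier assertions are not visible here.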