Question

Update: it seems that do_handshake is resetting the cipher list


Admittedly this is a very specific scenario, but maybe someone will have an idea. I'm trying to force a server to only accept RC4-SHA (for debug reasons only). My code looks something like:

    from OpenSSL import SSL

    # ctx is the SSL.Context built earlier; the cipher restriction is applied to it
    ctx.set_cipher_list('RC4-SHA')
    self.connection = SSL.Connection(ctx, self.connection)
    print self.connection.getpeername(), self.connection.get_cipher_list()

According to the printout, everything works, and indeed the connection is set up with RC4-SHA. However, looking at Wireshark, I can see that the server replied with another suite (TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)). Needless to say, the client proposed TLS_RSA_WITH_RC4_128_SHA (0x0005), so there was no reason not to use it.

I'm using Python 2.7, pyOpenSSL 0.13, OpenSSL 1.0.1e. The code I'm working on is part of mitmproxy.

Any ideas?


Solution

Apparently there was a callback defined for the context in case the client specifies a server name:

    ctx.set_tlsext_servername_callback(handle_sni)

that callback defined a new context that apparently overrides the context with the defined ciphers during the handshake. The solution was to add the ciphers definition into that callback.
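To make the pitfall concrete, here is an added example that is not part of the question, the answer or mitmproxy. It uses Python 3's standard `ssl` module instead of pyOpenSSL, because the mechanism is identical: an SNI callback that swaps in a fresh context hands OpenSSL a context with its own (default) cipher list, so the restriction applied to the original context is silently lost unless the callback re-applies it. The cipher name, the hostname and the `_FakeSSLObject` stand-in are assumptions; RC4-SHA from the question is not available in modern OpenSSL builds, so an available suite is used in its place.

```python
"""Added example (not from the question or mitmproxy): an SNI callback that
installs a new SSL context must re-apply the cipher restriction, otherwise
the handshake finishes with the new context's default cipher list."""
import ssl

# Assumption: a suite that current OpenSSL builds still offer, standing in for
# the RC4-SHA of the original question.
FORCED_CIPHER = "ECDHE-RSA-AES128-GCM-SHA256"


def tls12_cipher_names(ctx):
    """Ciphers this context will actually offer for TLS 1.2.

    TLS 1.3 suites are configured separately and are unaffected by
    set_ciphers, so they are filtered out of the comparison.
    """
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def install_sni_callback(ctx, cipher, reapply_ciphers):
    """Mirror the pattern from the answer: on SNI, build a per-hostname
    context and swap it in. reapply_ciphers=False is the buggy version."""
    def handle_sni(sslobj, server_name, original_ctx):
        new_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        # A real server would load the per-hostname certificate and key here.
        if reapply_ciphers:
            new_ctx.set_ciphers(cipher)  # the fix: restrict the *new* context too
        sslobj.context = new_ctx          # this context completes the handshake

    ctx.sni_callback = handle_sni
    return handle_sni


class _FakeSSLObject:
    """Constructed stand-in for the SSLObject the ssl module passes to the
    callback; only the .context attribute matters for this check."""

    def __init__(self, ctx):
        self.context = ctx


def context_used_for_handshake(reapply_ciphers, server_name="example.test"):
    """Configure a restricted context, replay the SNI callback the way the
    handshake would, and return the context OpenSSL would pick ciphers from."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(FORCED_CIPHER)  # the restriction the question applied
    handle_sni = install_sni_callback(ctx, FORCED_CIPHER, reapply_ciphers)
    obj = _FakeSSLObject(ctx)
    handle_sni(obj, server_name, ctx)
    return obj.context


if __name__ == "__main__":
    for label, fixed in (("buggy", False), ("fixed", True)):
        names = tls12_cipher_names(context_used_for_handshake(fixed))
        print("%-5s callback -> %d TLS 1.2 cipher(s): %s"
              % (label, len(names), ", ".join(names[:4])))
```

The check worth keeping from this is `get_ciphers()` on the context that is actually installed during the handshake, not on the one configured beforehand; `get_cipher_list()` on the original context, as in the question, reports a restriction that the replaced context never had.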

Licensed under: CC-BY-SA with attribution