Opened 9 years ago
Closed 9 years ago
#2782 closed bug (Fixed)
HTTPS negotiates with incorrect cipher
| Reported by: | Calum | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 1.3.13 |
| Component: | Web UI | Version: | 1.3.12 |
| Keywords: | | Cc: | |
Description
Snippet from original forum thread: http://forum.deluge-torrent.org/viewtopic.php?f=7&t=51545
I recently updated to v1.3.12 and noticed that the problem was still occurring, which brought me back here.
It's been quite a while since I looked at this, but my recollection of the problem was that the web-ui server was using some old/weird stuff to initialise twisted, which meant it wasn't getting a full list of available safe cipher suites. I believe the problem was caused by the "safe" cipher suites provided by the latest version of openssl not overlapping particularly well with those being allowed by the implementation of twisted in place in deluge and those that firefox would allow.
I removed the ServerContextFactory class (which was what I saw causing the problem) and re-wrote start_ssl() to set the certificate options itself and let twisted handle everything else like deciding which cipher suites were OK to use. This added a whole bunch of additional cipher suites available for negotiation.
With the current configuration the cipher that is negotiated is TLS_RSA_WITH_AES_128_CBC_SHA, which probably shouldn't be used even if it did work; with my update it negotiates TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
At the time I had planned on submitting a patch to the git repository but I wasn't able to get the develop branch to run even before I implemented my changes so I just left it as there didn't seem to be any active development at the time.
It might be worth looking into using this module in future to parse the cert and pkey: https://pypi.python.org/pypi/pem/
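The cipher-overlap problem described in this ticket can be modelled with Python's standard `ssl` module; this is an added illustration, not code from the ticket, Deluge or Twisted. The client list is a constructed approximation of a 2015-era browser's offer, and the "old" server context is modelled as a cipher string limited to RSA key exchange (an assumption standing in for a context with no ephemeral ECDH/DH parameters configured).

```python
import ssl

# Constructed stand-in for a 2015-era browser's ClientHello, in the browser's
# preference order: IANA suite name -> OpenSSL name.
CLIENT_OFFER = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}


def server_suites(cipher_string=None):
    """OpenSSL names the server accepts, in the server's own order.
    None keeps the library's default list (the "let the library decide"
    approach); a string is applied with set_ciphers(), which is how a
    hand-rolled context ends up with a narrow list. The server key is RSA,
    so ECDSA/DSS-authenticated suites are unusable whatever the string says."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if "ECDSA" not in c["name"] and "DSS" not in c["name"]]


def negotiate(server_cipher_string=None, server_preference=False):
    """IANA name of the suite a handshake would settle on, or None.
    Without SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL honours the client's
    order (first client suite the server supports); with it, the server's."""
    server = server_suites(server_cipher_string)
    if server_preference:
        by_openssl = {v: k for k, v in CLIENT_OFFER.items()}
        return next((by_openssl[n] for n in server if n in by_openssl), None)
    return next((iana for iana, n in CLIENT_OFFER.items() if n in server), None)


# "kRSA+AES" models a context that can only do static RSA key exchange
# (assumption); the default context leaves ECDHE suites available.
OLD_RESULT = negotiate("kRSA+AES")   # TLS_RSA_WITH_AES_128_CBC_SHA
NEW_RESULT = negotiate()             # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

Run under a different OpenSSL or Python default cipher string, the exact suite may differ, but the ephemeral-vs-static key-exchange split is what the comparison shows.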