pprint.pprint(context.get_ciphers(((也打印其他密码。我们如何强制使用密码和扩展?
import socket, ssl
import pprint
import ssl
context = ssl.create_default_context()
CIPHERS ="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-ECDSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES256-CBC-SHA:RSA-AES128-GCM-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-CBC-SHA:RSA-AES256-CBC-SHA:ECDHE-RSA-3DES-EDE-CBC-SHA:RSA-3DES-EDE-CBC-SHA:AES128-GCM-SHA256:CHACHA20-POLY1305-SHA256:AES:256-GCM-SHA384"
context.set_ciphers(CIPHERS)
pprint.pprint(context.get_ciphers())
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
domain = 'google.com'
sslSocket = context.wrap_socket(s, server_hostname = domain)
sslSocket.connect((domain, 443))
#context.options |= ssl.OP_NO_SSLv2
#context.options |= ssl.OP_NO_SSLv3
print(sslSocket.cipher())
print(sslSocket.version())
print(ssl.OPENSSL_VERSION)
sslSocket.close()
虽然还不清楚您对";我们看到除了上述"加密"之外的其他加密;你可能指的是像TLS_AES_128_GCM_SHA256这样的TLS 1.3密码。来自set_ciphers:的文档
OpenSSL 1.1.1默认启用TLS 1.3密码套件。不能使用set_ciphers((禁用套件。
如果你想禁用TLS 1.3密码,你必须禁用TLS 1.3:
context.options |= ssl.OP_NO_TLSv1_3
注意,这实际上并没有从get_ciphers的输出中删除密码,但它使这些密码不可用。要实际设置这些密码,需要调用OpenSSL API SSL_CTX_set_iphersuites。这个API还不能从Python中获得。