Tags: python, ssl, https, diffie-hellman

Anonymous DH connection with Python SSL


I'm trying to use anonymous Diffie-Hellman (ADH-AES256-GCM-SHA384) to wrap an HTTP connection in Python. I do need to use this specific cipher suite for my application. So here's what I'm starting with.

Server:

import ssl
from http.server import HTTPServer, SimpleHTTPRequestHandler

context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
context.set_ciphers("ADH-AES256-GCM-SHA384")

server = HTTPServer(("localhost", 8080), SimpleHTTPRequestHandler)
server.socket = context.wrap_socket(server.socket)
server.serve_forever()

Client:

import ssl
import http.client

context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
context.set_ciphers("ADH-AES256-GCM-SHA384")

connection = http.client.HTTPSConnection("localhost", 8080, context=context)
connection.connect()

And this is the error I get:

Traceback (most recent call last):
  File "main.py", line 8, in <module>
    connection.connect()
  File "/usr/lib/python3.8/http/client.py", line 1424, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1123)

Why are there no ciphers available if I'm setting the cipher on both client and server?

EDIT: I've changed the cipher list to "ADH-AES256-GCM-SHA384:@SECLEVEL=0" on both client and server. Now there is a different error:

Traceback (most recent call last):
  File "main.py", line 8, in <module>
    connection.connect()
  File "/usr/lib/python3.8/http/client.py", line 1424, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)

Solution

  • I found the solution here: Python SSL Server - Client Hello w/ only Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a) Fails

    My new server code looks like:

    import socketserver
    import ssl
    from http.server import SimpleHTTPRequestHandler

    sslContext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    sslContext.set_ciphers("ADH-AES256-GCM-SHA384:@SECLEVEL=0")
    sslContext.load_dh_params("params.pem")  # the DH group the anonymous key exchange needs; without it the ADH suite cannot be negotiated
    server = socketserver.TCPServer(("localhost", 8080), SimpleHTTPRequestHandler)
    server.socket = sslContext.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
    

    with params.pem containing Diffie-Hellman parameters with a 3072-bit key length, generated and serialized by the cryptography module.
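The answer's approach carried through end to end, as an added example that is not code from the question or the linked answer: generate and serialize the DH parameters with the cryptography module (falling back to the openssl CLI, my addition, when that module is not installed), load them into the ADH server context, and run a loopback handshake that shows a client at @SECLEVEL=0 negotiating ADH-AES256-GCM-SHA384 while a client at OpenSSL's default level fails the way the question describes. The function names and the loopback harness are mine.

```python
import os, pathlib, socket, ssl, subprocess, tempfile, threading

CIPHER = "ADH-AES256-GCM-SHA384"  # anonymous DH: no certificate, so no peer authentication

def write_dh_params(key_size=3072):
    """Generate DH parameters into a temp PEM file (the answer's params.pem); return its path."""
    path = os.path.join(tempfile.mkdtemp(), "params.pem")
    try:  # the cryptography module, as in the answer; the openssl CLI if it is not installed
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.asymmetric import dh
        pem = dh.generate_parameters(generator=2, key_size=key_size).parameter_bytes(
            serialization.Encoding.PEM, serialization.ParameterFormat.PKCS3)
        pathlib.Path(path).write_bytes(pem)
    except ImportError:
        subprocess.run(["openssl", "dhparam", "-out", path, str(key_size)],
                       check=True, stderr=subprocess.DEVNULL)
    return path

def server_context(dh_path):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    ctx.set_ciphers(CIPHER + ":@SECLEVEL=0")  # anonymous suites are refused above level 0
    ctx.load_dh_params(dh_path)               # without a DH group: SSLV3_ALERT_HANDSHAKE_FAILURE
    return ctx

def client_context(seclevel=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # seclevel=None keeps OpenSSL's default level
    ctx.set_ciphers(CIPHER if seclevel is None else f"{CIPHER}:@SECLEVEL={seclevel}")
    return ctx

def negotiate(server_ctx, client_ctx):
    """Loopback handshake on an ephemeral port: returns the cipher name or 'FAILED: <reason>'."""
    listener = socket.create_server(("127.0.0.1", 0))

    def serve():
        try:
            with server_ctx.wrap_socket(listener.accept()[0], server_side=True) as tls:
                tls.sendall(b"hi")
        except OSError:
            pass  # a failed handshake is reported on the client side

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with client_ctx.wrap_socket(socket.create_connection(listener.getsockname())) as tls:
            return tls.cipher()[0]          # "ADH-AES256-GCM-SHA384" for a SECLEVEL=0 client
    except ssl.SSLError as exc:
        return "FAILED: " + (exc.reason or str(exc))  # e.g. NO_CIPHERS_AVAILABLE, the question's error
    finally:
        worker.join()
        listener.close()
```

Calling negotiate(server_context(write_dh_params()), client_context(seclevel=0)) returns the ADH suite name, and the same call with client_context() returns FAILED: followed by the reason, the question's first error. Anonymous DH authenticates nobody: without a certificate nothing binds the exchanged key to a peer, which is why OpenSSL hides these suites above security level 0 and why they protect only against passive observation.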