From fcd3f7ece64fb9654c569e98997af873a6346094 Mon Sep 17 00:00:00 2001 From: Jakub Roztocil Date: Fri, 19 May 2023 22:26:33 +0200 Subject: [PATCH] Generate default ciphers using approach from #1501 --- httpie/cli/definition.py | 6 ++--- httpie/ssl_.py | 51 +++++++++------------------------------- tests/test_ssl.py | 4 ++-- 3 files changed, 16 insertions(+), 45 deletions(-) diff --git a/httpie/cli/definition.py b/httpie/cli/definition.py index 0e5f91ed..78e968f6 100644 --- a/httpie/cli/definition.py +++ b/httpie/cli/definition.py @@ -20,7 +20,7 @@ from httpie.output.formatters.colors import (AUTO_STYLE, DEFAULT_STYLE, BUNDLED_ get_available_styles) from httpie.plugins.builtin import BuiltinAuthPlugin from httpie.plugins.registry import plugin_manager -from httpie.ssl_ import AVAILABLE_SSL_VERSION_ARG_MAPPING, DEFAULT_SSL_CIPHERS +from httpie.ssl_ import AVAILABLE_SSL_VERSION_ARG_MAPPING, DEFAULT_SSL_CIPHERS_STRING options = ParserSpec( 'http', @@ -832,9 +832,9 @@ ssl.add_argument( help=f""" A string in the OpenSSL cipher list format. By default, the following - is used: + ciphers are used on your system: - {DEFAULT_SSL_CIPHERS} + {DEFAULT_SSL_CIPHERS_STRING} """, ) diff --git a/httpie/ssl_.py b/httpie/ssl_.py index f82d2826..af71dfb9 100644 --- a/httpie/ssl_.py +++ b/httpie/ssl_.py @@ -8,46 +8,7 @@ from urllib3.util.ssl_ import ( resolve_ssl_version, ) -# We used to import default SSL ciphers via `SSL_CIPHERS` from `urllib3` but it’s been removed, -# so we’ve copied the original list here. -# Our issue: -# Removal commit: -DEFAULT_SSL_CIPHERS = ":".join([ - # - # A secure default. - # Sources for more information on TLS ciphers: - # - # - https://wiki.mozilla.org/Security/Server_Side_TLS - # - https://www.ssllabs.com/projects/best-practices/index.html - # - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - # - # The general intent is: - # - prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE), - # - prefer ECDHE over DHE for better performance, - # - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and - # security, - # - prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common, - # - disable NULL authentication, MD5 MACs, DSS, and other - # insecure ciphers for security reasons. - # - NOTE: TLS 1.3 cipher suites are managed through a different interface - # not exposed by CPython (yet!) and are enabled by default if they're available. - "ECDHE+AESGCM", - "ECDHE+CHACHA20", - "DHE+AESGCM", - "DHE+CHACHA20", - "ECDH+AESGCM", - "DH+AESGCM", - "ECDH+AES", - "DH+AES", - "RSA+AESGCM", - "RSA+AES", - "!aNULL", - "!eNULL", - "!MD5", - "!DSS", - "!AESCCM", - # -]) + SSL_VERSION_ARG_MAPPING = { 'ssl2.3': 'PROTOCOL_SSLv23', 'ssl3': 'PROTOCOL_SSLv3', @@ -119,6 +80,10 @@ class HTTPieHTTPSAdapter(HTTPAdapter): cert_reqs=ssl.CERT_REQUIRED if verify else ssl.CERT_NONE ) + @classmethod + def get_default_ciphers_names(cls): + return [cipher['name'] for cipher in cls._create_ssl_context(verify=False).get_ciphers()] + def _is_key_file_encrypted(key_file): """Detects if a key file is encrypted or not. @@ -132,3 +97,9 @@ def _is_key_file_encrypted(key_file): return True return False + + +# We used to import the default set of TLS ciphers from urllib3, but they removed it. +# Instead, now urllib3 uses the list of ciphers configured by the system. +# +DEFAULT_SSL_CIPHERS_STRING = ':'.join(HTTPieHTTPSAdapter.get_default_ciphers_names()) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index ef72e2be..bf20a96d 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -7,7 +7,7 @@ import urllib3 from unittest import mock -from httpie.ssl_ import AVAILABLE_SSL_VERSION_ARG_MAPPING, DEFAULT_SSL_CIPHERS +from httpie.ssl_ import AVAILABLE_SSL_VERSION_ARG_MAPPING, DEFAULT_SSL_CIPHERS_STRING from httpie.status import ExitStatus from .utils import HTTP_OK, TESTS_ROOT, IS_PYOPENSSL, http @@ -146,7 +146,7 @@ def test_ciphers(httpbin_secure): r = http( httpbin_secure.url + '/get', '--ciphers', - DEFAULT_SSL_CIPHERS, + DEFAULT_SSL_CIPHERS_STRING, ) assert HTTP_OK in r