Customizing SSL ciphers

[splotsh]

Hi,

I'm trying to connect to a server that I have no control over, which seems to default to an insecure DH cipher, resulting in:
[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1129)

With Requests I'm able to set lower/insecure ciphers if necessary using:

requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':RC4-SHA'
requests.packages.urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST += ':RC4-SHA'

Can I do something similar with httpx?
Thanks

[tomchristie]

You can pass a custom ssl_context to the client instance.

You probably need something like this?...

import certifi
import ssl
import httpx

def custom_ssl_context()
    context = ssl.create_default_context()
    context.load_verify_locations(certifi.where())
    context.set_ciphers(...)
    return context

ssl_context = custom_ssl_context()
client = httpx.Client(ssl_context=ssl_context)

[splotsh]

Thanks Tom. I'm guessing you meant to use the 'verify' parameter, instead of ssl_context that you've used in your code sample.

I've got it working now by setting the ciphers to 'DEFAULT:!DH' as the Diffie Hellman ciphers were the insecure ones causing the issue.
However, according to this: https://www.python-httpx.org/advanced/#changing-the-verification-defaults the verify parameter can be set to False to disable SSL verification entirely. In this specific case, setting verify to False still throws an error because of the weak cipher - maybe this only disable validity checks on the certificate ?

[tomchristie]

I've got it working now by setting the ciphers to 'DEFAULT:!DH' as the Diffie Hellman ciphers were the insecure ones causing the issue.

Great - could you give a more complete example - eg exactly how are you setting context.set_ciphers(...)?
It'd potentially be a useful reference point for someone else in the future.

In this specific case, setting verify to False still throws an error because of the weak cipher - maybe this only disable validity checks on the certificate?

Good question. Not sure without doing some digging. Wonder if there's a good set of publicly available reference URLs we could use for testing certificate issues against? (Also are you able to share the URL you're attempting to access?)

[splotsh]

Sure. I'm now using the following to enable all default ciphers except for DH:
`def custom_ssl_context():
context = ssl.create_default_context()
context.set_ciphers('DEFAULT:!DH')
return context

ssl_context = utils.custom_ssl_context()

async with httpx.AsyncClient(http2=True,timeout=10.0,verify=ssl_context) as client:
`
The server I was testing this against was www.ternua.com.