Lukasa
commented
10 years ago I think this approach is OK because client cipher suites aren't authoritative anyway, the server makes the choice, so all I can really do is ensure that the server made a good choice.
Setting ourselves to a really restricted cipher list as mandated by the specification breaks on Ubuntu 12.04 because Ubuntu are fucking terrible. I've spent all of yesterday trying to fix this and come up blank, so I'm going to take a new option:
HTTP20Connectionproperty called 'strict TLS' (or similar), defaulting toTrue.HTTP20Connection.connect(), if that parameter isTrue, check the selected cipher.Unfortunately, I can't do this yet because PyOpenSSL doesn't support checking the used cipher until 0.15, which isn't out yet. Sigh.