
Disable TLS1.0 and TLS1.1 on Cherrypy, Python3

I am trying to disable TLS1.0, TLS1.1, SSL2, and SSL3 on my CherryPy server. I have seen the other Stack Overflow posts regarding how to disable them; however, when I follow the code samples, I get the following error: "ValueError: certfile must be specified for server-side operations". The Windows service is still running, however I cannot load any pages. I've tried adding the certificate_chain as well, but that prevents CherryPy from running at all.

I am running CherryPy as a Windows service, Python 3.4.4, CherryPy 5.0.1, pyOpenSSL 19.0.0.

I've tried using the built-in SSL library and pyOpenSSL; they both result in the same error.

import cherrypy  # needed for cherrypy.config.update() below
import OpenSSL.SSL as ssl

# Negotiate the highest protocol both sides support, then mask out the old ones.
context = ssl.Context(ssl.SSLv23_METHOD)
context.set_cipher_list('ECDHE-RSA-AES256-GCM-SHA384')
context.set_options(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
context.use_privatekey_file('myfile.key')
context.use_certificate_file('myfile.cer')

cherrypy.config.update({
    'global': {
        'server.socket_host': '0.0.0.0',
        'server.socket_port': 0000,  # https, however not using the port 443
        'server.ssl_context': context,
    },
})
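As an added example (not code from the question or from CherryPy), the same OP_NO_* restrictions applied to a standard-library ssl.SSLContext, together with a check that lists the protocol versions the context will still accept; the certfile and keyfile paths are hypothetical, and load_cert_chain() is what a server-side context needs before it can wrap a socket.

```python
import ssl
import warnings

# Protocol versions, the OP_NO_* bit that disables each, and the TLSVersion code.
# getattr() keeps this importable on interpreters that lack a constant (a value
# of 0 means the version is not available at all, e.g. SSLv2 on modern OpenSSL).
PROTOCOLS = (
    ("SSLv2",   getattr(ssl, "OP_NO_SSLv2", 0),   0x002),
    ("SSLv3",   getattr(ssl, "OP_NO_SSLv3", 0),   0x300),
    ("TLSv1.0", getattr(ssl, "OP_NO_TLSv1", 0),   0x301),
    ("TLSv1.1", getattr(ssl, "OP_NO_TLSv1_1", 0), 0x302),
    ("TLSv1.2", getattr(ssl, "OP_NO_TLSv1_2", 0), 0x303),
    ("TLSv1.3", getattr(ssl, "OP_NO_TLSv1_3", 0), 0x304),
)


def build_server_context(certfile=None, keyfile=None):
    """Server-side context that only negotiates TLS 1.2 or newer.

    certfile/keyfile are hypothetical paths. Without a loaded certificate a
    server-side wrap fails, which is the ValueError the question reports.
    """
    proto = getattr(ssl, "PROTOCOL_TLS_SERVER", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(proto)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # OP_NO_* deprecated on 3.10+
        for _name, flag, _ver in PROTOCOLS[:4]:  # SSLv2, SSLv3, TLSv1.0, TLSv1.1
            ctx.options |= flag
    if hasattr(ssl, "TLSVersion"):  # modern replacement for the OP_NO_* bits
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384")  # same suite as the question
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def enabled_protocols(ctx):
    """Names of the versions ctx still allows, judged from the OP_NO_* bits
    and, where the interpreter has them, minimum_version/maximum_version."""
    tv = getattr(ssl, "TLSVersion", None)
    enabled = []
    for name, flag, ver in PROTOCOLS:
        if flag == 0 or ctx.options & flag:
            continue
        if tv is not None:
            lo, hi = ctx.minimum_version, ctx.maximum_version
            if lo != tv.MINIMUM_SUPPORTED and ver < lo:
                continue
            if hi != tv.MAXIMUM_SUPPORTED and ver > hi:
                continue
        enabled.append(name)
    return enabled
```

Run enabled_protocols() on the context before handing it to the server; anything older than TLSv1.2 in the result means the restriction did not take.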

Looks like there may be some issues in syntax: ssl.OP_NO_TLSv1 s/b ssl.SSL.OP_NO_TLSv1 (per the pyOpenSSL documentation). This affects all of the OP* variables.

Oh, wait... never mind that.

Is myfile.cer in PEM format? According to the docs it appears that PEM is the default filetype, which may be the cause of the error.

I'm also trying to figure out how to use ECDHE with CherryPy, but with other web servers, to use ECDHE there needs to be a curve file to generate the ephemeral key instead of a static key file (RSA style). It doesn't appear that CherryPy has built-in capabilities for the curve file, so it may only be possible with pyOpenSSL. The command to get the supported curves is OpenSSL.crypto.get_elliptic_curves() and you can specify the curve you want with context.set_tmp_ecdh(curve).
