Use OpenSSL default ciphers

Twisted default TLS options restricts the ciphers list a bit -- "a secure default" https://github.com/twisted/twisted/blob/e38cc25a67747899c6984d6ebaa8d3d134799415/src/twisted/internet/_sslverify.py#L1861 We want to be a bit more permissive with Scrapy (at least as permissive as Scrapy 1.0 was, and which used a default OpenSSL Context) See https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER_STRINGS OpenSSL's 'DEFAULT' seems to be reasonable enough. Fixes #2311

Use OpenSSL default ciphers
Twisted default TLS options restricts the ciphers list a bit -- "a secure default" https://github.com/twisted/twisted/blob/e38cc25a67747899c6984d6ebaa8d3d134799415/src/twisted/internet/_sslverify.py#L1861 We want to be a bit more permissive with Scrapy (at least as permissive as Scrapy 1.0 was, and which used a default OpenSSL Context) See https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER_STRINGS OpenSSL's 'DEFAULT' seems to be reasonable enough. Fixes #2311
c3411373 · Paul Tremberth · 3235bfeb · c3411373 · c3411373
隐藏空白更改
内联并排

Showing with 7 addition and 2 deletion

scrapy/core/downloader/contextfactory.py scrapy/core/downloader/contextfactory.py +4 -2

scrapy/core/downloader/tls.py scrapy/core/downloader/tls.py +3 -0

未找到文件。
--- a/scrapy/core/downloader/contextfactory.py
+++ b/scrapy/core/downloader/contextfactory.py
@@ -13,7 +13,7 @@ try:
    from twisted.web.client import BrowserLikePolicyForHTTPS
    from twisted.web.iweb import IPolicyForHTTPS

-    from scrapy.core.downloader.tls import ScrapyClientTLSOptions
+    from scrapy.core.downloader.tls import ScrapyClientTLSOptions, DEFAULT_CIPHERS


    @implementer(IPolicyForHTTPS)
@@ -46,7 +46,9 @@ try:
            #   not calling super(..., self).__init__
            return CertificateOptions(verify=False,
                        method=getattr(self, 'method',
-                                       getattr(self, '_ssl_method', None)))
+                                       getattr(self, '_ssl_method', None)),
+                        fixBrokenPeers=True,
+                        acceptableCiphers=DEFAULT_CIPHERS)

        # kept for old-style HTTP/1.0 downloader context twisted calls,
        # e.g. connectSSL()

--- a/scrapy/core/downloader/tls.py
+++ b/scrapy/core/downloader/tls.py
@@ -28,6 +28,7 @@ try:
        SSL_CB_HANDSHAKE_START = 0x10
        SSL_CB_HANDSHAKE_DONE = 0x20

+    from twisted.internet.ssl import AcceptableCiphers
    from twisted.internet._sslverify import (ClientTLSOptions,
                                             _maybeSetHostNameIndication,
                                             verifyHostname,
@@ -60,6 +61,8 @@ try:
                        'from host "{}" (exception: {})'.format(
                            self._hostnameASCII, repr(e)))

+    DEFAULT_CIPHERS = AcceptableCiphers.fromOpenSSLCipherString('DEFAULT')
+
 except ImportError:
    # ImportError should not matter for older Twisted versions
    # as the above is not used in the fallback ScrapyClientContextFactory