0
votes

I am having problems making SSL connections with IDEA-CBC-SHA on Python 2.7 / Win XP.

This is the code:

import ssl

# OpenSSL cipher-list string; a single suite name means "offer only this suite"
ciphers = "IDEA-CBC-SHA"

# self.sock is a plain, not yet connected socket; keyfile/certfile are the
# paths of the client's PEM private key and certificate
ssl_sock = ssl.wrap_socket(self.sock,
                           keyfile=keyfile,
                           certfile=certfile,
                           ciphers=ciphers)

ssl_sock.connect((address, port))

And this is the result:

SSLError: _ssl.c:319: No cipher can be selected.

When I query openssl, I see IDEA-CBC-SHA as one of the listed ciphers:

OpenSSL> ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

I've tested with other ciphers (DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA), and they all worked fine.

Any idea why my SSL connection might be failing for this specific cipher?

Is there some way to disable (and then enable) ciphers?

Thanks!

1
IDEA support (and MDC2 & RC5) is somewhat uncommon because of patent concerns. Most distros build their OpenSSL libs without it, and naturally most servers use whatever comes with their distro. Browsers don't support it for the same reason. - SilverbackNet

@SilverbackNet so what does it mean when I run the ciphers command on the OpenSSL command line? Is that not the list of ciphers it supports? If IDEA-CBC-SHA is listed, does that not confirm it is supported? If not, then is there some way to determine what ciphers my system supports? Thanks. - Mark Irvine

1 Answer

2
votes

Any idea why my ssl connection might be failing for this specific cipher?

Perhaps the server you are connecting to does not support IDEA. A packet capture would confirm this.

EDIT: In an SSL connection, the client suggests a list of cipher options it is willing to use. The server selects one of the options from that list that the server finds acceptable. If the server does not like any options the client proposed, then the connection will fail, because the server is unable to select a cipher suite.
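The following script is an added example, written for this page and not code from the question's author or the answerer. It covers two things raised above: the comment's question of how to tell which suites the local OpenSSL library really supports (and how to disable a suite with the cipher-string syntax), and the answer's EDIT describing how the server picks one suite from the client's list. It uses Python 3's ssl.SSLContext (get_ciphers() exists from Python 3.6), which the Python 2.7 wrap_socket() call in the question does not offer. The two suite lists, the HandshakeFailure exception and the negotiate() function are constructed for the demonstration; they model the handshake step and are not part of the ssl module.

```python
import ssl

# Exact message Python's _ssl module raises when the OpenSSL cipher-list
# string matches nothing in the library the interpreter was linked against.
NO_CIPHER_MSG = "No cipher can be selected."


class HandshakeFailure(Exception):
    """Raised by negotiate() (a model, not an ssl-module class) when the
    client and server share no cipher suite."""


def local_cipher_names(cipher_string="ALL:COMPLEMENTOFALL"):
    """Names of the suites the OpenSSL library linked into *this* interpreter
    enables for an OpenSSL cipher-list string.  This is the list that matters
    for the client side of ssl.wrap_socket(); the `openssl ciphers` command
    may be backed by a differently built library.  Exclusions use the usual
    syntax, e.g. "ALL:COMPLEMENTOFALL:!IDEA" disables every IDEA suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [suite["name"] for suite in ctx.get_ciphers()]


def cipher_available(cipher_string):
    """True if `cipher_string` matches at least one suite in the local library.

    SSLContext.set_ciphers() makes the same OpenSSL cipher-list call that
    ssl.wrap_socket(ciphers=...) makes, and Python raises
    SSLError("No cipher can be selected.") when nothing matches, before
    any connection is attempted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        if NO_CIPHER_MSG in str(exc):
            return False
        raise
    return True


def negotiate(client_offer, server_supported, server_preference=True):
    """Model of the handshake step the answer describes.

    The client lists the suites it is willing to use (its ClientHello order);
    the server chooses one it also supports, either by its own preference
    order or by the client's, and the handshake fails when the two lists
    have nothing in common.  Returns the chosen suite name."""
    if server_preference:
        chosen = next((s for s in server_supported if s in client_offer), None)
    else:
        chosen = next((c for c in client_offer if c in server_supported), None)
    if chosen is None:
        raise HandshakeFailure(
            "server found no acceptable suite in the client's list "
            "(OpenSSL reports this on the server side as 'no shared cipher')")
    return chosen


# Constructed sample lists: a server built without IDEA, as the SilverbackNet
# comment describes, and a client offering only IDEA-CBC-SHA, as in the question.
SERVER_SUITES = ["AES256-SHA", "DES-CBC3-SHA", "RC4-SHA", "AES128-SHA"]
IDEA_ONLY_OFFER = ["IDEA-CBC-SHA"]
FALLBACK_OFFER = ["IDEA-CBC-SHA", "AES128-SHA", "DES-CBC3-SHA"]


def demo():
    """Run both checks and return a small report dict."""
    report = {
        "local_suite_count": len(local_cipher_names()),
        "idea_in_local_build": cipher_available("IDEA-CBC-SHA"),
    }
    try:
        negotiate(IDEA_ONLY_OFFER, SERVER_SUITES)
        report["idea_only"] = "connected"
    except HandshakeFailure as exc:
        report["idea_only"] = str(exc)
    report["with_fallback"] = negotiate(FALLBACK_OFFER, SERVER_SUITES)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run cipher_available("IDEA-CBC-SHA") first on a client that shows the error from the question: that message is produced while the cipher list is being installed in the local context, so a False result means the interpreter's own OpenSSL lacks the suite and no packet capture is needed. If it returns True, the negotiation model is the case to look at, and a capture of the ServerHello (or the server's handshake alert) shows which side rejected the list.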