python ssl openssl self-signed-certificate

generate self-signed cert with TLS_AES_128_GCM_SHA256


I want to create a self-signed cert with cipher TLS_AES_128_GCM_SHA256 and use it for a Python web server.

my python code:

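from socket import *
import ssl

# Context pinned to TLS 1.2, as posted
sslContext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
sslContext.load_cert_chain(certfile="ssl/cert.crt", keyfile="ssl/key.pem")

# IPv4 TCP listener (AF_INET == 2, SOCK_STREAM == 1)
server = socket(AF_INET, SOCK_STREAM)
server.bind(("0.0.0.0", 443))
server.listen()

while True:
    connection, address = server.accept()
    # sslContext is a module-level name; there is no `self` in this scope
    connection = sslContext.wrap_socket(connection, server_side=True)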

Solution

  • The cipher is mostly independent of the certificate. For protocols TLS 1.2 and less, the only part of the cipher depending on the certificate is the authentication method, i.e. RSA or ECDSA. For TLS 1.3 even this dependency is gone.

    In other words: it is not possible to create a certificate with TLS_AES_128_GCM_SHA256. Since this is a TLS 1.3 cipher one could create a TLS connection with this cipher basically using arbitrary certificates (including self-signed) though.

    sslContext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)

    But, this explicit restriction to TLS 1.2 in the code means that this TLS 1.3 cipher will not be used, no matter the certificate.
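
The two points of the answer, as an added example that is not code from the original post: it creates one RSA and one ECDSA self-signed certificate and compares what gets negotiated when TLS 1.3 is allowed and when the server is capped at TLS 1.2. It assumes the `openssl` command-line tool (1.1.1 or newer) is on PATH; `make_self_signed`, `negotiate` and `compare` are names made up for this example.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(directory, key_type):
    """Create a throwaway self-signed cert for 'localhost' with the openssl CLI."""
    cert = os.path.join(directory, key_type + ".crt")
    key = os.path.join(directory, key_type + ".pem")
    newkey = {"rsa": ["-newkey", "rsa:2048"],
              "ec": ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"]}[key_type]
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    *newkey, "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def negotiate(cert, key, server_max=None):
    """Handshake over a local socket pair; return (protocol version, cipher name)."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # negotiates the highest shared version
    server_ctx.load_cert_chain(certfile=cert, keyfile=key)
    if server_max is not None:
        server_ctx.maximum_version = server_max            # cap: no TLS 1.3 suite can be chosen
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies certificate and hostname
    client_ctx.load_verify_locations(cafile=cert)          # trust only this self-signed cert
    server_sock, client_sock = socket.socketpair()

    def serve():
        with server_ctx.wrap_socket(server_sock, server_side=True) as tls:
            tls.sendall(b"x")

    thread = threading.Thread(target=serve)
    thread.start()
    with client_ctx.wrap_socket(client_sock, server_hostname="localhost") as tls:
        tls.recv(1)                      # wait until the server side has finished too
        result = (tls.version(), tls.cipher()[0])
    thread.join()
    return result

def compare():
    """Run both certificate types with TLS 1.3 allowed and with a TLS 1.2 cap."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for key_type in ("rsa", "ec"):
            cert, key = make_self_signed(d, key_type)
            out[key_type, "default"] = negotiate(cert, key)
            out[key_type, "tls12"] = negotiate(cert, key, ssl.TLSVersion.TLSv1_2)
    return out

if __name__ == "__main__":
    for case, result in compare().items():
        print(case, result)
```

Which TLS 1.3 suite is picked follows OpenSSL's preference order, so the uncapped runs commonly report TLS_AES_256_GCM_SHA384 rather than TLS_AES_128_GCM_SHA256; the certificate plays no part in that choice.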