I am configuring an SSL context to be HIPAA compliant. According to this document, the connection must use at least TLS 1.2+ and use one of the approved ciphers. How do I configure the context to use the right ciphers and protocol? I can't seem to find examples of this. What I am trying right now is the following:
    import ssl
    import imaplib as imap


    class GmailClient:
        allowed_ciphers = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM8:DH-RSA-AES256-GCM-SHA384:DH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256"

        def __init__(self, email=None, app_password=None, imap_host="imap.gmail.com"):
            self.email = email
            self.app_password = app_password
            # This code is the IMAP *client*, so the context must verify the server's
            # certificate: Purpose.SERVER_AUTH (CLIENT_AUTH is for a server checking clients
            # and leaves verify_mode=CERT_NONE and check_hostname=False).
            context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
            # Disable everything below TLS 1.2 (context.minimum_version = ssl.TLSVersion.TLSv1_2
            # is the non-deprecated equivalent on Python 3.7+).
            context.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
            # Restricts the TLS 1.2 cipher suites; TLS 1.3 suites are not affected by set_ciphers().
            context.set_ciphers(self.allowed_ciphers)
            self.imap_client = imap.IMAP4_SSL(
                host=imap_host,
                port=imap.IMAP4_SSL_PORT,
                ssl_context=context,
            )
I have no idea if this will produce a properly configured SSL context or even how to troubleshoot it.
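As an added example (not the asker's code): a client-side context that meets the stated policy, beside an offline audit function that reports what the context will actually offer, so a misconfiguration such as the posted `Purpose.CLIENT_AUTH` shows up without opening a connection. It assumes the OpenSSL-named TLS 1.2 suites from the post's list; the `TLS13-...` names are left out because OpenSSL does not recognise them and Python cannot restrict TLS 1.3 suites through `set_ciphers()`.

```python
import ssl

# Constructed allow-list for this example: the TLS 1.2 suites from the post that
# OpenSSL knows under these names.
ALLOWED_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
)


def build_client_context(cipher_string=ALLOWED_CIPHERS):
    """Context for an IMAP client: server verified, TLS 1.2 floor, restricted suites."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # non-deprecated form of the OP_NO_* flags
    ctx.set_ciphers(cipher_string)                # TLS 1.2 suites; SSLError if none match
    return ctx


def context_as_posted(cipher_string=ALLOWED_CIPHERS):
    """The post's construction, kept for contrast: CLIENT_AUTH is the server-side purpose."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    ctx.set_ciphers(cipher_string)
    return ctx


def audit_context(ctx, cipher_string):
    """Return a list of policy violations found on ctx; an empty list means it passes."""
    allowed = set(cipher_string.split(":"))
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: server certificate is not checked")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: certificate is not bound to the IMAP host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version %s is below TLS 1.2" % ctx.minimum_version.name)
    for suite in ctx.get_ciphers():  # what OpenSSL will actually offer in the ClientHello
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are AEAD-only and cannot be changed from Python
        if suite["name"] not in allowed:
            problems.append("unexpected TLS 1.2 suite offered: %s" % suite["name"])
    return problems


if __name__ == "__main__":
    for label, ctx in (("client", build_client_context()), ("posted", context_as_posted())):
        print(label, audit_context(ctx, ALLOWED_CIPHERS) or "OK")
```

Running the audit against the posted construction lists the missing certificate verification and host-name check, which a successful handshake with `imap.gmail.com` would otherwise hide.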