[issue31429] TLS cipher suite compile time option for downstream

Tue, 12 Sep 2017 06:23:46 -0700 

New submission from Christian Heimes:

Python overrides OpenSSL's default cipher suites because the default selection 
used to be pretty bad and insecure. Python disables cipher suites with insecure 
algorithm such as RC4, MD5, DES, and 3DES. The SSL module has hard-coded cipher 
strings for SSLContext and ssl.create_default_context() in multiple places:

* https://github.com/python/cpython/blob/v3.6.2/Modules/_ssl.c#L2693
* https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L387
* https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L503

However the cipher suite overrides makes it harder for vendors and downstream 
to enforce consistent policies. For example the hard-coded strings disable 
Fedora's crypto policy, https://fedoraproject.org/wiki/Changes/CryptoPolicy . 
Fedora has patched OpenSSL to support a "PROFILE=SYSTEM" cipher suite string. 
The string causes OpenSSL to read crypto settings from a system wide 
configuration file.

In order to make it easier to override the default string, Python should have a 
configure option --with-ssl-default-suite that defines a PY_SSL_DEFAULT_SUITE 
macro. In the absence of the option / macro, Python shall set a sensible 
default suite. Application are encouraged to use this default suite list. They 
are still free to override the default by calling SSLContext's set_ciphers() 
method.

Fedora's OpenSSL patch: 
https://src.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-system-cipherlist.patch?h=f26

----------
assignee: christian.heimes
components: SSL
messages: 301957
nosy: christian.heimes
priority: normal
severity: normal
stage: needs patch
status: open
title: TLS cipher suite compile time option for downstream
type: security
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31429>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to