Eman Alashwali <eman.alashw...@gmail.com> added the comment:
Thanks. Just to clarify regarding your comment: "Applications shouldn't modify the cipher suites any more.": I use Python to develop scripts for running experiments, which requires me to simulate specific clients precisely, including their TLS 1.3 cipher order. As you know, TLS 1.3 cannot have weak ciphers, and only 3 or 4 secure ones are permitted by design. But still, the order should be accurate in simulation experiment settings. This is different from ordinary development. It is a bit disappointing that the developer can re-order the weaker ones (in TLS 1.2) but not the TLS 1.3 ones. However, thanks again for your reply.

On Sun, Mar 31, 2019 at 8:46 PM Christian Heimes <rep...@bugs.python.org> wrote:
>
> Christian Heimes <li...@cheimes.de> added the comment:
>
> I don't have plans to implement cipher suite selection for TLS 1.3 any
> time soon, maybe not at all. TLS 1.3 changed cipher selection a lot, making
> the API more complicated. The signature algorithm and key agreement groups
> are handled as separate extensions, resulting in three additional APIs.
>
> Applications shouldn't modify the cipher suites any more. These days TLS
> libraries provide a good and safe selection of suites. Weak ciphers should
> be disabled by either a security update of the TLS library or system-wide
> settings.
>
> There is one workaround: You can influence connection parameters with an
> OpenSSL config file [1][2] by setting the OPENSSL_CONF env var. OpenSSL parses
> the file only once, so you have to set it before you start Python.
>
> [1] https://www.openssl.org/docs/manmaster/man5/config.html
> [2] https://fedoraproject.org/wiki/Changes/CryptoPolicy
>
> ----------
>
> _______________________________________
> Python tracker <rep...@bugs.python.org>
> <https://bugs.python.org/issue36484>
> _______________________________________

----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36484>
_______________________________________
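The OPENSSL_CONF workaround from the quoted reply, worked through as an added example (this is not code from the tracker thread, from CPython, or from OpenSSL). It pins the TLS 1.3 suite order for a Python client without any ssl-module API: the config file uses the openssl_conf -> ssl_conf -> system_default section chain documented in OpenSSL's config(5), which is also how the Fedora crypto policy in [2] applies system-wide defaults. The suite order WANTED_ORDER is a constructed choice for the demonstration (ChaCha20 first, unlike OpenSSL's built-in default), and the function names and the temp-file layout are this example's own. Because OpenSSL reads the config once at library initialisation, the pinned order is checked from a fresh interpreter started with OPENSSL_CONF in its environment; changing the variable inside an already-running process has no effect.

```python
"""Pin the TLS 1.3 cipher suite order of a Python client via OPENSSL_CONF.

Added example, not part of the Python tracker thread. Requires OpenSSL 1.1.1+
(TLS 1.3 support and automatic config loading in OPENSSL_init_ssl).
"""
import json
import os
import ssl
import subprocess
import sys
import tempfile

# Constructed order for the experiment: deliberately not OpenSSL's default
# (which lists TLS_AES_256_GCM_SHA384 first), so a successful pin is visible.
WANTED_ORDER = [
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]


def render_openssl_conf(tls13_suites):
    """Return the text of an OpenSSL config file that pins the TLS 1.3 order.

    Section names follow config(5): the default section names the module
    section, the ssl_conf module names the section applied to every new
    SSL_CTX ("system_default"), and that section carries the SSL_CONF
    command "Ciphersuites" (TLS 1.3 suites; "CipherString" would be TLS 1.2).
    """
    return (
        "openssl_conf = default_conf\n"
        "\n"
        "[default_conf]\n"
        "ssl_conf = ssl_sect\n"
        "\n"
        "[ssl_sect]\n"
        "system_default = system_default_sect\n"
        "\n"
        "[system_default_sect]\n"
        f"Ciphersuites = {':'.join(tls13_suites)}\n"
    )


def tls13_supported():
    """True if the linked OpenSSL can negotiate TLS 1.3 at all."""
    return bool(getattr(ssl, "HAS_TLSv1_3", False))


def tls13_order(ctx=None):
    """TLS 1.3 suites in the order the given (or a fresh client) context offers them."""
    ctx = ctx or ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


# Code run in the child interpreter: report its TLS 1.3 order as JSON.
_CHILD_PROBE = (
    "import json, ssl; c = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT); "
    "print(json.dumps([x['name'] for x in c.get_ciphers() "
    "if x['protocol'] == 'TLSv1.3']))"
)


def tls13_order_under_conf(tls13_suites):
    """Start a fresh interpreter with OPENSSL_CONF set and return the order it sees.

    A new process is required: OpenSSL parses the config file only once, when
    the library initialises, so OPENSSL_CONF must be set before Python starts.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        conf_path = os.path.join(tmpdir, "openssl.cnf")
        with open(conf_path, "w", encoding="ascii") as fh:
            fh.write(render_openssl_conf(tls13_suites))
        env = dict(os.environ, OPENSSL_CONF=conf_path)
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD_PROBE],
            env=env, capture_output=True, text=True, check=True,
        )
        return json.loads(proc.stdout)


def main():
    if not tls13_supported():
        print("linked OpenSSL has no TLS 1.3; nothing to pin")
        return
    print("baseline order :", tls13_order())
    print("pinned order   :", tls13_order_under_conf(WANTED_ORDER))


if __name__ == "__main__":
    main()
```

Two caveats for anyone using this for real experiments: OPENSSL_CONF replaces the system-wide openssl.cnf entirely, so anything the system file provided (on OpenSSL 3 the provider sections, on Fedora the crypto-policy include) has to be carried into the experiment file as well; and `Ciphersuites` only reorders what OpenSSL already accepts for TLS 1.3, it cannot add suites, which matches the point in the quoted reply that applications should not be choosing TLS 1.3 suites on their own.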