On 06/22/2017 01:04 AM, Victor Stinner wrote:
> About the cipher list in ssl, the change itself is simple but it's to
> blacklist DES and 3DES since it has been proved that these ciphers are
> really too weak nowadays:
> http://python-security.readthedocs.io/vuln/cve-2016-2183_sweet32_attack_des_3des.html

Not "blacklist"--IIUC the user can still manually specify whatever
cipher suites they like. And not DES... who knows how long ago that was
removed from the list.

This change in 3.4 removes 3DES from the /default/ permissible cipher
list, changing those entries to use "HIGH cipher suites" instead
(OpenSSL's term for "cipher suites with key sizes >= 128 bytes"). It
also adds ChaCha20 to the default cipher list.

> By the way, is Larry the only one to be able to merge changes in 3.4?
> Before GitHub, all core devs were technically allowed to push in
> security-only branches.

Oh? Am I? **insert evil laugh** Ladies and gentlemen, get out your
checkbooks! 3.4 is about to get... expensive.

Seriously, though, I was mostly hoping other people would handle the
security stuff and just keep me informed. If I'm the only one permitted
to accept PRs into 3.4 (and soon 3.5), okay, I can work with that. I'm
still probably gonna delegate the actual judgment of the validity of the
PRs. But obviously it'll mean I'll have to be more hands-on, where so
far I was assuming I could just let other people handle it.
//arry/
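
Added example (not part of the original message, and not CPython's own code): a check of the distinction drawn in the reply above, between the default cipher list and what a caller can still request by hand. The function names and the sample entries are constructed for illustration; only standard `ssl` module calls are used.

```python
import ssl

# Substrings that identify Triple-DES in OpenSSL cipher names/descriptions.
_3DES_MARKERS = ("DES-CBC3", "3DES")

def find_3des(ciphers):
    """Return names of suites in a get_ciphers()-style list that use 3DES."""
    hits = []
    for c in ciphers:
        name = c.get("name", "")
        text = name + " " + c.get("description", "")
        if any(m in text for m in _3DES_MARKERS):
            hits.append(name)
    return hits

def default_3des():
    """3DES suites enabled by this interpreter's default client context."""
    return find_3des(ssl.create_default_context().get_ciphers())

def explicit_3des(spec="DES-CBC3-SHA"):
    """Try to opt in to 3DES by hand, which a caller is still free to do.

    Returns the 3DES suites actually enabled. An empty list means the linked
    OpenSSL refused the request (built without weak ciphers, or blocked by
    its security level).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return find_3des(ctx.get_ciphers())

# Constructed sample entries in the shape get_ciphers() returns.
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "description": "Enc=AESGCM(128) Mac=AEAD"},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "description": "Enc=CHACHA20/POLY1305(256) Mac=AEAD"},
    {"name": "DES-CBC3-SHA", "description": "Enc=3DES(168) Mac=SHA1"},
]

if __name__ == "__main__":
    print("sample:", find_3des(SAMPLE))
    print("default context:", default_3des())
    print("after explicit opt-in:", explicit_3des())
```

A non-empty result from `default_3des()` means the interpreter or its OpenSSL configuration still offers 3DES by default; a non-empty result from `explicit_3des()` only shows that the local OpenSSL build still ships the suite for callers who ask for it.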