[issue36484] Can't reorder TLS 1.3 ciphersuites

2022-02-28 Thread Sanchayan Ghosh


Change by Sanchayan Ghosh :


Added file: 
https://bugs.python.org/file50652/0001-Add-TLS-v1.3-cipher-suite-set-function.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36484] Can't reorder TLS 1.3 ciphersuites

2022-02-28 Thread Sanchayan Ghosh


Change by Sanchayan Ghosh :


Removed file: 
https://bugs.python.org/file50650/0001-Add-TLS-v1.3-cipher-suite-set-function.patch




[issue36484] Can't reorder TLS 1.3 ciphersuites

2022-02-27 Thread Sanchayan Ghosh


Sanchayan Ghosh  added the comment:

Here is the PR as well. While I agree that there is no longer a reason to reorder 
cipher suites and that we should use our certificates to basically ensure a 
secure connection, the advantage of the OpenSSL API is that it provides us the 
function to influence the selection of cipher suites.

So, as a first step, I have added the binding for selecting TLS v1.3 cipher 
suites. And in 2 other pull requests, I will provide the API implementation for 
the other, for users who may just want a way to access OpenSSL through Python.

--
message_count: 4.0 -> 5.0
pull_requests: +29730
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/31607




[issue36484] Can't reorder TLS 1.3 ciphersuites

2022-02-27 Thread Sanchayan Ghosh


Sanchayan Ghosh  added the comment:

I have written a function that will allow us to reorder TLS v1.3. Since I have 
tried to keep a 1-1 binding, you will have to first remove the cipher suites 
entirely by giving a blank string, and then add TLS v1.2 and v1.3 cipher suites.

--
keywords: +patch
nosy: +sanchayanghosh
Added file: 
https://bugs.python.org/file50650/0001-Add-TLS-v1.3-cipher-suite-set-function.patch




[issue36484] Can't reorder TLS 1.3 ciphersuites

2020-05-31 Thread Sam Bull


Change by Sam Bull :


--
nosy: +dreamsorcerer




[issue36484] Can't reorder TLS 1.3 ciphersuites

2019-04-05 Thread Terry J. Reedy


Change by Terry J. Reedy :


--
type:  -> enhancement
versions: +Python 3.8 -Python 3.6




[issue36484] Can't reorder TLS 1.3 ciphersuites

2019-03-31 Thread Eman Alashwali


Eman Alashwali  added the comment:

Thanks. Just to clarify regarding your comment: "Applications shouldn't
modify the cipher suites any more.":
I use Python to develop scripts for running experiments, which requires me
to simulate specific clients precisely including their TLS 1.3 ciphers
order.
As you know, TLS 1.3 can not have weak ciphers and only 3 or 4 secure ones
are permitted by design. But still the order should be accurate in
simulation experiment settings. This is different from ordinary
development. It is a bit disappointing that the developer can re-order the
weaker ones (in TLS 1.2) but not TLS 1.3.
However, thanks again for your reply.

On Sun, Mar 31, 2019 at 8:46 PM Christian Heimes 
wrote:

>
> Christian Heimes  added the comment:
>
> I don't have plans to implement cipher suite selection for TLS 1.3 any
> time soon, maybe not at all. TLS 1.3 changed cipher selection a lot, making
> the API more complicated. The signature algorithm and key agreement groups
> are handled as separate extensions, resulting in three additional APIs.
>
> Applications shouldn't modify the cipher suites any more. These days TLS
> libraries provide a good and safe selection of suites. Weak ciphers should
> be disabled by either a security update of the TLS library or system-wide
> settings.
>
> There is one workaround: You can influence connection parameters with an
> OpenSSL config file [1][2] by setting OPENSSL_CONF env var. OpenSSL parses
> the file only once, so you have to set it before you start Python.
>
> [1] https://www.openssl.org/docs/manmaster/man5/config.html
> [2] https://fedoraproject.org/wiki/Changes/CryptoPolicy
>

--




[issue36484] Can't reorder TLS 1.3 ciphersuites

2019-03-31 Thread Christian Heimes


Christian Heimes  added the comment:

I don't have plans to implement cipher suite selection for TLS 1.3 any time 
soon, maybe not at all. TLS 1.3 changed cipher selection a lot, making the API 
more complicated. The signature algorithm and key agreement groups are handled 
as separate extensions, resulting in three additional APIs.

Applications shouldn't modify the cipher suites any more. These days TLS 
libraries provide a good and safe selection of suites. Weak ciphers should be 
disabled by either a security update of the TLS library or system-wide 
settings. 

There is one workaround: You can influence connection parameters with an 
OpenSSL config file [1][2] by setting OPENSSL_CONF env var. OpenSSL parses the 
file only once, so you have to set it before you start Python.

[1] https://www.openssl.org/docs/manmaster/man5/config.html
[2] https://fedoraproject.org/wiki/Changes/CryptoPolicy

--
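
The config-file workaround described in the message above, as an added example that is not part of the original thread or of CPython: it writes an OpenSSL config with a `Ciphersuites` system default, then starts a fresh interpreter with OPENSSL_CONF set and lists the TLS 1.3 suites that interpreter reports. The suite order, section names and helper names are constructed for illustration, and whether the order is honoured is assumed to depend on the OpenSSL build Python is linked against.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample order; the three names are standard TLS 1.3 suites.
ORDER = [
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

def build_openssl_conf(suites):
    """Return an OpenSSL config whose system default sets the TLS 1.3 order."""
    return "\n".join([
        "openssl_conf = openssl_init",
        "[openssl_init]",
        "ssl_conf = ssl_sect",
        "[ssl_sect]",
        "system_default = system_default_sect",
        "[system_default_sect]",
        "Ciphersuites = " + ":".join(suites),
        "",
    ])

# Runs in a fresh interpreter, because OpenSSL parses the file only once.
CHILD = (
    "import ssl\n"
    "ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
    "for c in ctx.get_ciphers():\n"
    "    if c['protocol'] == 'TLSv1.3':\n"
    "        print(c['name'])\n"
)

def tls13_order_in_child(suites):
    """Start Python with OPENSSL_CONF set; return the TLS 1.3 suites it reports."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "openssl.cnf")
        with open(path, "w") as fh:
            fh.write(build_openssl_conf(suites))
        env = dict(os.environ, OPENSSL_CONF=path)
        out = subprocess.run([sys.executable, "-c", CHILD], env=env,
                             capture_output=True, text=True, check=True)
    return out.stdout.split()

if __name__ == "__main__":
    print("requested:", ORDER)
    print("observed: ", tls13_order_in_child(ORDER))
```

Comparing the two printed lists shows whether the linked OpenSSL applied the file; setting `os.environ["OPENSSL_CONF"]` inside an already running interpreter is too late once `ssl` has been imported.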




[issue36484] Can't reorder TLS 1.3 ciphersuites

2019-03-30 Thread Eman Alashwali


New submission from Eman Alashwali :

When using the SSL module, I need to be able to reorder the ciphersuites list in 
TLS 1.3. I was able to do this with Python using 
SSLContext.set_ciphers(ciphers) when working with TLS 1.2. But this is not 
possible with TLS 1.3 ciphersuites. Reordering the ciphersuites is 
needed because one might need a specific order to simulate a specific TLS client 
that sends the ciphersuites in a specific order. Unfortunately this seems not to be 
possible now in Python with TLS 1.3, as the comment in the documentation says: 
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers

Can you please consider this post as a feature request? Or clarify to me how to 
reorder the ciphersuites list when working with TLS 1.3?

--
assignee: christian.heimes
components: SSL
messages: 339188
nosy: Eman Alashwali, christian.heimes
priority: normal
severity: normal
status: open
title: Can't reorder TLS 1.3 ciphersuites
versions: Python 3.6
