Package: python3.10
Version: 3.10.9-1
Severity: wishlist
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: de...@kali.org

Hello Mathias (and other Python maintainers),

it would be nice if python3.10 (and future versions) could be built with
--with-ssl-default-suites=openssl.

Starting with Python 3.10, with the default configuration
("--with-ssl-default-suites=python"), Python not only enforces its own
cipher list but also requires TLS1.2 as a minimal protocol version.

This is certainly a sensible thing to do in the context of Python upstream
where you don't know much about the rest of the environment but in the
context of Debian, it makes sense to not duplicate such restrictions at
all levels and leave that to the sane defaults that are regularly reviewed
in the openssl source package itself (which currently sets
OPENSSL_TLS_SECURITY_LEVEL=2).

This also means that it's possible for users to actually override the
system wide defaults through changes to /etc/ssl/openssl.cnf and we are
actually making this possible in Kali to reduce the security level and
make it possible to access old insecure servers. However, despite our
changes, the Python applications are not able to use old TLS versions,
due to the restrictions imposed by Python itself.

Credit goes to Adrian Vollmer who reported this to Kali here:
https://bugs.kali.org/view.php?id=8097

Let me know if you are open to this idea, and if you want a merge request.

Cheers,

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3.10 depends on:
ii  libpython3.10-stdlib  3.10.9-1
ii  media-types           8.0.0
ii  mime-support          3.66
ii  python3.10-minimal    3.10.9-1

python3.10 recommends no packages.

Versions of packages python3.10 suggests:
ii  binutils         2.39.50.20221208-5
ii  python3.10-doc   3.10.9-1
pn  python3.10-venv  <none>

-- no debconf information

-- 
Raphaël Hertzog
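Added example (not part of the bug report, and not Debian's or CPython's own code) illustrating the point above from the application side: on an interpreter built with the default `--with-ssl-default-suites=python`, a fresh context carries Python's own cipher string and a TLS 1.2 floor regardless of /etc/ssl/openssl.cnf, whereas with `--with-ssl-default-suites=openssl` the OpenSSL defaults and the configured security level govern. The helpers below report what the running interpreter actually does, approximate the "defer to OpenSSL" behaviour at runtime (an assumption, labelled as such, based on the report's description of the build option), and let an application pin its own floor so it does not depend on how the interpreter was built. All function names are mine.

```python
"""Audit the effective TLS policy of a Python SSLContext and pin a floor.

Added example; the helper names are not from Debian, Kali or CPython.
"""
import ssl
from ssl import TLSVersion

# Explicit ordering of the TLSVersion members. Their integer values cannot
# be compared directly: MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED are negative
# magic constants, not real protocol numbers.
_RANK = {
    TLSVersion.MINIMUM_SUPPORTED: 0,
    TLSVersion.SSLv3: 1,
    TLSVersion.TLSv1: 2,
    TLSVersion.TLSv1_1: 3,
    TLSVersion.TLSv1_2: 4,
    TLSVersion.TLSv1_3: 5,
    TLSVersion.MAXIMUM_SUPPORTED: 6,
}

# Legacy option bits that can disable a protocol version independently of
# minimum_version (OP_NO_SSLv3 is set on every new context by default).
_OPT_NO = {
    TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
}


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Return the effective policy of *ctx* as a plain dict (for logging/audit)."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        # SSLContext.security_level was added in Python 3.10; None on older builds.
        "security_level": getattr(ctx, "security_level", None),
        "cipher_count": len(ctx.get_ciphers()),
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


def below_floor(ctx: ssl.SSLContext, floor=TLSVersion.TLSv1_2) -> bool:
    """True if the context would negotiate a protocol older than *floor*."""
    return _RANK[ctx.minimum_version] < _RANK[floor]


def legacy_protocols_enabled(ctx: ssl.SSLContext) -> list:
    """Names of pre-TLS 1.2 versions the context still allows.

    Takes both minimum_version and the OP_NO_* option bits into account;
    versions removed at OpenSSL build time cannot be detected here.
    """
    return [
        v.name
        for v, opt in _OPT_NO.items()
        if _RANK[ctx.minimum_version] <= _RANK[v] and not (ctx.options & opt)
    ]


def enforce_floor(ctx: ssl.SSLContext, floor=TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Raise minimum_version to *floor* if it is lower; never lower it.

    On a --with-ssl-default-suites=python build this is a no-op for a fresh
    context; on an openssl-suites build it gives the application the same
    floor explicitly instead of relying on the build-time choice.
    """
    if below_floor(ctx, floor):
        ctx.minimum_version = floor
    return ctx


def defer_to_openssl_defaults(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Runtime approximation (assumption) of --with-ssl-default-suites=openssl.

    Drops Python's own floor and cipher string so that OpenSSL's defaults,
    and therefore the security level configured in openssl.cnf, govern
    this context, which is the behaviour the report asks the package to
    adopt at build time.
    """
    ctx.minimum_version = TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def fresh_context() -> ssl.SSLContext:
    """A default client context, as applications normally create it."""
    return ssl.create_default_context()


if __name__ == "__main__":
    ctx = fresh_context()
    print("as built:", describe_context(ctx)["minimum_version"],
          "legacy:", legacy_protocols_enabled(ctx))
    defer_to_openssl_defaults(ctx)
    print("deferring to OpenSSL:", describe_context(ctx)["minimum_version"],
          "legacy:", legacy_protocols_enabled(ctx))
    enforce_floor(ctx)
    print("with explicit floor:", describe_context(ctx)["minimum_version"],
          "legacy:", legacy_protocols_enabled(ctx))
```

Running the script on a Debian interpreter shows which of the two behaviours the build provides; `enforce_floor` is the piece an application should keep if the package does switch to OpenSSL's defaults and the application still wants a TLS 1.2 floor of its own, while leaving the system policy in charge for everything else.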
