On Thursday, January 12, 2017, Christian Heimes <christ...@cheimes.de> wrote:
> On 2017-01-12 15:09, Nick Coghlan wrote: > > On 12 January 2017 at 22:44, Cory Benfield <c...@lukasa.co.uk > <javascript:;>> wrote: > >> We can do that. > >> > >> I should note that MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED are not > intended > >> to be equal to SSLv2 and TLSv1_3, or indeed to any other value in this > enum. > >> They are future-proofing tools that allow users to say “I want TLSv1 *or > >> higher*” without setting an upper bound on what “higher” means. > > > > Cool, I wasn't sure how you intended to handle that, and supplying the > > values will make it explicit that those are really only useful in > > "version_range" and not anywhere else. Although at that point the > > question becomes whether or not they're offering any benefit beyond > > just using "None" in the appropriate location. > > > I have a working PoC patch for a TLS version enum and set version range > method on https://bugs.python.org/issue27876. ``` def __init__(self, prettyname, wireprotocol, offset): self.prettyname = prettyname self.wireprotocol = wireprotocol self.noflag = OP_NO_FLAGS[offset] self.minflag = sum(OP_NO_FLAGS[:offset]) self.maxflag = sum(OP_NO_FLAGS[offset+1:]) ``` - Do these need a __cmp__()? - Are there concrete-implementation-specific const constants for each library? > We have to consider different kinds of min and max version: > > 1) min and max offical SSL/TLS standards > 2) min and max supported standards for a TLS implementation > 3) min and max version we consider as secure enough The Apache HTTPD `SSLProtocol` and Nginx `ssl_protocols` options support different methods of whitelisting and blacklisting. https://mozilla.github.io/server-side-tls/ssl-config-generator/ modern (2017): - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - ssl_protocols TLSv1.2; > > As of now (1) is SSLv2 / TLSv1.2 because TLSv1.3 is still a draft. > (2) depends on the library, it is SSLv3 / TLSv1.2 for OpenSSL and SSLv3 > / TLSv1.3 for NSS on the client side and SSLv3 / TLSv1.2 for NSS on the > server side for default builds. > > (3) is TLSv1.0 and max of (2). > > Contrary to my PoC we should also differentiate between > MAXIMUM_SUPPORTED and whatever the maximum supported TLS version for a > TLS implementation is. For example > set_version_range(max=MAXIMUM_SUPPORTED) should never fail but > set_version_range(max=TLS_1_3) should fail for OpenSSL. > > Christian > _______________________________________________ > Security-SIG mailing list > Security-SIG@python.org <javascript:;> > https://mail.python.org/mailman/listinfo/security-sig >
_______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig