Python SSL stack doesn't support ordering of Ciphers #57844

Closed
naif mannequin opened this issue Dec 19, 2011 · 5 comments
Labels
stdlib Python modules in the Lib dir type-feature A feature request or enhancement


naif mannequin commented Dec 19, 2011

BPO 13635
Nosy @jcea, @pitrou

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2011-12-19.12:34:22.126>
created_at = <Date 2011-12-19.10:44:02.596>
labels = ['type-feature', 'library']
title = "Python SSL stack doesn't support ordering of Ciphers"
updated_at = <Date 2011-12-20.01:32:13.507>
user = 'https://bugs.python.org/naif'

bugs.python.org fields:

activity = <Date 2011-12-20.01:32:13.507>
actor = 'jcea'
assignee = 'none'
closed = True
closed_date = <Date 2011-12-19.12:34:22.126>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2011-12-19.10:44:02.596>
creator = 'naif'
dependencies = []
files = []
hgrepos = []
issue_num = 13635
keywords = []
message_count = 5.0
messages = ['149831', '149835', '149837', '149848', '149850']
nosy_count = 4.0
nosy_names = ['jcea', 'pitrou', 'python-dev', 'naif']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue13635'
versions = ['Python 3.3']


naif mannequin commented Dec 19, 2011

The list of ciphers for the Python SSL binding for OpenSSL cannot be ordered in a specific list of preference.

This is a requirement for strict security environments, where the ordered cipher list is very important.

Apache supports the ordering of ciphers through the configuration of SSLHonorCipherOrder:
http://www.carbonwind.net/blog/post/Setting-the-preferred-cipher-suite-on-Apache-22x.aspx

Also, Internet Explorer 7 supports cipher order configuration:
https://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx?Redirected=true

Not having the ordered cipher list doesn't allow the Python SSL stack configuration to be compliant with high-security environments, de facto representing a security vulnerability.

We suggest fixing the lack of this feature.

@naif naif mannequin added type-security A security issue stdlib Python modules in the Lib dir labels Dec 19, 2011

pitrou commented Dec 19, 2011

Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?

@pitrou pitrou added type-feature A feature request or enhancement and removed type-security A security issue labels Dec 19, 2011

naif mannequin commented Dec 19, 2011

Looking at the code from mod_ssl, I would say that this is the preference required: https://issues.apache.org/bugzilla/show_bug.cgi?id=28665


python-dev mannequin commented Dec 19, 2011

New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default':
Issue bpo-13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
http://hg.python.org/cpython/rev/c706f76c9ea8


pitrou commented Dec 19, 2011

The new option is now committed in 3.3. Thanks for the report!

@pitrou pitrou closed this as completed Dec 19, 2011
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
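
Added example, not code from this issue or from the CPython changeset: how the `ssl.OP_CIPHER_SERVER_PREFERENCE` option discussed above is combined with `SSLContext.set_ciphers()` on a server context, plus a small audit helper. The cipher string and the helper names `make_server_context` and `audit_context` are assumptions chosen for illustration; `get_ciphers()` needs Python 3.6 or later.

```python
import ssl

# Assumed preference order for illustration (OpenSSL cipher-string syntax,
# most preferred first); not a list taken from the issue.
PREFERRED = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def make_server_context(cipher_string=PREFERRED):
    """Server-side context that enforces its own cipher preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The order of the string is the order of preference; set_ciphers()
    # raises ssl.SSLError if no suite in the string is available.
    ctx.set_ciphers(cipher_string)
    # Without this flag the server follows the *client's* preference order,
    # so the order configured above would be advisory only.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit_context(ctx):
    """Report whether ctx honors server order, and what that order is."""
    ciphers = ctx.get_ciphers()
    return {
        "server_order_enforced": bool(
            ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE
        ),
        # TLS 1.3 suites are configured separately from set_ciphers(), so
        # they are listed apart from the suites the cipher string controls.
        "order": [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"],
        "tls13": [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"],
    }


if __name__ == "__main__":
    report = audit_context(make_server_context())
    print("server order enforced:", report["server_order_enforced"])
    for rank, name in enumerate(report["order"], 1):
        print(rank, name)
```

Since Python 3.6 a new `SSLContext` already has this option set by default, so the audit helper is mainly useful for catching code that clears it or for contexts built on older versions.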