Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sane defaults for SSLContext options and ciphers #72230

Closed
tiran opened this issue Sep 9, 2016 · 6 comments
Closed

Sane defaults for SSLContext options and ciphers #72230

tiran opened this issue Sep 9, 2016 · 6 comments
Assignees
Labels
3.7 extension-modules C modules in the Modules dir stdlib Python modules in the Lib dir type-security A security issue

Comments

@tiran
Copy link
Member

tiran commented Sep 9, 2016

BPO 28043
Nosy @ncoghlan, @vstinner, @giampaolo, @tiran, @alex, @dstufft
PRs
  • [2.7] bpo-28043: improved default settings for SSLContext #10608
  • Files
  • Sane-defaults-for-SSLContext-options-and-ciphers.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2019-04-08.22:50:22.723>
    created_at = <Date 2016-09-09.11:18:41.770>
    labels = ['type-security', 'extension-modules', '3.7', 'library']
    title = 'Sane defaults for SSLContext options and ciphers'
    updated_at = <Date 2019-04-08.22:50:22.722>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2019-04-08.22:50:22.722>
    actor = 'cheryl.sabella'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2019-04-08.22:50:22.723>
    closer = 'cheryl.sabella'
    components = ['Extension Modules', 'Library (Lib)']
    creation = <Date 2016-09-09.11:18:41.770>
    creator = 'christian.heimes'
    dependencies = []
    files = ['44500']
    hgrepos = []
    issue_num = 28043
    keywords = ['patch']
    message_count = 6.0
    messages = ['275310', '275604', '275637', '275694', '301419', '335615']
    nosy_count = 8.0
    nosy_names = ['ncoghlan', 'janssen', 'vstinner', 'giampaolo.rodola', 'christian.heimes', 'alex', 'python-dev', 'dstufft']
    pr_nums = ['10608']
    priority = 'high'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue28043'
    versions = ['Python 3.6', 'Python 3.7']

    @tiran
    Copy link
    Member Author

    tiran commented Sep 9, 2016

    I like to introduce sane defaults for SSLContext options and ciphers:

    Changed in version 3.6: The context is created with more secure default values. PROTOCOL_TLS is the default protocol. The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).

    @tiran tiran added 3.7 extension-modules C modules in the Modules dir stdlib Python modules in the Lib dir type-security A security issue labels Sep 9, 2016
    @ncoghlan
    Copy link
    Contributor

    ncoghlan commented Sep 10, 2016

    +1 from me for a model where ssl.get_default_context() can change in maintenance releases, while the ssl.SSLContext defaults get updated for feature releases.

    @tiran
    Copy link
    Member Author

    tiran commented Sep 10, 2016

    I'm planning to remove PROTOCOL_TLS again and replace it with something more sensible.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Sep 10, 2016

    New changeset 1b4c5d06c028 by Christian Heimes in branch 'default':
    bpo-28043: SSLContext has improved default settings
    https://hg.python.org/cpython/rev/1b4c5d06c028

    @tiran tiran self-assigned this Sep 10, 2016
    @tiran
    Copy link
    Member Author

    tiran commented Sep 6, 2017

    3.6 and master are looking good. Should I backport the fix to 2.7, too?

    @vstinner
    Copy link
    Member

    vstinner commented Feb 15, 2019

    New changeset b8eaec6 by Victor Stinner (stratakis) in branch '2.7':
    [2.7] bpo-28043: improved default settings for SSLContext (GH-10608)
    b8eaec6

    @csabella csabella closed this as completed Apr 8, 2019
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.7 extension-modules C modules in the Modules dir stdlib Python modules in the Lib dir type-security A security issue
    Projects
    None yet
    Development

    No branches or pull requests

    4 participants