Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS cipher suite compile time option for downstream #75610

tiran opened this issue Sep 12, 2017 · 3 comments

TLS cipher suite compile time option for downstream #75610

tiran opened this issue Sep 12, 2017 · 3 comments


Copy link

@tiran tiran commented Sep 12, 2017

BPO 31429
Nosy @tiran, @alex, @dstufft, @stratakis
  • #3532
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = ''
    closed_at = <Date 2018-01-29.13:10:35.723>
    created_at = <Date 2017-09-12.13:22:45.087>
    labels = ['type-security', 'expert-SSL', '3.7']
    title = 'TLS cipher suite compile time option for downstream'
    updated_at = <Date 2018-01-29.13:10:35.722>
    user = '' fields:

    activity = <Date 2018-01-29.13:10:35.722>
    actor = 'christian.heimes'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2018-01-29.13:10:35.723>
    closer = 'christian.heimes'
    components = ['SSL']
    creation = <Date 2017-09-12.13:22:45.087>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 31429
    keywords = ['patch']
    message_count = 3.0
    messages = ['301957', '310351', '311126']
    nosy_count = 5.0
    nosy_names = ['janssen', 'christian.heimes', 'alex', 'dstufft', 'cstratak']
    pr_nums = ['3532']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = ''
    versions = ['Python 3.7']

    Copy link
    Member Author

    @tiran tiran commented Sep 12, 2017

    Python overrides OpenSSL's default cipher suites because the default selection used to be pretty bad and insecure. Python disables cipher suites with insecure algorithm such as RC4, MD5, DES, and 3DES. The SSL module has hard-coded cipher strings for SSLContext and ssl.create_default_context() in multiple places:

    However the cipher suite overrides makes it harder for vendors and downstream to enforce consistent policies. For example the hard-coded strings disable Fedora's crypto policy, . Fedora has patched OpenSSL to support a "PROFILE=SYSTEM" cipher suite string. The string causes OpenSSL to read crypto settings from a system wide configuration file.

    In order to make it easier to override the default string, Python should have a configure option --with-ssl-default-suite that defines a PY_SSL_DEFAULT_SUITE macro. In the absence of the option / macro, Python shall set a sensible default suite. Application are encouraged to use this default suite list. They are still free to override the default by calling SSLContext's set_ciphers() method.

    Fedora's OpenSSL patch:

    @tiran tiran added the 3.7 label Sep 12, 2017
    @tiran tiran self-assigned this Sep 12, 2017
    @tiran tiran added expert-SSL type-security labels Sep 12, 2017
    Copy link
    Member Author

    @tiran tiran commented Jan 20, 2018

    My PR is ready for review.

    Copy link
    Member Author

    @tiran tiran commented Jan 29, 2018

    New changeset 892d66e by Christian Heimes in branch 'master':
    bpo-31429: Define TLS cipher suite on build time (bpo-3532)

    @tiran tiran closed this as completed Jan 29, 2018
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    None yet

    No branches or pull requests

    1 participant