Interface to OpenSSL's security level #85367
While investigating Python's SSL I noticed there was no interface for interacting with OpenSSL's SSL_CTX_{get,set}_security_level (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html), so I thought I'd look into adding one (see attached patch). I'd be happy to put up a PR, but I have no idea if this feature would actually be desired.
I'm not sure it's a good idea to expose a setter for security level. In general the security level is a system-wide policy decision that should be controlled by administrators. Applications should not change this setting. Python libraries tend to follow bad practices and cargo cult when it comes to TLS settings. Many years ago OpenSSL and Linux distributions had bad default settings. Nowadays OpenSSL has good defaults and distributions often set even stricter defaults. A read-only getter for the policy sounds like a good idea, though.
Thanks for the feedback, sounds reasonable to me. I'll happily work on getting a PR up for the read-only setter.
No strong feelings on this, but the OpenSSL runtime is not always packaged by a Linux distribution (macOS, Windows and Anaconda come to mind). If one wants to retain the setter facility, one could raise a RuntimeWarning if the user *lowers* the actual security level.
Users can set the current security level in either an OpenSSL config file or with ctx.set_ciphers("@SECLEVEL=i:...").
The getter is available in 3.10. Thanks for your contribution!