Investigate default TLS ciphers for SecureTransport #2091
Can you please clarify what you would like me to test?
@pquentin Seeing if we can remove the section where we explicitly configure ciphers and SecureTransport chooses mostly secure ciphers by default. If that's the case, then we can rely on Apple/system defaults; otherwise we'll continue configuring our own.
SecureTransport in macOS 10.15 and 11.0 enables the following list by default:
Travis supports many older macOS versions, I can run my script there if there's interest.
Since Travis supports macOS 10.11+, I asked it to print ciphers for macOS 10.11 to 10.15. The result: all versions from macOS 10.12 to 10.15 support precisely the ciphers mentioned above. macOS 10.11 supports those too:
But macOS 10.11 was EOL'd in September 2018, so we can probably ignore those extra ciphers.
As discussed on Discord today, this investigation is over: SecureTransport uses sensible ciphers and can remove one if it's broken. There's no need to set our own cipher list here.
#2082 makes system ciphers the default with stdlib SSLContext implementation. Can we take a similar approach with SecureTransport or should we still rely on urllib3's default list?
If we're relying on urllib3's default list we only need to make securetransport.inject_into_urllib3() set USE_SYSTEM_SSL_CIPHERS to False unconditionally.
We should remove all the RSA ciphers from the list if we end up not using system ciphers.
cc @pquentin would be great if you could test this out as our resident macOS owner :)
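The trimming proposed above (drop the plain-RSA key-exchange entries from an OpenSSL-style cipher list while keeping the forward-secret ones) as an added example. This is not urllib3's code, and `SAMPLE_CIPHERS` is a string constructed here in the same alias format urllib3 uses, not the project's actual default list. `strip_rsa_kex_entries` works on the alias string; `rsa_kex_suites` asks the local OpenSSL through `ssl.SSLContext.get_ciphers()` which concrete suites a string really selects, which is the check worth running because alias-level filtering is only a heuristic.

```python
"""Find and remove plain-RSA key-exchange suites in an OpenSSL cipher string.

Added example, not urllib3 code.  SAMPLE_CIPHERS is constructed for this
example in the ':'-separated alias format urllib3's cipher string uses.
"""
from __future__ import annotations

import ssl

# Constructed sample: forward-secret suites first, plain-RSA key exchange as
# a fallback, then exclusions.  Not copied from urllib3.
SAMPLE_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:"
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:"
    "RSA+AESGCM:RSA+AES:"
    "!aNULL:!eNULL:!MD5:!DSS"
)

# OpenSSL aliases selecting plain RSA key exchange (no forward secrecy).
# "RSA" requires RSA key exchange *and* RSA auth, so it behaves like kRSA.
RSA_KEX_ALIASES = {"RSA", "kRSA"}


def strip_rsa_kex_entries(cipher_string: str) -> str:
    """Drop entries whose key-exchange alias is plain RSA.

    Entries are ':'-separated; '+' joins aliases that must all match.
    Exclusions ('!x', '-x') are kept, and so is anything that does not name
    RSA key exchange, e.g. "ECDHE-RSA-AES128-GCM-SHA256" (RSA is only the
    authentication there).
    """
    kept = []
    for entry in cipher_string.split(":"):
        if not entry:
            continue
        is_exclusion = entry[0] in "!-"
        aliases = set(entry.split("+"))
        if not is_exclusion and aliases & RSA_KEX_ALIASES:
            continue
        kept.append(entry)
    return ":".join(kept)


def expand(cipher_string: str) -> list[tuple[str, str]]:
    """Return (suite name, key exchange) for every suite OpenSSL selects.

    Key exchange is reported as e.g. 'kx-ecdhe', 'kx-dhe' or 'kx-rsa'; the
    TLS 1.3 suites are always present and report 'kx-any'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()]


def rsa_kex_suites(cipher_string: str) -> list[str]:
    """Names of the selected TLS 1.2 suites that use plain RSA key exchange."""
    return [name for name, kea in expand(cipher_string) if kea == "kx-rsa"]


if __name__ == "__main__":
    print("plain-RSA key exchange in sample:", rsa_kex_suites(SAMPLE_CIPHERS))
    hardened = strip_rsa_kex_entries(SAMPLE_CIPHERS)
    print("hardened string:", hardened)
    print("plain-RSA key exchange after strip:", rsa_kex_suites(hardened))
```

The output of `rsa_kex_suites` depends on the OpenSSL the interpreter is linked against; on a stock build the sample yields `AES128-GCM-SHA256`-style suites before stripping and none after.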