classification
Title: server-specific SSL context configuration
Type: enhancement Stage: resolved
Components: Library (Lib) Versions: Python 3.5, Python 3.4
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: alex, christian.heimes, dstufft, pitrou, python-dev
Priority: normal Keywords: patch

Created on 2014-03-21 19:07 by pitrou, last changed 2015-04-13 19:02 by pitrou. This issue is now closed.

Files
File name Uploaded Description Edit
ssl-server-defaults.diff dstufft, 2014-03-22 16:26 review
ssl-context-defaults-ssl3-diff dstufft, 2014-03-23 02:25 review
ssl-context-defaults-ssl3-guards.diff dstufft, 2014-03-23 17:32 review
Messages (17)
msg214405 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-21 19:07
Currently, create_default_context() doesn't do anything special for server use. It seems the configuration could be improved, though:

- PROTOCOL_TLSv1 is suboptimal for servers: a "TLSv1" server can't accept a TLSv1.2 client, but a "SSLv23" server will; so we should use PROTOCOL_SSLv23 (!)

- we could enable ECDH by calling SSLContext.set_ecdh_curve(<something>)
msg214407 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-21 19:19
(also perhaps enable OP_CIPHER_SERVER_PREFERENCE, although it seems it could cause interoperability problems with some clients)
msg214408 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-21 19:21
Nah it should be fine to enable that, and it's preferable to do so. The server selects the cipher anyways in the TLS handshake. That just tells the server to prefer it's list for precedence and not the client list.
msg214487 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-22 16:26
Attached is a patch that:

* Switches the protocol to SSLv23 so that we can negotiate a TLS1.1 or TLS1.2 connection.
* Sets OP_CIPHER_SERVER_PREFERENCE for Purpose.CLIENT_AUTH so that our carefully selected cipher priority gives us better encryption and PFS
* Sets OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE for Purpose.CLIENT_AUTH to prevent re-use of the DH and ECDH keys in distinct sessions.
msg214493 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-22 17:26
(as an aside, Donald, perhaps you want to consider adding yourself to relevant topics in http://docs.python.org/devguide/experts.html )
msg214498 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-22 18:10
I'll do that :)

To be clear about this patch, it raises the upper bounds of security by enabling TLS 1.1, and 1.2 as well as the single use for (EC)DH and preferring the server ciphers.

However it also lowers the lower bounds of security and includes SSLv3 which has some issues (see https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_3.0). However there exists clients who only support SSL3 (The primary one I'm aware of is IE6 on Windows XP).

We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's sort of a situational thing. If you're doing something where you need SSL3 clients you don't want OP_NO_SSLv3.

So I guess the question is, do we want to be more secure by default and *not* lower the lower bounds of security and require people to add context.options & ~ssl.OP_NO_SSLv3 if they want to support SSLv3 connections?
msg214499 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-22 18:13
> We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's
> sort of a situational thing. If you're doing something where you need
> SSL3 clients you don't want OP_NO_SSLv3.
> 
> So I guess the question is, do we want to be more secure by default
> and *not* lower the lower bounds of security and require people to add
> context.options & ~ssl.OP_NO_SSLv3 if they want to support SSLv3
> connections?

Most people won't understand the symptoms if some clients can't connect,
so I'd say no.
Also, clients should always use the higher possible protocol version, so
I don't think security is at stake here.
msg214500 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2014-03-22 18:19
Unfortunately most TLS implementations (particularly those in browser stacks) are vulnerable to downgrade attacks, whereby an attacker can send some malicious packets to simulate a connection failure and cause a lower version of the protocol to be negotiated, https://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks has some info on it. As a result, whenever possible it's really desirable to completely disallow as many poor choices as possible.
msg214501 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-22 18:21
That's not entirely true unfortunately :(

There are downgrade attacks that work all the way up through TLS 1.2. These are not strictly a problem of the protocol specs but instead of the implementations.

See: https://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks

The general gist of it is some servers/firewalls/etc have buggy implementations that cause a TLS1.0+ handshake to fail and some clients (browsers being a big one) decided to handle this by restarting the connection with SSL3.0 instead of TLS1.0+. So thus it is possible to effectively downgrade a client, even one that supports TLS1.2. It is not however possible to do it within a single connection.

The version selection process should not be considered a security feature but should instead be looked at as a way to opportunistically add newer features.
msg214502 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-22 18:25
To be clear though, a lot of TLS servers out there still have SSL3.0 enabled by default, primarily because of IE6 / XP. I'm on the fence about what the right answer is for create_default_context. From a strictly "best practices for security" sense of view you want to disable SSLv3 (and this matches what create_default_context did prior to my patch).

Can we perhaps split the difference and disable SSL3.0 and document what the error looks like when you try to connect with SSL3.0 and how to re-enable it?
msg214504 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-22 18:32
Well, I suppose IE6/XP is starting to look very old (though probably deployed quite widely), and TLS 1.0 was standardized in 1999.
msg214505 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-22 18:32
(by which I mean: ok, let's disable SSLv3)
msg214538 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-23 02:25
Attached is a new patch. It has:

* Switches the protocol to SSLv23 so that we can negotiate a TLS1.1 or TLS1.2 connection.
* Sets OP_CIPHER_SERVER_PREFERENCE for Purpose.CLIENT_AUTH so that our carefully selected cipher priority gives us better encryption and PFS
* Sets OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE for Purpose.CLIENT_AUTH to prevent re-use of the DH and ECDH keys in distinct sessions.
* Disables SSLv3 connections explicitly to match lower bounds of the original security of the created context
* Moves the "restricted" ciphers to only apply to servers. Servers can be much more picky about which ciphers they accept than clients can, and further more with how our ciphers are laid out now if RC4 is selected it is entirely the fault of the server we are connecting to.
* Document what the type of error message would be if a SSL 3.0 connection is required and how to re-enable it.
msg214614 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-23 17:12
I think I'm happy with this patch, if anyone has a chance to review it and see if it looks OK I'd love that and then I can commit it :)
msg214620 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-23 17:32
Added guards to protect against constants not existing.
msg214649 - (view) Author: Roundup Robot (python-dev) Date: 2014-03-23 23:05
New changeset 92efd86d1a38 by Donald Stufft in branch '3.4':
Issue #21013: Enhance ssl.create_default_context() for server side contexts
http://hg.python.org/cpython/rev/92efd86d1a38
msg214650 - (view) Author: Roundup Robot (python-dev) Date: 2014-03-23 23:12
New changeset aa2eb034c4f7 by Donald Stufft in branch 'default':
Merge the patch for issue #21013 into default
http://hg.python.org/cpython/rev/aa2eb034c4f7
History
Date User Action Args
2015-04-13 19:02:56pitrousetstatus: open -> closed
resolution: fixed
stage: resolved
2014-03-23 23:12:25python-devsetmessages: + msg214650
2014-03-23 23:05:41python-devsetnosy: + python-dev
messages: + msg214649
2014-03-23 17:32:30dstufftsetfiles: + ssl-context-defaults-ssl3-guards.diff

messages: + msg214620
2014-03-23 17:12:04dstufftsetmessages: + msg214614
2014-03-23 02:25:53dstufftsetfiles: + ssl-context-defaults-ssl3-diff

messages: + msg214538
2014-03-22 18:32:39pitrousetmessages: + msg214505
2014-03-22 18:32:14pitrousetmessages: + msg214504
2014-03-22 18:25:25dstufftsetmessages: + msg214502
2014-03-22 18:21:03dstufftsetmessages: + msg214501
2014-03-22 18:19:21alexsetmessages: + msg214500
2014-03-22 18:13:39pitrousetmessages: + msg214499
2014-03-22 18:10:47dstufftsetmessages: + msg214498
2014-03-22 17:26:31pitrousetmessages: + msg214493
2014-03-22 16:38:03alexsetnosy: + alex
2014-03-22 16:26:50dstufftsetfiles: + ssl-server-defaults.diff
keywords: + patch
messages: + msg214487
2014-03-21 19:21:52dstufftsetmessages: + msg214408
2014-03-21 19:19:06pitrousetmessages: + msg214407
2014-03-21 19:07:46pitroucreate