➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2020-07-02 10:28 by mhughes, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| add_ssl_context_security_level.patch | mhughes, 2020-07-02 10:28 | |||
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 21282 | merged | mhughes, 2020-07-02 13:10 | |
| Messages (7) | |||
|---|---|---|---|
| msg372839 - (view) | Author: Matthew Hughes (mhughes) * | Date: 2020-07-02 10:28 | |
While investigating Python's SSL I noticed there was no interface for interacting with OpenSSL's SSL_CTX_{get,set}_security_level (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html) so I thought I'd look into adding one (see attached patch). I'd be happy to put up a PR, but I have node idea if this feature would actually be desired.
|
|||
| msg372841 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2020-07-02 10:45 | |
I'm not sure it's a good idea to expose a setter for security level. In general the security level is a system-wide policy decision that should be controlled by administrators. Applications should not change this setting. Python libraries tend to follow bad practices and cargo cult when it comes to TLS settings. Many years ago OpenSSL and Linux distributions had bad default settings. Nowadays OpenSSL has good defaults and distributions often set even stricter defaults. A read-only getter for the policy sounds like a good idea, though. |
|||
| msg372844 - (view) | Author: Matthew Hughes (mhughes) * | Date: 2020-07-02 10:56 | |
> Applications should not change this setting > A read-only getter for the policy sounds like a good idea, though. Thanks for the feedback, sounds reasonable to me. I'll happily work on getting a PR up for the read-only setter. |
|||
| msg372992 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2020-07-04 13:47 | |
No strong feelings on this, but the OpenSSL runtime is not always packaged by a Linux distribution. (macOS, Windows and Anaconda come to mind) If one wants to retain the setter facility, one could raise a RuntimeWarning if the user *lowers* the actual security level. |
|||
| msg373037 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2020-07-05 16:58 | |
Users can set the current security level in either an OpenSSL config file or with ctx.set_cipher("@SECLEVEL=i:...").
|
|||
| msg373804 - (view) | Author: miss-islington (miss-islington) | Date: 2020-07-17 08:59 | |
New changeset 8e836bb21ce73f0794fd769db5883c29680dfe47 by matthewhughes934 in branch 'master': bpo-41195: Add getter for Openssl security level (GH-21282) https://github.com/python/cpython/commit/8e836bb21ce73f0794fd769db5883c29680dfe47 |
|||
| msg391299 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2021-04-17 18:20 | |
The getter is available in 3.10. Thanks for your contribution! |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:33 | admin | set | github: 85367 |
| 2021-04-17 18:20:31 | christian.heimes | set | status: open -> closed resolution: fixed messages: + msg391299 stage: patch review -> resolved |
| 2020-07-17 08:59:24 | miss-islington | set | nosy:
+ miss-islington messages: + msg373804 |
| 2020-07-05 16:58:56 | christian.heimes | set | messages:
+ msg373037 versions: + Python 3.10 |
| 2020-07-04 13:47:09 | pitrou | set | nosy:
+ pitrou messages: + msg372992 |
| 2020-07-02 13:10:33 | mhughes | set | stage: patch review pull_requests: + pull_request20431 |
| 2020-07-02 10:56:21 | mhughes | set | messages: + msg372844 |
| 2020-07-02 10:45:03 | christian.heimes | set | messages: + msg372841 |
| 2020-07-02 10:28:17 | mhughes | create | |