➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2021-08-02 12:25 by anis.gandoura, last changed 2022-04-11 14:59 by admin.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 27550 | open | python-dev, 2021-08-02 13:00 | |
| Messages (4) | |||
|---|---|---|---|
| msg398762 - (view) | Author: Anis Gandoura (anis.gandoura) * | Date: 2021-08-02 12:25 | |
Expose the OpenSSL function SSL_CTX_set1_sigalgs_list to allow the user to modify the supported signature algorithms for a given SSL Context. OpenSSL documentation: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html |
|||
| msg398769 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2021-08-02 13:53 | |
Thanks for your PR. Before we move forward, let's discuss reasoning and API design first. Why should a Python application be able to modify the signature algorithms? The default settings are safe and sane. Security properties should rather be set system-wide with a crypto policy in OpenSSL's global config file. Application specific settings can cause security or compatibility issues. **If** there is a solid reason to expose the feature, then - the API should be modeled after SSLContext.set_alpn_protocols() and accept a sequence of strings. - the API should also be able to return currently enabled and perhaps currently available algorithms. - the ssl module should get an enum of common algorithms with names based on IANA's TLS parameter list. - the PR needs tests and documentation |
|||
| msg398772 - (view) | Author: Anis Gandoura (anis.gandoura) * | Date: 2021-08-02 14:10 | |
Hello, thank you for your message. The default signatures list is very different from what a usual Internet Browser (like Chrome or Firefox) displays. Here is an example: With Chrome I have: SHA256/ECDSA, RSA_PSS_SHA256, SHA256/RSA, SHA384/ECDSA, RSA_PSS_SHA384, SHA384/RSA, RSA_PSS_SHA512, SHA512/RSA With default SSL settings: SHA256/ECDSA, SHA384/ECDSA, SHA512/ECDSA, Ed25519, Ed448, Unknown (0x8)/Unknown (0x9), Unknown (0x8)/Unknown (0xa), Unknown (0x8)/Unknown (0xb), RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512, SHA256/RSA, SHA384/RSA, SHA512/RSA, SHA224/ECDSA, SHA1/ECDSA, SHA224/RSA, SHA1/RSA, SHA224/DSA, SHA1/DSA, SHA256/DSA, SHA384/DSA, SHA512/DSA You can use this website for testing: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html We are building a security suite in Python to protect websites from DDOS attacks and we are not able to run "Chrome like" tests due to this limitation. |
|||
| msg403016 - (view) | Author: (ramikg) * | Date: 2021-10-01 14:03 | |
As a side note, while the ideal solution would be for Python to expose the appropriate API, there exists a hacky solution using ctypes: https://github.com/ramikg/ssl-context-configurator |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:48 | admin | set | github: 88974 |
| 2021-10-01 14:03:30 | ramikg | set | nosy:
+ ramikg messages: + msg403016 |
| 2021-08-02 14:10:30 | anis.gandoura | set | messages: + msg398772 |
| 2021-08-02 13:53:56 | christian.heimes | set | type: enhancement messages: + msg398769 |
| 2021-08-02 13:00:29 | python-dev | set | keywords:
+ patch nosy: + python-dev pull_requests: + pull_request26056 stage: patch review |
| 2021-08-02 12:28:48 | anis.gandoura | set | assignee: christian.heimes nosy: + christian.heimes components: + SSL versions: + Python 3.11 |
| 2021-08-02 12:25:20 | anis.gandoura | create | |