Message149844
From Antoine Pitrou (pitrou):
> Why don't you simple define your own default ciphers and call the
> set_ciphers() method?
> That said, we could perhaps call set_ciphers("HIGH") by default. This
> excludes legacy ciphers (such as RC4, DES) without having us maintain an
> explicit list.
I would suggest to follow a future proof approach that would consider:
* Disable SSLv2 (no one support it anymore)
* Enable Elliptic Curve Crypto and provide it as a priority (maximum security with strong performance gain)
* Enable Perfect Forward Secrecy ciphers first (DH ephemeral DHE)
* Provide an ordered cipher list for TLSv1
- First ECC/DHE ciphers (Future Proof, PFS, with maximum performance)
- Second DHE ciphers (Non-future proof, PFS, less performance)
- Third TLSv1 AES ciphers (AES-128/AES-256, max compatibility, max performance)
* Then provide an ordered cipher list for SSLv3 (No AES support)
- First 3DES DHE ciphers (PFS security)
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
- Second 3DES non-DHE cipher
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
- Third RC4 based encryption
SSL_RSA_WITH_RC4_128_SHA
That way (but this is an approach to be discussed) we will pick-up a set of widely secure ciphers, high performance ciphers, highly compatible ciphers, but with a selection logic that's optimized for existing set of application and servers.
Or eventually hide that complexity for the Python developers by providing a set of "pre-configured" profiles to be used?
I always find ppl having difficulties in dealing with SSL/TLS, as a result SSL/TLS configuration it's often "by default" . |
|
Date |
User |
Action |
Args |
2011-12-19 11:32:59 | naif | set | recipients:
+ naif, gregory.p.smith, pitrou |
2011-12-19 11:32:59 | naif | set | messageid: <1324294379.35.0.440410647503.issue13636@psf.upfronthosting.co.za> |
2011-12-19 11:32:58 | naif | link | issue13636 messages |
2011-12-19 11:32:58 | naif | create | |
|