Message 149844 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	naif
Recipients	gregory.p.smith, naif, pitrou
Date	2011-12-19.11:32:58
SpamBayes Score	2.0711332e-06
Marked as misclassified	No
Message-id	<1324294379.35.0.440410647503.issue13636@psf.upfronthosting.co.za>
In-reply-to

Content
From Antoine Pitrou (pitrou): > Why don't you simple define your own default ciphers and call the > set_ciphers() method? > That said, we could perhaps call set_ciphers("HIGH") by default. This > excludes legacy ciphers (such as RC4, DES) without having us maintain an > explicit list. I would suggest to follow a future proof approach that would consider: * Disable SSLv2 (no one support it anymore) * Enable Elliptic Curve Crypto and provide it as a priority (maximum security with strong performance gain) * Enable Perfect Forward Secrecy ciphers first (DH ephemeral DHE) * Provide an ordered cipher list for TLSv1 - First ECC/DHE ciphers (Future Proof, PFS, with maximum performance) - Second DHE ciphers (Non-future proof, PFS, less performance) - Third TLSv1 AES ciphers (AES-128/AES-256, max compatibility, max performance) * Then provide an ordered cipher list for SSLv3 (No AES support) - First 3DES DHE ciphers (PFS security) SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA - Second 3DES non-DHE cipher SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA - Third RC4 based encryption SSL_RSA_WITH_RC4_128_SHA That way (but this is an approach to be discussed) we will pick-up a set of widely secure ciphers, high performance ciphers, highly compatible ciphers, but with a selection logic that's optimized for existing set of application and servers. Or eventually hide that complexity for the Python developers by providing a set of "pre-configured" profiles to be used? I always find ppl having difficulties in dealing with SSL/TLS, as a result SSL/TLS configuration it's often "by default" .

From Antoine Pitrou (pitrou):
> Why don't you simple define your own default ciphers and call the
> set_ciphers() method?
> That said, we could perhaps call set_ciphers("HIGH") by default. This
> excludes legacy ciphers (such as RC4, DES) without having us maintain an
> explicit list.

I would suggest to follow a future proof approach that would consider:
* Disable SSLv2 (no one support it anymore)
* Enable Elliptic Curve Crypto and provide it as a priority (maximum security with strong performance gain)
* Enable Perfect Forward Secrecy ciphers first (DH ephemeral DHE)

* Provide an ordered cipher list for TLSv1
 - First ECC/DHE ciphers (Future Proof, PFS, with maximum performance)
 - Second DHE ciphers (Non-future proof, PFS, less performance)
 - Third TLSv1 AES ciphers (AES-128/AES-256, max compatibility, max performance)

* Then provide an ordered cipher list for SSLv3 (No AES support)
 - First 3DES DHE ciphers (PFS security)
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA

 - Second 3DES non-DHE cipher 
 SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA

 - Third RC4 based encryption
 SSL_RSA_WITH_RC4_128_SHA


That way (but this is an approach to be discussed) we will pick-up a set of widely secure ciphers, high performance ciphers, highly compatible ciphers, but with a selection logic that's optimized for existing set of application and servers.

Or eventually hide that complexity for the Python developers by providing a set of "pre-configured" profiles to be used?

I always find ppl having difficulties in dealing with SSL/TLS, as a result SSL/TLS configuration it's often "by default" .

History
Date	User	Action	Args
2011-12-19 11:32:59	naif	set	recipients: + naif, gregory.p.smith, pitrou
2011-12-19 11:32:59	naif	set	messageid: <1324294379.35.0.440410647503.issue13636@psf.upfronthosting.co.za>
2011-12-19 11:32:58	naif	link	issue13636 messages
2011-12-19 11:32:58	naif	create