Message214297
On 20.03.2014 23:36, Donald Stufft wrote:
>
> Donald Stufft added the comment:
>
> I'm still looking into what "HIGH" entails across all the various OpenSSLs that are in production that I can access. That "FUD" was responding to the attitude that it's not Python's job to do this. Python is exposing a security sensitive API, it is it's job.
I disagree. Python only provides an interface to OpenSSL, so the OpenSSL
system defaults should be used.
Maintaining system security is an easier and more scalable approach than
trying to properly configure half a dozen sub-systems which happen to use
OpenSSL as basis for their SSL configuration. By forcing a specific
set of ciphers, we're breaking this approach.
By restricting the set of allowed ciphers you can also create the
situation that Python in its default configuration cannot talk to
certain web servers which use a different set of ciphers than the
one you are proposing.
We shouldn't do this in Python for the same reason we're not including
a predefined set of CA root certificates with the distribution. |
|
Date |
User |
Action |
Args |
2014-03-20 22:51:45 | lemburg | set | recipients:
+ lemburg, ncoghlan, pitrou, vstinner, christian.heimes, benjamin.peterson, ezio.melotti, Arfrever, alex, r.david.murray, dstufft |
2014-03-20 22:51:45 | lemburg | link | issue20995 messages |
2014-03-20 22:51:45 | lemburg | create | |
|