classification
Title: Disable TLS Compression
Type: security Stage: resolved
Components: SSL Versions: Python 3.5, Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Sane defaults for SSLContext options and ciphers
View: 28043
Assigned To: christian.heimes Nosy List: Alex.Stapleton, Arfrever, alex, christian.heimes, dstufft, georg.brandl, ncoghlan, pitrou
Priority: high Keywords: patch

Created on 2014-03-20 13:53 by dstufft, last changed 2017-09-06 00:55 by christian.heimes. This issue is now closed.

Files
File name Uploaded Description Edit
disable-ssl-compression-default.diff dstufft, 2014-03-20 18:11
disable-ssl-compression-2.7.diff dstufft, 2014-03-20 18:41 review
Messages (14)
msg214234 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-20 13:53
Since Python 3.3 the ssl module has supported the ability to opt in to disabling TLS Compression [1]. However TLS Compression has the problem that it typically leaks data through an attack known as CRIME. CRIME is specific to HTTP but the type of attack it employs is not.

I believe that CPython should just flat out disable TLS Compression and it should do so in all currently active branches (2.7, 3.2+). The patch is fairly minor however there is the question of how that should be handled in 3.3+ where there would be a now useless flag and method on SSLContext. The likelhood for breakage is fairly low and all modern browsers have already permanently disabled it.

[1] http://bugs.python.org/issue13634
msg214235 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-20 13:58
It would probably be sufficient to add OP_NO_COMPRESSION to OP_ALL.
msg214237 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-20 14:01
Ah, I hadn't noticed the OP_ALL thing, in 3.3+ adding OP_NO_COMPRESSION to OP_ALL would be reasonable. That would disable TLS Compression by default, still provide people the ability to disable TLS Compression if they don't use OP_ALL, and provide a way to enable it if they want it.

Do you think it'd be OK to just disable TLS Compression in 2.7 and 3.2 without the option to turn it back on? I think that would be fine personally.
msg214238 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-20 14:02
> Do you think it'd be OK to just disable TLS Compression in 2.7 and 3.2
> without the option to turn it back on? I think that would be fine
> personally.

I'm not enough of a TLS expert, but it sounds ok.
msg214246 - (view) Author: Alex Stapleton (Alex.Stapleton) Date: 2014-03-20 15:28
CRIME is not universally applicable to all TLS connections and it requires some cooperation from the application to work. In fact for a Python TLS client it seems quite unlikely for an application to be vulnerable. The attack in the paper leverages an insecure website to inject JavaScript to issue crafted requests to a secure one. i.e. It requires both compression and some degree of remote code execution to work. Perhaps there are ways to extend the attack to apply to more common Python TLS client usage though?

Also some users will absolutely want to manually re-enable compression, please don't disable it entirely.
msg214248 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-20 15:57
To be specific it doesn't require any remote code execution to work, it just requires you to be able to influence the content of the responses that the client is receiving.
msg214254 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-20 18:11
This is a simple patch, it simple disables TLS Compression by default. If a user wants to add it back they can create their own SSLContext and do


ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options &= ~ssl.OP_NO_COMPRESSION

This should be able to apply against 3.2+ although it would only be 3.3+ that ssl.OP_NO_COMPRESSION is available to disable it, although a user could still hard code the constant in themselves.

This still leaves 2.7 out in the open here, what I'd like to do is just disable it and if someone really *needs* TLS Compression they can use pyopenssl to get that back. This is a reversal of the current situation where in order to get the safer value you have to use pyopenssl.
msg214258 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-03-20 18:41
Here's the same patch for Python 2.7, it's basically the same thing just at a different location.
msg225884 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2014-08-25 18:05
Pinging on this, since the SSL backport landed, concerns about an inability to change this behavior on python2 are no longer there. At a minimum I think we should include this flag in the default and stdlib contexts.
msg225885 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-08-25 18:09
Now that the backport has landed, I think you're welcome to do any further necessary tweaks.

By the way, as mentioned in the comments, I think we could add SSL_OP_NO_COMPRESSION to ssl.OP_ALL in all versions.
msg227924 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2014-09-30 14:01
I wouldn't consider this important enough for 3.2; since it lacks the means to do the opt-back-in.
msg275037 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 15:06
the default context sets context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0), _create_unverified_context() is missing that line.
msg276525 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-15 07:52
For 3.6 and 3.7, _ssl__SSLContext_impl() now sets NO_COMPRESSION.
msg301420 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-06 00:55
Issue #28043 did disable compression along with other improvements. 3.5 is now out of scope but I'm considering to backport #28043 to 2.7. I'm closing this issue in favor of #28043.
History
Date User Action Args
2017-09-06 00:55:56christian.heimessetstatus: open -> closed
superseder: Sane defaults for SSLContext options and ciphers
messages: + msg301420

resolution: duplicate
stage: needs patch -> resolved
2016-09-15 07:52:56christian.heimessetassignee: christian.heimes
messages: + msg276525
components: + SSL
versions: - Python 3.6, Python 3.7
2016-09-08 15:06:23christian.heimessetpriority: normal -> high
2016-09-08 15:06:15christian.heimessettype: security
stage: needs patch
messages: + msg275037
versions: + Python 3.6, Python 3.7, - Python 3.3, Python 3.4
2014-09-30 14:01:40georg.brandlsetnosy: + georg.brandl

messages: + msg227924
versions: - Python 3.2
2014-08-25 18:09:18pitrousetmessages: + msg225885
2014-08-25 18:05:03alexsetmessages: + msg225884
2014-03-20 18:41:00dstufftsetfiles: + disable-ssl-compression-2.7.diff

messages: + msg214258
2014-03-20 18:28:13Arfreversetnosy: + Arfrever
2014-03-20 18:11:12dstufftsetfiles: + disable-ssl-compression-default.diff
keywords: + patch
messages: + msg214254
2014-03-20 15:57:09dstufftsetmessages: + msg214248
2014-03-20 15:28:02Alex.Stapletonsetnosy: + Alex.Stapleton
messages: + msg214246
2014-03-20 14:10:44alexsetnosy: + alex
2014-03-20 14:02:09pitrousetmessages: + msg214238
2014-03-20 14:01:29dstufftsetmessages: + msg214237
2014-03-20 13:58:22pitrousetmessages: + msg214235
2014-03-20 13:53:36dstufftcreate