Issue 28043: Sane defaults for SSLContext options and ciphers - Python tracker

classification

Title:	Sane defaults for SSLContext options and ciphers
Type:	security	Stage:	commit review
Components:	Extension Modules, Library (Lib)	Versions:	Python 3.7, Python 3.6

process

Status:	open	Resolution:
Dependencies:		Superseder:
Assigned To:	christian.heimes	Nosy List:	alex, christian.heimes, dstufft, giampaolo.rodola, janssen, ncoghlan, python-dev
Priority:	high	Keywords:	patch

Created on 2016-09-09 11:18 by christian.heimes, last changed 2017-09-06 00:53 by christian.heimes.

Files
File name	Uploaded	Description	Edit
Sane-defaults-for-SSLContext-options-and-ciphers.patch	christian.heimes, 2016-09-09 11:18		review

Messages (5)
msg275310 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2016-09-09 11:18
I like to introduce sane defaults for SSLContext options and ciphers: Changed in version 3.6: The context is created with more secure default values. PROTOCOL_TLS is the default protocol. The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
msg275604 - (view)	Author: Nick Coghlan (ncoghlan) *	Date: 2016-09-10 09:20
+1 from me for a model where ssl.get_default_context() can change in maintenance releases, while the ssl.SSLContext defaults get updated for feature releases.
msg275637 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2016-09-10 13:57
I'm planning to remove PROTOCOL_TLS again and replace it with something more sensible.
msg275694 - (view)	Author: Roundup Robot (python-dev)	Date: 2016-09-10 20:43
New changeset 1b4c5d06c028 by Christian Heimes in branch 'default': Issue 28043: SSLContext has improved default settings https://hg.python.org/cpython/rev/1b4c5d06c028
msg301419 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2017-09-06 00:53
3.6 and master are looking good. Should I backport the fix to 2.7, too?

History
Date	User	Action	Args
2017-09-06 00:55:56	christian.heimes	link	issue20994 superseder
2017-09-06 00:53:37	christian.heimes	set	status: pending -> open messages: + msg301419
2016-09-10 20:44:30	christian.heimes	set	status: open -> pending assignee: christian.heimes stage: patch review -> commit review
2016-09-10 20:43:56	python-dev	set	nosy: + python-dev messages: + msg275694
2016-09-10 13:57:44	christian.heimes	set	messages: + msg275637
2016-09-10 09:20:43	ncoghlan	set	messages: + msg275604
2016-09-09 11:18:41	christian.heimes	create