classification
Title: TLS cipher suite compile time option for downstream
Type: security Stage: resolved
Components: SSL Versions: Python 3.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: alex, christian.heimes, cstratak, dstufft, janssen
Priority: normal Keywords: patch

Created on 2017-09-12 13:22 by christian.heimes, last changed 2018-01-29 13:10 by christian.heimes. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 3532 merged christian.heimes, 2017-09-13 06:54
Messages (3)
msg301957 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-12 13:22
Python overrides OpenSSL's default cipher suites because the default selection used to be pretty bad and insecure. Python disables cipher suites with insecure algorithm such as RC4, MD5, DES, and 3DES. The SSL module has hard-coded cipher strings for SSLContext and ssl.create_default_context() in multiple places:

* https://github.com/python/cpython/blob/v3.6.2/Modules/_ssl.c#L2693
* https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L387
* https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L503

However the cipher suite overrides makes it harder for vendors and downstream to enforce consistent policies. For example the hard-coded strings disable Fedora's crypto policy, https://fedoraproject.org/wiki/Changes/CryptoPolicy . Fedora has patched OpenSSL to support a "PROFILE=SYSTEM" cipher suite string. The string causes OpenSSL to read crypto settings from a system wide configuration file.

In order to make it easier to override the default string, Python should have a configure option --with-ssl-default-suite that defines a PY_SSL_DEFAULT_SUITE macro. In the absence of the option / macro, Python shall set a sensible default suite. Application are encouraged to use this default suite list. They are still free to override the default by calling SSLContext's set_ciphers() method.

Fedora's OpenSSL patch: https://src.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-system-cipherlist.patch?h=f26
msg310351 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-01-20 15:08
My PR is ready for review.
msg311126 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-01-29 13:10
New changeset 892d66e422d5367673163d62ba40cd70a37d5cf7 by Christian Heimes in branch 'master':
bpo-31429: Define TLS cipher suite on build time (#3532)
https://github.com/python/cpython/commit/892d66e422d5367673163d62ba40cd70a37d5cf7
History
Date User Action Args
2018-01-29 13:10:35christian.heimessetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2018-01-29 13:10:21christian.heimessetmessages: + msg311126
2018-01-20 15:08:05christian.heimessetnosy: + janssen, alex, dstufft
messages: + msg310351
2017-09-13 12:27:49cstrataksetnosy: + cstratak
2017-09-13 06:54:31christian.heimessetkeywords: + patch
stage: needs patch -> patch review
pull_requests: + pull_request3529
2017-09-12 13:22:45christian.heimescreate