classification
Title: Can't reorder TLS 1.3 ciphersuites
Type: enhancement Stage:
Components: SSL Versions: Python 3.8
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Eman Alashwali, christian.heimes
Priority: normal Keywords:

Created on 2019-03-30 11:23 by Eman Alashwali, last changed 2019-04-05 18:22 by terry.reedy.

Messages (3)
msg339188 - (view) Author: Eman Alashwali (Eman Alashwali) Date: 2019-03-30 11:23
Wen using the SSL module, I need to be able to reorder the ciphersuites list in TLS 1.3. I was able to do this with python using SSLContext.set_ciphers(ciphers) when working with TLS 1.2. But this is not possible with TLS 1.3 ciphersuites. The need to reorder the ciphersuites is needed because one might need a specific order to simulate specific TLS client that send the ciphersuites in specific order. Unfortunately this is seems not possible now in python with TLS 1.3 as the comment in the documentations says: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers

Can you please consider this post as a feature request? Or clarify to me how to reorder the ciphersuites list when working with TLS 1.3?
msg339274 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-03-31 19:46
I don't have plans to implement cipher suite selection for TLS 1.3 any time soon, maybe not at all. TLS 1.3 changed cipher selection a lot, making the API more complicated. The signature algorithm and key agreement groups are handled as separate extensions, resulting in three additional APIs.

Applications shouldn't modify the cipher suites any more. These days TLS libraries provide a good and safe selection of suites. Weak ciphers should be disabled by either a security update of the TLS library or system-wide settings. 

There is one workaround: You can influence connection parameters with an OpenSSL config file [1][2] by setting OPENSSL_CONF env var. OpenSSL parses the file only once, so you have to set it before you start Python.

[1] https://www.openssl.org/docs/manmaster/man5/config.html
[2] https://fedoraproject.org/wiki/Changes/CryptoPolicy
msg339276 - (view) Author: Eman Alashwali (Eman Alashwali) Date: 2019-03-31 20:32
Thanks. Just to clarify regarding your comment: "Applications shouldn't
modify the cipher suites any more.":
I use python to develop scripts for running experiments, which requires me
to simulate specific clients precisely including their TLS 1.3 ciphers
order.
As you know, TLS 1.3 can not have weak ciphers and only 3 or 4 secure ones
are permitted by design. But still the order should be accurate in
simulation experiment settings. This is different from ordinary
development. It is a bit disappointing that the developer can re-order the
weaker ones (in TLS 1.2) but not TLS 1.3.
However, thanks again for your reply.

On Sun, Mar 31, 2019 at 8:46 PM Christian Heimes <report@bugs.python.org>
wrote:

>
> Christian Heimes <lists@cheimes.de> added the comment:
>
> I don't have plans to implement cipher suite selection for TLS 1.3 any
> time soon, maybe not at all. TLS 1.3 changed cipher selection a lot, making
> the API more complicated. The signature algorithm and key agreement groups
> are handled as separate extensions, resulting in three additional APIs.
>
> Applications shouldn't modify the cipher suites any more. These days TLS
> libraries provide a good and safe selection of suites. Weak ciphers should
> be disabled by either a security update of the TLS library or system-wide
> settings.
>
> There is one workaround: You can influence connection parameters with an
> OpenSSL config file [1][2] by setting OPENSSL_CONF env var. OpenSSL parses
> the file only once, so you have to set it before you start Python.
>
> [1] https://www.openssl.org/docs/manmaster/man5/config.html
> [2] https://fedoraproject.org/wiki/Changes/CryptoPolicy
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <https://bugs.python.org/issue36484>
> _______________________________________
>
History
Date User Action Args
2019-04-05 18:22:24terry.reedysettype: enhancement
versions: + Python 3.8, - Python 3.6
2019-03-31 20:32:26Eman Alashwalisetmessages: + msg339276
2019-03-31 19:46:18christian.heimessetmessages: + msg339274
2019-03-30 11:23:55Eman Alashwalicreate