classification
Title: Interface to OpenSSL's security level
Type: enhancement Stage: patch review
Components: SSL Versions: Python 3.10
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, mhughes, miss-islington, pitrou
Priority: normal Keywords: patch

Created on 2020-07-02 10:28 by mhughes, last changed 2020-07-17 08:59 by miss-islington.

Files
File name Uploaded Description Edit
add_ssl_context_security_level.patch mhughes, 2020-07-02 10:28
Pull Requests
URL Status Linked Edit
PR 21282 merged mhughes, 2020-07-02 13:10
Messages (6)
msg372839 - (view) Author: Matthew Hughes (mhughes) * Date: 2020-07-02 10:28
While investigating Python's SSL I noticed there was no interface for interacting with OpenSSL's SSL_CTX_{get,set}_security_level (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html) so I thought I'd look into adding one (see attached patch). I'd be happy to put up a PR, but I have node idea if this feature would actually be desired.
msg372841 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-07-02 10:45
I'm not sure it's a good idea to expose a setter for security level. In general the security level is a system-wide policy decision that should be controlled by administrators. Applications should not change this setting.

Python libraries tend to follow bad practices and cargo cult when it comes to TLS settings. Many years ago OpenSSL and Linux distributions had bad default settings. Nowadays OpenSSL has good defaults and distributions often set even stricter defaults.

A read-only getter for the policy sounds like a good idea, though.
msg372844 - (view) Author: Matthew Hughes (mhughes) * Date: 2020-07-02 10:56
> Applications should not change this setting
> A read-only getter for the policy sounds like a good idea, though.

Thanks for the feedback, sounds reasonable to me. I'll happily work on getting a PR up for the read-only setter.
msg372992 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2020-07-04 13:47
No strong feelings on this, but the OpenSSL runtime is not always packaged by a Linux distribution.  (macOS, Windows and Anaconda come to mind)

If one wants to retain the setter facility, one could raise a RuntimeWarning if the user *lowers* the actual security level.
msg373037 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-07-05 16:58
Users can set the current security level in either an OpenSSL config file or with ctx.set_cipher("@SECLEVEL=i:...").
msg373804 - (view) Author: miss-islington (miss-islington) Date: 2020-07-17 08:59
New changeset 8e836bb21ce73f0794fd769db5883c29680dfe47 by matthewhughes934 in branch 'master':
bpo-41195: Add getter for Openssl security level (GH-21282)
https://github.com/python/cpython/commit/8e836bb21ce73f0794fd769db5883c29680dfe47
History
Date User Action Args
2020-07-17 08:59:24miss-islingtonsetnosy: + miss-islington
messages: + msg373804
2020-07-05 16:58:56christian.heimessetmessages: + msg373037
versions: + Python 3.10
2020-07-04 13:47:09pitrousetnosy: + pitrou
messages: + msg372992
2020-07-02 13:10:33mhughessetstage: patch review
pull_requests: + pull_request20431
2020-07-02 10:56:21mhughessetmessages: + msg372844
2020-07-02 10:45:03christian.heimessetmessages: + msg372841
2020-07-02 10:28:17mhughescreate