classification
Title: Increase security of TLS settings in 3.10
Type: security Stage: resolved
Components: SSL Versions: Python 3.11, Python 3.10
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, hynek
Priority: normal Keywords: patch

Created on 2021-05-01 10:41 by christian.heimes, last changed 2021-05-01 20:17 by christian.heimes. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 25778 merged christian.heimes, 2021-05-01 11:25
PR 25790 merged christian.heimes, 2021-05-01 19:24
Messages (4)
msg392582 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-05-01 10:41
It's 2021. TLS 1.0 and 1.1 have been deprecated in RFC 8996. Browsers have disabled TLS 1.0 and 1.1, too. Python should no longer enable TLS 1.1 by default and require strong TLS ciphers with forward secrecy. 

I'm going to update Python's default cipher suite based on Hynek's excellent blog post https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ . I'll deviate in two minor points:

* keep ephemeral, finite field Diffie-Hellman for legacy hardware. It's not that insecure, just slow.
* enforce security level 2 to require strong RSA and DH keys. @SECLEVEL=2 enforced minimum of 112 bits security. Almost all common RSA certificates use 2048 bits RSA signature.

I'm also going to set TLS 1.2 as minimum protocol version with Python is compiled with --with-ssl-default-suites=python or --with-ssl-default-suites=custom_string. Distro vendors can use --with-ssl-default-suites=openssl to override the setting.
msg392586 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-05-01 11:24
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
msg392616 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-05-01 18:53
New changeset e983252b516edb15d4338b0a47631b59ef1e2536 by Christian Heimes in branch 'master':
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
https://github.com/python/cpython/commit/e983252b516edb15d4338b0a47631b59ef1e2536
msg392629 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-05-01 20:17
New changeset a5669b3c627e64c9196d9bb58b733eb723d34e99 by Christian Heimes in branch 'master':
bpo-43998: Fix testing without ssl module (GH-25790)
https://github.com/python/cpython/commit/a5669b3c627e64c9196d9bb58b733eb723d34e99
History
Date User Action Args
2021-05-01 20:17:08christian.heimessetmessages: + msg392629
2021-05-01 19:24:24christian.heimessetpull_requests: + pull_request24479
2021-05-01 18:53:40christian.heimessetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2021-05-01 18:53:16christian.heimessetmessages: + msg392616
2021-05-01 11:25:29christian.heimessetkeywords: + patch
stage: patch review
pull_requests: + pull_request24469
2021-05-01 11:24:03christian.heimessetmessages: + msg392586
2021-05-01 10:41:52christian.heimescreate