
Interface to OpenSSL's security level #85367

Closed
matthewhughes934 mannequin opened this issue Jul 2, 2020 · 7 comments
Labels: 3.10 only security fixes, topic-SSL, type-feature (A feature request or enhancement)

Comments


matthewhughes934 mannequin commented Jul 2, 2020

BPO 41195
Nosy @pitrou, @tiran, @miss-islington, @matthewhughes934
PRs
  • bpo-41195: Add getter for Openssl security level #21282
Files
  • add_ssl_context_security_level.patch
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2021-04-17.18:20:31.534>
created_at = <Date 2020-07-02.10:28:17.380>
labels = ['expert-SSL', 'type-feature', '3.10']
title = "Interface to OpenSSL's security level"
updated_at = <Date 2021-04-17.18:20:31.533>
user = 'https://github.com/matthewhughes934'

bugs.python.org fields:

activity = <Date 2021-04-17.18:20:31.533>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2021-04-17.18:20:31.534>
closer = 'christian.heimes'
components = ['SSL']
creation = <Date 2020-07-02.10:28:17.380>
creator = 'mhughes'
dependencies = []
files = ['49291']
hgrepos = []
issue_num = 41195
keywords = ['patch']
message_count = 7.0
messages = ['372839', '372841', '372844', '372992', '373037', '373804', '391299']
nosy_count = 4.0
nosy_names = ['pitrou', 'christian.heimes', 'miss-islington', 'mhughes']
pr_nums = ['21282']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue41195'
versions = ['Python 3.10']


While investigating Python's SSL I noticed there was no interface for interacting with OpenSSL's SSL_CTX_{get,set}_security_level (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html) so I thought I'd look into adding one (see attached patch). I'd be happy to put up a PR, but I have no idea if this feature would actually be desired.

@matthewhughes934 matthewhughes934 mannequin assigned tiran Jul 2, 2020
@matthewhughes934 matthewhughes934 mannequin added topic-SSL type-feature A feature request or enhancement labels Jul 2, 2020

tiran commented Jul 2, 2020

I'm not sure it's a good idea to expose a setter for security level. In general the security level is a system-wide policy decision that should be controlled by administrators. Applications should not change this setting.

Python libraries tend to follow bad practices and cargo cult when it comes to TLS settings. Many years ago OpenSSL and Linux distributions had bad default settings. Nowadays OpenSSL has good defaults and distributions often set even stricter defaults.

A read-only getter for the policy sounds like a good idea, though.


matthewhughes934 mannequin commented Jul 2, 2020

Applications should not change this setting
A read-only getter for the policy sounds like a good idea, though.

Thanks for the feedback, sounds reasonable to me. I'll happily work on getting a PR up for the read-only setter.


pitrou commented Jul 4, 2020

No strong feelings on this, but the OpenSSL runtime is not always packaged by a Linux distribution. (macOS, Windows and Anaconda come to mind)

If one wants to retain the setter facility, one could raise a RuntimeWarning if the user *lowers* the actual security level.


tiran commented Jul 5, 2020

Users can set the current security level in either an OpenSSL config file or with ctx.set_cipher("@SECLEVEL=i:...").

@tiran tiran added 3.10 only security fixes labels Jul 5, 2020
@miss-islington

New changeset 8e836bb by matthewhughes934 in branch 'master':
bpo-41195: Add getter for Openssl security level (GH-21282)


tiran commented Apr 17, 2021

The getter is available in 3.10. Thanks for your contribution!

@tiran tiran closed this as completed Apr 17, 2021
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022