Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Increase security of TLS settings in 3.10 #88164

Closed
tiran opened this issue May 1, 2021 · 4 comments
Closed

Increase security of TLS settings in 3.10 #88164

tiran opened this issue May 1, 2021 · 4 comments
Assignees
@tiran
Labels
3.10 only security fixes 3.11 only security fixes topic-SSL type-security A security issue

Comments

@tiran
Copy link
Member

tiran commented May 1, 2021

BPO 43998
Nosy @tiran, @hynek
PRs
  • bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778) #25778
  • bpo-43998: Fix testing without ssl module (GH-25790) #25790
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
closed_at = <Date 2021-05-01.18:53:40.368>
created_at = <Date 2021-05-01.10:41:52.117>
labels = ['type-security', 'expert-SSL', '3.10', '3.11']
title = 'Increase security of TLS settings in 3.10'
updated_at = <Date 2021-05-01.20:17:08.005>
user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-05-01.20:17:08.005>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2021-05-01.18:53:40.368>
closer = 'christian.heimes'
components = ['SSL']
creation = <Date 2021-05-01.10:41:52.117>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 43998
keywords = ['patch']
message_count = 4.0
messages = ['392582', '392586', '392616', '392629']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'hynek']
pr_nums = ['25778', '25790']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue43998'
versions = ['Python 3.10', 'Python 3.11']
    @tiran
    Copy link
    Member Author

    tiran commented May 1, 2021

    It's 2021. TLS 1.0 and 1.1 have been deprecated in RFC 8996. Browsers have disabled TLS 1.0 and 1.1, too. Python should no longer enable TLS 1.1 by default and require strong TLS ciphers with forward secrecy.

    I'm going to update Python's default cipher suite based on Hynek's excellent blog post https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ . I'll deviate in two minor points:

    • keep ephemeral, finite field Diffie-Hellman for legacy hardware. It's not that insecure, just slow.
    • enforce security level 2 to require strong RSA and DH keys. @SECLEVEL=2 enforced minimum of 112 bits security. Almost all common RSA certificates use 2048 bits RSA signature.

    I'm also going to set TLS 1.2 as minimum protocol version with Python is compiled with --with-ssl-default-suites=python or --with-ssl-default-suites=custom_string. Distro vendors can use --with-ssl-default-suites=openssl to override the setting.

    @tiran tiran added 3.10 only security fixes 3.11 only security fixes labels May 1, 2021
    @tiran tiran self-assigned this May 1, 2021
    @tiran tiran added topic-SSL type-security A security issue 3.10 only security fixes 3.11 only security fixes labels May 1, 2021
    @tiran tiran self-assigned this May 1, 2021
    @tiran tiran added topic-SSL type-security A security issue labels May 1, 2021
    @tiran
    Copy link
    Member Author

    tiran commented May 1, 2021 

    $ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256

    @tiran
    Copy link
    Member Author

    tiran commented May 1, 2021

    New changeset e983252 by Christian Heimes in branch 'master':
    bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
    e983252

    @tiran tiran closed this as completed May 1, 2021
    @tiran tiran closed this as completed May 1, 2021
    @tiran
    Copy link
    Member Author

    tiran commented May 1, 2021

    New changeset a5669b3 by Christian Heimes in branch 'master':
    bpo-43998: Fix testing without ssl module (GH-25790)
    a5669b3

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    @bdraco bdraco mentioned this issue Jul 7, 2022
    Merged
    22 tasks
    @chrisburr chrisburr mentioned this issue Jul 15, 2022
    Closed
    @chrisburr chrisburr mentioned this issue Aug 16, 2022
    Merged
    @mib1185 mib1185 mentioned this issue Oct 9, 2022
    Closed
    @HLFH HLFH mentioned this issue Nov 10, 2022
    Closed
    @ktmzcpl ktmzcpl mentioned this issue Dec 24, 2022
    Open
    @FlorentClarret FlorentClarret mentioned this issue Nov 24, 2023
    Merged
    3 tasks
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @tiran tiran

    Labels
    3.10 only security fixes 3.11 only security fixes topic-SSL type-security A security issue
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    1 participant
    @tiran