
Author naif
Recipients gregory.p.smith, naif, pitrou
Date 2011-12-19.13:31:32
Message-id <1324301493.21.0.301225362541.issue13636@psf.upfronthosting.co.za>
In-reply-to
Content
We could also disable all the ciphers that use MD5 for authentication:

MD5 has been disabled for SSL use due to its weakness by:

- Firefox (All mozilla products now refuse any MD5 ciphers)
https://www.thesslstore.com/blog/index.php/firefox-to-stop-supporting-md5-based-ssl/
- Duraconf by Jacob Appelbaum (Tor Project)
https://github.com/ioerror/duraconf

"HIGH:!aNULL:!eNULL:!SSLv2:!MD5" would do the magic, so we update the default to a modern, yet compatible, set of supported SSL ciphers.

I don't want to break compatibility in any case, but by default software should not support vulnerable, weak ciphers, and this seems a good compromise.

Then the last fine-tuning would be to have the right preferred order of ciphers, to always prefer ECDHE (if available).
History
Date                 User  Action  Args
2011-12-19 13:31:33  naif  set     recipients: + naif, gregory.p.smith, pitrou
2011-12-19 13:31:33  naif  set     messageid: <1324301493.21.0.301225362541.issue13636@psf.upfronthosting.co.za>
2011-12-19 13:31:32  naif  link    issue13636 messages
2011-12-19 13:31:32  naif  create
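The cipher string proposed in the message above can be checked against the local OpenSSL build with Python's `ssl` module. This is an added example, not part of the original message or of CPython's code; the function names and the sample description lines are constructed for illustration.

```python
import re
import ssl

PROPOSED = "HIGH:!aNULL:!eNULL:!SSLv2:!MD5"  # cipher string quoted in the message

# Constructed sample lines in the format of `openssl ciphers -v` and of
# SSLContext.get_ciphers()[i]["description"].
SAMPLES = [
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5",
    "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1",
    "NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1",
]

def parse(description):
    """Extract the Kx/Au/Enc/Mac fields from one cipher description line."""
    return {k: v.lower() for k, v in
            re.findall(r"\b(Kx|Au|Enc|Mac)=(\S+)", description)}

def violations(description):
    """Return the reasons a suite falls outside the policy in the message."""
    f = parse(description)
    found = []
    if f.get("Mac") == "md5":
        found.append("MD5 MAC")
    if f.get("Au") == "none":
        found.append("anonymous key exchange (no authentication)")
    if f.get("Enc") == "none":
        found.append("no encryption")
    return found

def ecdhe_preferred(descriptions):
    """True if the first pre-TLS 1.3 suite in preference order uses ECDHE."""
    for d in descriptions:
        kx = parse(d).get("Kx", "any")
        if kx != "any":          # TLS 1.3 suites report Kx=any; skip them
            return kx.startswith("ecdh")
    return False

def audit(cipher_string):
    """Apply cipher_string to a context; map offending suite names to reasons."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    report = {c["name"]: violations(c["description"]) for c in ctx.get_ciphers()}
    return {name: why for name, why in report.items() if why}

if __name__ == "__main__":
    print("offending suites:", audit(PROPOSED))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(PROPOSED)
    print("ECDHE first:", ecdhe_preferred(c["description"] for c in ctx.get_ciphers()))
```

The preference-order result depends on the linked OpenSSL version, so it is reported rather than assumed.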