Message 214277 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	dstufft
Recipients	Arfrever, alex, benjamin.peterson, christian.heimes, dstufft, ezio.melotti, lemburg, ncoghlan, pitrou, r.david.murray, vstinner
Date	2014-03-20.20:48:48
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1395348529.12.0.0276048871185.issue20995@psf.upfronthosting.co.za>
In-reply-to

Content
Another bit of maintenance here: If a new cipher suite is added to OpenSSL it won' be generally available for a long while so very few if any services are going to be willing to depend on only it. For the very rare and unlikely case that somebody does setup a service that requires some brand new cipher they can override this list easily. Using the default or the "wide" open strings are inherently more dangerous because of the wide range of OpenSSL's that are in production use. It's hard without auditing every version of OpenSSL to figure out what ciphers will be available in what circumstances. It also means that if OpenSSL adds a new cipher that ends up being insecure that it will be picked up automatically. Therefore the strings I've posted take the opinion that a whitelist is more secure than a blacklist and whitelist the cipher suites to a very specific set that happen to be best practices at this current time. The only required maintenance would be if one of the selected ciphers are found to be insecure. However that was already a required maintenance because (again) of the wide range of OpenSSL versions available and the fact that these strings don't add any new ciphers, only remove some and create an explicit priority.

Another bit of maintenance here:

If a new cipher suite is added to OpenSSL it won' be generally available for a long while so very few if any services are going to be willing to depend on *only* it. For the very rare and unlikely case that somebody does setup a service that requires some brand new cipher they can override this list easily.

Using the default or the "wide" open strings are inherently more dangerous because of the wide range of OpenSSL's that are in production use. It's hard without auditing every version of OpenSSL to figure out what ciphers will be available in what circumstances. It also means that if OpenSSL adds a new cipher that ends up being insecure that it will be picked up automatically. Therefore the strings I've posted take the opinion that a whitelist is more secure than a blacklist and whitelist the cipher suites to a very specific set that happen to be best practices at this current time.

The only *required* maintenance would be if one of the selected ciphers are found to be insecure. However that was already a required maintenance because (again) of the wide range of OpenSSL versions available and the fact that these strings don't *add* any new ciphers, only remove some and create an explicit priority.

History
Date	User	Action	Args
2014-03-20 20:48:49	dstufft	set	recipients: + dstufft, lemburg, ncoghlan, pitrou, vstinner, christian.heimes, benjamin.peterson, ezio.melotti, Arfrever, alex, r.david.murray
2014-03-20 20:48:49	dstufft	set	messageid: <1395348529.12.0.0276048871185.issue20995@psf.upfronthosting.co.za>
2014-03-20 20:48:49	dstufft	link	issue20995 messages
2014-03-20 20:48:48	dstufft	create