Message214300
> I disagree. Python only provides an interface to OpenSSL, so the OpenSSL
> system defaults should be used.
Python is already changing the OpenSSL defaults. Also, you're advocating that
Python should support 40-bit encryption that can be brute forced in a matter of
days.
> Maintaining system security is an easier and more scalable approach than
> trying to properly configure half a dozen sub-systems which happen to use
> OpenSSL as basis for their SSL configuration. By forcing a specific
> set of ciphers, we're breaking this approach.
Again, Python is already forcing a set of ciphers. I don't know what sort of
systems you use, but even RHEL 6.5 has *horrible* ciphers in the OpenSSL
default set. Things like DES (not 3DES, DES) and 40-bit RC4.
> By restricting the set of allowed ciphers you can also create the
> situation that Python in its default configuration cannot talk to
> certain web servers which use a different set of ciphers than the
> one you are proposing.
Of course, any restriction does that; that's not a reason to also allow aNULL
or eNULL by default just because somewhere someone out there might be running
a server that only speaks them. Secure, Sane Defaults and the Ability to
override.
> We shouldn't do this in Python for the same reason we're not including
> a predefined set of CA root certificates with the distribution.
The difference here is that there are properly maintained alternatives to
Python including a predefined set of CA root certificates. This isn't the
case with OpenSSL. OpenSSL doesn't provide good defaults and I'm not aware of
a single OS which ships with OpenSSL that patches it to provide good defaults.
Python exposes this API; it's Python's job to properly secure it.

Date | User | Action | Args
2014-03-20 23:10:48 | dstufft | set | recipients: + dstufft, lemburg, ncoghlan, pitrou, vstinner, christian.heimes, benjamin.peterson, ezio.melotti, Arfrever, alex, r.david.murray
2014-03-20 23:10:48 | dstufft | set | messageid: <1395357048.5.0.0382883591735.issue20995@psf.upfronthosting.co.za>
2014-03-20 23:10:48 | dstufft | link | issue20995 messages
2014-03-20 23:10:48 | dstufft | create |
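Added example, not part of the tracker message or of CPython's code: a small audit that flags the cipher classes named in the message (aNULL, eNULL, single DES, 40-bit keys) in an `ssl.SSLContext`, and shows an application overriding the cipher list. The `HARDENED` cipher string, the sample description lines and the function names are assumptions constructed for illustration.

```python
import re
import ssl

# CONSTRUCTED samples in the format of OpenSSL cipher descriptions, the same
# text ssl.SSLContext.get_ciphers() returns under the "description" key.
SAMPLES = {
    "EXP-RC4-MD5": "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export",
    "DES-CBC-SHA": "DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
    "DES-CBC3-SHA": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1",
    "ADH-AES128-SHA": "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1",
    "NULL-SHA": "NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1",
}
# Assumed example override string; it is not taken from the message.
HARDENED = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!aNULL:!eNULL:!MD5"

_FIELD = re.compile(r"(\w+)=(\S+)")            # Kx=, Au=, Enc=, Mac= fields
_ENC = re.compile(r"([^()]+)(?:\((\d+)\))?")   # "RC4(40)" -> ("RC4", "40")

def weak_reasons(description):
    """Return the reasons a cipher description falls in a class the message names."""
    fields = dict(_FIELD.findall(description))
    reasons = []
    if fields.get("Au") == "None":
        reasons.append("aNULL")                # no authentication
    enc = fields.get("Enc", "")
    match = _ENC.fullmatch(enc)
    if enc == "None":
        reasons.append("eNULL")                # no encryption
    elif match and match.group(1) == "DES":
        reasons.append("single DES")           # 3DES is reported as "3DES"
    elif match and match.group(2) and int(match.group(2)) <= 40:
        reasons.append("40-bit key")
    return reasons

def audit(ctx):
    """Map each weak cipher enabled on ctx to its reasons."""
    found = {}
    for cipher in ctx.get_ciphers():
        reasons = weak_reasons(cipher["description"])
        if reasons:
            found[cipher["name"]] = reasons
    return found

def hardened_context():
    """Default client context with the cipher list overridden."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(HARDENED)
    return ctx

if __name__ == "__main__":
    print("samples:", {n: weak_reasons(d) for n, d in SAMPLES.items()})
    print("system default:", audit(ssl.create_default_context()))
    print("hardened:", audit(hardened_context()))
```

Running `audit()` on a context built without `set_ciphers()` shows what the local OpenSSL build enables on its own, which is the comparison the message turns on.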