Message 214538 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	dstufft
Recipients	alex, christian.heimes, dstufft, pitrou
Date	2014-03-23.02:25:51
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1395541553.64.0.555735734555.issue21013@psf.upfronthosting.co.za>
In-reply-to

Content
Attached is a new patch. It has: * Switches the protocol to SSLv23 so that we can negotiate a TLS1.1 or TLS1.2 connection. * Sets OP_CIPHER_SERVER_PREFERENCE for Purpose.CLIENT_AUTH so that our carefully selected cipher priority gives us better encryption and PFS * Sets OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE for Purpose.CLIENT_AUTH to prevent re-use of the DH and ECDH keys in distinct sessions. * Disables SSLv3 connections explicitly to match lower bounds of the original security of the created context * Moves the "restricted" ciphers to only apply to servers. Servers can be much more picky about which ciphers they accept than clients can, and further more with how our ciphers are laid out now if RC4 is selected it is entirely the fault of the server we are connecting to. * Document what the type of error message would be if a SSL 3.0 connection is required and how to re-enable it.

Attached is a new patch. It has:

* Switches the protocol to SSLv23 so that we can negotiate a TLS1.1 or TLS1.2 connection.
* Sets OP_CIPHER_SERVER_PREFERENCE for Purpose.CLIENT_AUTH so that our carefully selected cipher priority gives us better encryption and PFS
* Sets OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE for Purpose.CLIENT_AUTH to prevent re-use of the DH and ECDH keys in distinct sessions.
* Disables SSLv3 connections explicitly to match lower bounds of the original security of the created context
* Moves the "restricted" ciphers to only apply to servers. Servers can be much more picky about which ciphers they accept than clients can, and further more with how our ciphers are laid out now if RC4 is selected it is entirely the fault of the server we are connecting to.
* Document what the type of error message would be if a SSL 3.0 connection is required and how to re-enable it.

History
Date	User	Action	Args
2014-03-23 02:25:54	dstufft	set	recipients: + dstufft, pitrou, christian.heimes, alex
2014-03-23 02:25:53	dstufft	set	messageid: <1395541553.64.0.555735734555.issue21013@psf.upfronthosting.co.za>
2014-03-23 02:25:53	dstufft	link	issue21013 messages
2014-03-23 02:25:53	dstufft	create