Message 301957 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	christian.heimes
Date	2017-09-12.13:22:44
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1505222565.12.0.626881844442.issue31429@psf.upfronthosting.co.za>
In-reply-to

Content
Python overrides OpenSSL's default cipher suites because the default selection used to be pretty bad and insecure. Python disables cipher suites with insecure algorithm such as RC4, MD5, DES, and 3DES. The SSL module has hard-coded cipher strings for SSLContext and ssl.create_default_context() in multiple places: * https://github.com/python/cpython/blob/v3.6.2/Modules/_ssl.c#L2693 * https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L387 * https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L503 However the cipher suite overrides makes it harder for vendors and downstream to enforce consistent policies. For example the hard-coded strings disable Fedora's crypto policy, https://fedoraproject.org/wiki/Changes/CryptoPolicy . Fedora has patched OpenSSL to support a "PROFILE=SYSTEM" cipher suite string. The string causes OpenSSL to read crypto settings from a system wide configuration file. In order to make it easier to override the default string, Python should have a configure option --with-ssl-default-suite that defines a PY_SSL_DEFAULT_SUITE macro. In the absence of the option / macro, Python shall set a sensible default suite. Application are encouraged to use this default suite list. They are still free to override the default by calling SSLContext's set_ciphers() method. Fedora's OpenSSL patch: https://src.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-system-cipherlist.patch?h=f26

Python overrides OpenSSL's default cipher suites because the default selection used to be pretty bad and insecure. Python disables cipher suites with insecure algorithm such as RC4, MD5, DES, and 3DES. The SSL module has hard-coded cipher strings for SSLContext and ssl.create_default_context() in multiple places:

* https://github.com/python/cpython/blob/v3.6.2/Modules/_ssl.c#L2693
* https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L387
* https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L503

However the cipher suite overrides makes it harder for vendors and downstream to enforce consistent policies. For example the hard-coded strings disable Fedora's crypto policy, https://fedoraproject.org/wiki/Changes/CryptoPolicy . Fedora has patched OpenSSL to support a "PROFILE=SYSTEM" cipher suite string. The string causes OpenSSL to read crypto settings from a system wide configuration file.

In order to make it easier to override the default string, Python should have a configure option --with-ssl-default-suite that defines a PY_SSL_DEFAULT_SUITE macro. In the absence of the option / macro, Python shall set a sensible default suite. Application are encouraged to use this default suite list. They are still free to override the default by calling SSLContext's set_ciphers() method.

Fedora's OpenSSL patch: https://src.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-system-cipherlist.patch?h=f26

History
Date	User	Action	Args
2017-09-12 13:22:45	christian.heimes	set	recipients: + christian.heimes
2017-09-12 13:22:45	christian.heimes	set	messageid: <1505222565.12.0.626881844442.issue31429@psf.upfronthosting.co.za>
2017-09-12 13:22:45	christian.heimes	link	issue31429 messages
2017-09-12 13:22:44	christian.heimes	create