Message 305380 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	alex, christian.heimes, dstufft, hanno, janssen
Date	2017-11-01.13:19:31
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1509542371.7.0.213398074469.issue31892@psf.upfronthosting.co.za>
In-reply-to

Content
Thanks for your feature request, Hanno. It's fairly easy to implement with current API for TLS protocols up to TLS 1.2, e.g. cipher suite "DEFAULT:!aRSA:!aDSS" or "aECDSA:!NULL" for ECDSA certs. However TLS 1.3 cipher suites no longer specify authentication and KE/KX algorithms, e.g. TLS13-AES-256-GCM-SHA384. I have to find a way to force OpenSSL's state machine to establish a connection with a specific authentication algorithm. Memo to me: TLS 1.3 also has EdDSA.

Thanks for your feature request, Hanno.

It's fairly easy to implement with current API for TLS protocols up to TLS 1.2, e.g. cipher suite "DEFAULT:!aRSA:!aDSS" or "aECDSA:!NULL" for ECDSA certs.

However TLS 1.3 cipher suites no longer specify authentication and KE/KX algorithms, e.g. TLS13-AES-256-GCM-SHA384. I have to find a way to force OpenSSL's state machine to establish a connection with a specific authentication algorithm.

Memo to me: TLS 1.3 also has EdDSA.

History
Date	User	Action	Args
2017-11-01 13:19:31	christian.heimes	set	recipients: + christian.heimes, janssen, alex, dstufft, hanno
2017-11-01 13:19:31	christian.heimes	set	messageid: <1509542371.7.0.213398074469.issue31892@psf.upfronthosting.co.za>
2017-11-01 13:19:31	christian.heimes	link	issue31892 messages
2017-11-01 13:19:31	christian.heimes	create