
Author eighthave
Recipients christian.heimes, eighthave, njs, steve.dower
Date 2022-03-20.14:22:54
Message-id <1647786174.28.0.857937610968.issue43902@roundup.psfhosted.org>
Content
This general idea sounds nice to have; I hope it can be included. `ctx._call_with_ctypes("SSL_CTX_set_ciphersuites"...` also sounds totally workable to me, if that has the best security profile.

Defense in depth is important, but it is not a reason to prevent key functionality from landing. For example, "export_keying_material" is an RFC and widely implemented (Go crypto/tls, Rustls, Conscrypt, nodejs, boringssl, openssl, BouncyCastle, etc.; see links here: https://github.com/python/cpython/pull/25255#issuecomment-1073256270). It is used in IETF protocols like SRTP and NTS.

Perhaps that could be a concrete use case here for thinking about the security profile?