[issue13636] Python SSL Stack doesn't have a Secure Default set of ciphers
naif
report at bugs.python.org
Mon Dec 19 14:31:33 CET 2011
naif <naif at globaleaks.org> added the comment:
We could also disable all the ciphers that use MD5 for authentication:
MD5 has been disabled for SSL use due to its weakness by:
- Firefox (all Mozilla products now refuse any MD5 ciphers)
https://www.thesslstore.com/blog/index.php/firefox-to-stop-supporting-md5-based-ssl/
- Duraconf by Jacob Appelbaum (Tor Project)
https://github.com/ioerror/duraconf
"HIGH:!aNULL:!eNULL:!SSLv2:!MD5" would do the magic, so we update the default to a modern, yet compatible set of SSL ciphers supported.
I don't want in any case to break compatibility, but by default software should not support vulnerable, weak ciphers, and this seems a good compromise.
Then the last fine tuning would be to have the right preferred order of ciphers, to always prefer ECDHE (if available).
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13636>
_______________________________________
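An added example, not part of the original comment or of CPython's code: it loads the cipher string proposed above into an `ssl.SSLContext` and audits what the linked OpenSSL actually enables, flagging any suite with null authentication, null encryption or an MD5 MAC. The helper names and the two sample description lines are constructed for illustration.

```python
import ssl

# Cipher string proposed in the comment above.
PROPOSED = "HIGH:!aNULL:!eNULL:!SSLv2:!MD5"

# Constructed sample lines in OpenSSL's cipher description format,
# used only to exercise the classifier offline.
SAMPLE_MD5 = "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5"
SAMPLE_ANON = "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1"


def describe_fields(description):
    """Parse the Kx=/Au=/Enc=/Mac= tokens of an OpenSSL cipher description."""
    return dict(tok.split("=", 1) for tok in description.split() if "=" in tok)


def violations(description):
    """Return which of the excluded classes (aNULL, eNULL, MD5) a suite falls in."""
    fields = describe_fields(description)
    found = []
    if fields.get("Au") == "None":
        found.append("aNULL")   # no server authentication
    if fields.get("Enc", "").startswith("None"):
        found.append("eNULL")   # no encryption
    if fields.get("Mac") == "MD5":
        found.append("MD5")     # MD5-based message authentication
    return found


def audit(cipher_string):
    """Map each suite enabled by cipher_string to its list of violations."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: violations(c["description"]) for c in ctx.get_ciphers()}


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(PROPOSED)
    # Printed in preference order, so the position of ECDHE suites is visible.
    for cipher in ctx.get_ciphers():
        kx = describe_fields(cipher["description"]).get("Kx", "?")
        bad = violations(cipher["description"]) or "ok"
        print(f'{cipher["name"]:<34} Kx={kx:<6} {bad}')
```

On builds with TLS 1.3 support, the TLS 1.3 suites appear in the output regardless of the string passed to `set_ciphers()`, since that call only controls TLS 1.2 and earlier suites.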