[issue20995] Use Better Default Ciphers for the SSL Module
Donald Stufft
report at bugs.python.org
Fri Mar 21 00:10:48 CET 2014
Donald Stufft added the comment:
> I disagree. Python only provides an interface to OpenSSL, so the OpenSSL
> system defaults should be used.
Python is already changing the OpenSSL defaults; also, you're advocating that
Python should support 40-bit encryption that can be brute forced in a matter of
days.
> Maintaining system security is an easier and more scalable approach than
> trying to properly configure half a dozen sub-systems which happen to use
> OpenSSL as basis for their SSL configuration. By forcing a specific
> set of ciphers, we're breaking this approach.
Again, Python is already forcing a set of ciphers. I don't know what sort of
systems you use, but even RHEL 6.5 has *horrible* ciphers in the OpenSSL
default set. Things like DES (not 3DES, DES) and 40-bit RC4.
> By restricting the set of allowed ciphers you can also create the
> situation that Python in its default configuration cannot talk to
> certain web servers which use a different set of ciphers than the
> one you are proposing.
Of course, any restriction does that; that's not a reason to also allow aNULL
or eNULL by default just because somewhere someone out there might be running
a server that only speaks them. Secure, sane defaults and the ability to
override.
> We shouldn't do this in Python for the same reason we're not including
> a predefined set of CA root certificates with the distribution.
The difference here is that there are properly maintained alternatives to
Python including a predefined set of CA root certificates. This isn't the
case with OpenSSL. OpenSSL doesn't provide good defaults and I'm not aware of
a single OS which ships with OpenSSL that patches it to provide good defaults.
Python exposes this API; it's Python's job to properly secure it.
----------
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue20995>
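As an added illustration (not part of the thread or of CPython's ssl module), a small audit of the suites an SSLContext actually enables, checked against the objections raised above: anonymous (aNULL) and null-encryption (eNULL) suites, single DES, RC4, and anything below 128-bit strength. The HARDENED policy string and the SAMPLE_CIPHERS entries are this example's own assumptions; the entries are constructed to look like the dicts ssl.SSLContext.get_ciphers() returns on Python 3.6+.

```python
import re
import ssl

MIN_STRENGTH_BITS = 128                 # rejects 40-bit export suites and 56-bit DES
LEGACY_ENC_PREFIXES = ("DES(", "RC4(")  # Enc= values the thread calls out
# Assumed policy string: forward-secret AEAD suites, with aNULL/eNULL excluded explicitly.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5"

def _field(description, key):
    """Pull e.g. 'Au=RSA' -> 'RSA' out of an OpenSSL cipher description line."""
    m = re.search(rf"\b{re.escape(key)}=(\S+)", description)
    return m.group(1) if m else ""

def weak_reasons(cipher):
    """Reasons one get_ciphers() entry violates the policy ([] if it passes)."""
    desc, reasons = cipher["description"], []
    enc = _field(desc, "Enc")
    if _field(desc, "Au") == "None":          # ADH/AECDH: no server authentication
        reasons.append("aNULL: no server authentication")
    if enc == "None":                         # NULL-* suites: integrity only
        reasons.append("eNULL: no encryption")
    if enc.startswith(LEGACY_ENC_PREFIXES):
        reasons.append("legacy cipher " + enc)
    if cipher["strength_bits"] < MIN_STRENGTH_BITS:
        reasons.append("only %d-bit strength" % cipher["strength_bits"])
    return reasons

def audit(ciphers):
    """Map each offending cipher name to its reasons; {} means the list is clean."""
    result = {}
    for cipher in ciphers:
        reasons = weak_reasons(cipher)
        if reasons:
            result[cipher["name"]] = reasons
    return result

def hardened_context():
    """Client context restricted to HARDENED; audit it with audit(ctx.get_ciphers())."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(HARDENED)
    return ctx

# Constructed entries shaped like get_ciphers() output, not captured from any real system.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128, "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"},
    {"name": "ADH-AES256-SHA", "strength_bits": 256, "description": "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1"},
    {"name": "NULL-SHA256", "strength_bits": 0, "description": "NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256"},
    {"name": "DES-CBC-SHA", "strength_bits": 56, "description": "DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1"},
    {"name": "EXP-RC4-MD5", "strength_bits": 40, "description": "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export"},
]
```

Running audit() over a context built with ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) and no set_ciphers() call shows what the installed OpenSSL build would offer before Python's own restriction is applied.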