[Security-sig] Unified TLS API for Python

Wes Turner wes.turner at gmail.com
Fri Jan 13 01:32:26 EST 2017 

On Fri, Jan 13, 2017 at 12:09 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 13 January 2017 at 07:05, Wes Turner <wes.turner at gmail.com> wrote:
> > +1 for start simple and iterate;
> > but expecting a config object is not easy to add later.
>
> Yes, it is - all that is necessary is to add a "make_ssl_context"
> helper function that translates from the declarative configuration
> format (however defined) to the programmatic API and returns a
> configured context of the requested type.
>
> The appropriate time to define that lowest-common-denominator
> configuration format is *after* there is a working programmatic API
> that covers at least the 3 major implementations of interest (OpenSSL,
> SecureTransport, SChannel), and hopefully a few other implementations
> as well (e.g. NSS, BoringSSL).
>

So, rather than scattered throughout each implementation,
I think it would be wise to provide guidance regarding configuration
validation.

Enumerating the parameters into a common schema certainly will require
actual implementations to define a superset of common dict keys; which I
believe would be easier with a standard SSLConfig object.

Another reason I believe there should be a configuration object with a
.validate() method for centralized SSL configuration:

- Having one .validate() method (with as many necessary subvalidators)
provides a hook for security-conscious organizations to do SSL/TLS
configuration validation in one place. (Otherwise, this type of
configuration-validation must be frequently-re-implemented in an ad-hoc
way; which inopportunely admits errors)

   - Examples of SSL/TLS configuration validation criteria:
     -
https://en.wikipedia.org/wiki/FIPS_140-2#Cryptographic_Module_Validation_Program
     - https://mozilla.github.io/server-side-tls/ssl-config-generator/

   - "CIS Critical Security Controls"
https://www.cisecurity.org/critical-controls.cfm
     - CSC 3.[*]
     - Least-privilege dictates that this type of config is separate from
the code.py files

   - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" (2011 Top
25 #19)
      https://cwe.mitre.org/top25/#CWE-327
      https://cwe.mitre.org/data/definitions/327.html

      - ... "improper configuration" is basically this issue; so,
validation should be encouraged where possible.

Again, I think we should encourage validation of SSL/TLS configuration
settings;
and pointing to SSLConfig.validate() as the method to subclass makes that
very easy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170113/268bed7e/attachment.html>

More information about the Security-SIG mailing list