[Python-checkins] cpython (merge 3.4 -> default): Merge changes from 3.4 to bring in fixes for Issue #20995

donald.stufft python-checkins at python.org
Sat Mar 22 02:39:02 CET 2014 

http://hg.python.org/cpython/rev/60f696488c4f
changeset:   89911:60f696488c4f
parent:      89909:7761b3dff2e8
parent:      89910:e9749a7aa958
user:        Donald Stufft <donald at stufft.io>
date:        Fri Mar 21 21:38:50 2014 -0400
summary:
  Merge changes from 3.4 to bring in fixes for Issue #20995

files:
  Doc/library/ssl.rst |  15 +++---------
  Lib/ssl.py          |  37 ++++++++++++++++++++++++++------
  Misc/NEWS           |   6 +++++
  3 files changed, 40 insertions(+), 18 deletions(-)


diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1665,17 +1665,10 @@
 enabled when negotiating a SSL session is possible through the
 :meth:`SSLContext.set_ciphers` method.  Starting from Python 3.2.3, the
 ssl module disables certain weak ciphers by default, but you may want
-to further restrict the cipher choice.  For example::
-
-   context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-   context.set_ciphers('HIGH:!aNULL:!eNULL')
-
-The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers
-which don't provide both encryption and authentication.  Be sure to read
-OpenSSL's documentation about the `cipher list
-format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
-If you want to check which ciphers are enabled by a given cipher list,
-use the ``openssl ciphers`` command on your system.
+to further restrict the cipher choice. Be sure to read OpenSSL's documentation
+about the `cipher list format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
+If you want to check which ciphers are enabled by a given cipher list, use the
+``openssl ciphers`` command on your system.
 
 Multi-processing
 ^^^^^^^^^^^^^^^^
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -162,14 +162,37 @@
 
 # Disable weak or insecure ciphers by default
 # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
-_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+# Enable a better set of ciphers by default
+# This list has been explicitly chosen to:
+#   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+#   * Prefer ECDHE over DHE for better performance
+#   * Prefer any AES-GCM over any AES-CBC for better performance and security
+#   * Then Use HIGH cipher suites as a fallback
+#   * Then Use 3DES as fallback which is secure but slow
+#   * Finally use RC4 as a fallback which is problematic but needed for
+#     compatibility some times.
+#   * Disable NULL authentication, NULL encryption, and MD5 MACs for security
+#     reasons
+_DEFAULT_CIPHERS = (
+    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+    'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:'
+    'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5'
+)
 
-# restricted and more secure ciphers
-# HIGH: high encryption cipher suites with key length >= 128 bits (no MD5)
-# !aNULL: only authenticated cipher suites (no anonymous DH)
-# !RC4: no RC4 streaming cipher, RC4 is broken
-# !DSS: RSA is preferred over DSA
-_RESTRICTED_CIPHERS = 'HIGH:!aNULL:!RC4:!DSS'
+# Restricted and more secure ciphers
+# This list has been explicitly chosen to:
+#   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+#   * Prefer ECDHE over DHE for better performance
+#   * Prefer any AES-GCM over any AES-CBC for better performance and security
+#   * Then Use HIGH cipher suites as a fallback
+#   * Then Use 3DES as fallback which is secure but slow
+#   * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, and RC4 for
+#     security reasons
+_RESTRICTED_CIPHERS = (
+    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+    'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
+    '!eNULL:!MD5:!DSS:!RC4'
+)
 
 
 class CertificateError(ValueError):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -23,6 +23,9 @@
 Library
 -------
 
+- Issue #20995: Enhance default ciphers used by the ssl module to enable
+  better security an prioritize perfect forward secrecy.
+
 - Issue #20627: xmlrpc.client.ServerProxy is now a context manager.
 
 - Issue #19165: The formatter module now raises DeprecationWarning instead of
@@ -40,6 +43,9 @@
 
 - Issue #20574: Implement incremental decoder for cp65001 code (Windows code
   page 65001, Microsoft UTF-8).
+=======
+- Issue #20884: Don't assume that __file__ is defined on importlib.__init__.
+>>>>>>> other
 
 - Issue #20879: Delay the initialization of encoding and decoding tables for
   base32, ascii85 and base85 codecs in the base64 module, and delay the

-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list