[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2017-03-09 Thread Larry Hastings
Larry Hastings added the comment: I've accepted PR 224. I don't plan an emergency release of 3.4 to get this change out into the world. Unless there's any other business, we can now close this issue.
--
resolution: -> fixed
stage: commit review -> resolved
status: open -> closed

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2017-03-09 Thread STINNER Victor
Changes by STINNER Victor : -- priority: critical -> release blocker ___ Python tracker ___

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2017-02-21 Thread STINNER Victor
STINNER Victor added the comment: Larry: "I agree completely Jim. The problem is that OpenSSL regularly discovers face-meltingly bad security bugs, so it frequently pulls the "security exception" lever." We chose to maintain our own cipher list, and so we have to maintain it. I created a

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2017-02-21 Thread Christian Heimes
Christian Heimes added the comment: Victor found out that Python is considered as affected by CVE-2016-2183, https://www.cvedetails.com/cve/CVE-2016-2183/

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-26 Thread Christian Heimes
Changes by Christian Heimes:
--
assignee: christian.heimes ->
versions: -Python 2.7, Python 3.5, Python 3.6

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-22 Thread Christian Heimes
Christian Heimes added the comment: Larry, the issue has nothing to do with the TLS/SSL library or implementation. It's about cipher suite selection. All (!) SSL libraries are affected because they had 3DES enabled as legacy fallback. Fun fact: OpenSSL latest security fix has addressed the

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-15 Thread Christian Heimes
Changes by Christian Heimes:
--
assignee: -> christian.heimes
components: +SSL

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-08 Thread Larry Hastings
Larry Hastings added the comment: I agree completely Jim. The problem is that OpenSSL regularly discovers face-meltingly bad security bugs, so it frequently pulls the "security exception" lever. As with so many things in this life, we play the hand we're dealt. I have my fingers crossed

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-08 Thread Jim Jewett
Jim Jewett added the comment: In general, the rule is that micro versions (such as 3.4.4 to 3.4.5) should not make any changes that are not clearly bug fixes. If users would call the new API (or ABI) differently, it is almost certainly a change that should be reserved for a development release

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-08 Thread Christian Heimes
Christian Heimes added the comment: On 2016-09-08 09:28, Cory Benfield wrote:
>
> Cory Benfield added the comment:
>
> Thanks for your response Larry. I think it cleared up my understanding a bit,
> and I'm (extremely!) sympathetic to your desire to not get any closer to this
> problem than

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-08 Thread Cory Benfield
Cory Benfield added the comment: Thanks for your response Larry. I think it cleared up my understanding a bit, and I'm (extremely!) sympathetic to your desire to not get any closer to this problem than you have to. I think it may be worth, in future, defining what effort will be made to

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-07 Thread Larry Hastings
Larry Hastings added the comment:
> My reading of this is that for OpenSSL Python defines a range of
> compatible sonames at the time of the first release in a series (e.g.
> 3.4.0), and then will never extend that in either direction for that
> release series. Put another way: patches to extend

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-07 Thread Donald Stufft
Donald Stufft added the comment:
> Is switching to a different SSL library without OS vendor support any more
> reasonable than switching to a newer python without that same support?
There are OSs that ship with Python 3.4 and LibreSSL.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-07 Thread Jim Jewett
Jim Jewett added the comment: On Sep 6, 2016 10:55 PM, Donald Stufft added the comment:
> In the hypothetical case we don't backport ChaCha20 support and 3DES and AES constructs in TLS are no longer secure... what do you do? Do you just plug your fingers in your ears and hope nobody attacks

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-07 Thread Larry Hastings
Larry Hastings added the comment: Okay. We (Ned Deily + Steve Dower + me) talked it over here at the core dev sprints, and they convinced me that it's basically okay to add the CHACHA20 string to 3.4 and 3.5--it has some history, and OpenSSL is a little different, etc etc. So go for it. I

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-07 Thread Christian Heimes
Christian Heimes added the comment: On 2016-09-07 05:06, Larry Hastings wrote:
>
> Larry Hastings added the comment:
>
>> FWIW the cipher list (at least the restricted ones for
>> ssl.create_default_context()) is explicitly documented
>> as being able to be changed at any time without prior

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-07 Thread Cory Benfield
Cory Benfield added the comment:
> Future OpenSSLs don't affect Python 3.4, as Python 3.4 won't be upgraded to
> them.
Can I get a clarification on this, please, Larry? I just want to confirm I understand what your meaning is here. My reading of this is that for OpenSSL Python defines a

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Larry Hastings
Larry Hastings added the comment:
> FWIW the cipher list (at least the restricted ones for
> ssl.create_default_context()) is explicitly documented
> as being able to be changed at any time without prior deprecation
Yes. To be specific: "The protocol, options, cipher and other settings may

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Larry Hastings
Larry Hastings added the comment: Here at the core dev sprint we had a discussion about whether adding ChaCha20 into 3.5 was the right call. Strictly speaking, of course, it's neither a bug fix nor a security fix, so that suggests it shouldn't be permitted. However ultimately we concluded it

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Donald Stufft
Donald Stufft added the comment:
> > The difference between a security feature and a security fix
> > is incredibly hard to differentiate.
>
> I'm not buying this argument.
This touches on it http://web.mit.edu/tabbott/www/papers/hotos.pdf but I'm not sure how you don't see it... In the

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Larry Hastings
Larry Hastings added the comment:
> The difference between a security feature and a security fix
> is incredibly hard to differentiate.
I'm not buying this argument.
> For instance, with 3DES being de-recommended (and removed in future
> OpenSSLs) that leaves basically only AES-GCM and

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Donald Stufft
Donald Stufft added the comment: We should backport OpenSSL 1.1.0 too *shrug*.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Christian Heimes
Christian Heimes added the comment: Donald, my OpenSSL 1.1.0 patch hasn't landed in 3.3 and 3.4 either. It's a bit moot to discuss ChaCha20 w/o OpenSSL 1.1.0. Rich Salz doesn't want to include ChaCha20 suites in 1.0.2 upstream. You either have to patch and build OpenSSL yourself or use

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Donald Stufft
Donald Stufft added the comment:
> I don't think "remove de-recommended cypher" qualifies as a security fix for
> 3.3 or 3.4. Certainly you're not permitted to add ChaCha20 to 3.3 or 3.4
I think that this is a bad stance to take here. The difference between a security feature and a security

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Larry Hastings
Larry Hastings added the comment: I don't think "remove de-recommended cypher" qualifies as a security fix for 3.3 or 3.4. Certainly you're not permitted to add ChaCha20 to 3.3 or 3.4. IMO these changes should only be in 2.7 and 3.5+.
--
versions: -Python 3.3, Python 3.4

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Christian Heimes
Christian Heimes added the comment: Larry, Georg I haven't pushed the new cipher suite list to 3.3 and 3.4 yet. It can break compatibility with ancient IE versions on Windows XP machines. The risk of 3DES is small for a typical application.
--
nosy: +georg.brandl, larry

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Christian Heimes
Changes by Christian Heimes:
--
stage: -> commit review

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-09-06 Thread Roundup Robot
Roundup Robot added the comment:
New changeset d209fd77 by Christian Heimes in branch '3.5': Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. https://hg.python.org/cpython/rev/d209fd77
New changeset 6f4f19217d9b by Christian Heimes in branch

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-31 Thread Steve Dower
Steve Dower added the comment: Just found and added that :) Guessing one of the 'name' fields will show it? If so, looks like all the Windows builds will be missing it. I'm assuming that doesn't block this change. We should have a separate task to change the Windows build to use 1.1.0 I

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-31 Thread Christian Heimes
Christian Heimes added the comment: My time machine strikes again: #27866 introduces a new method to get all enabled ciphers. ChaCha20 needs either LibreSSL, OpenSSL 1.1.0 or OpenSSL 1.0.2 with an extra patch.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-31 Thread Steve Dower
Steve Dower added the comment: How can I test that the ciphers are available? Our Windows build of OpenSSL (managed by us) does not necessarily include everything and I honestly don't know an easy way to ensure that ChaCha20 has actually been built in. It doesn't look like there are any

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-26 Thread Jim Jewett
Jim Jewett added the comment: I think a python call is fine to require ... if they don't have the python source they should have a support contract. I assume the advice followed is intermediate, based on the earlier comment about xp and ie? On Aug 26, 2016 9:46 AM, "Christian Heimes"

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-26 Thread Christian Heimes
Christian Heimes added the comment: Patch for 3DES and ChaCha20 (#27766). For ChaCha the patch does not check CPU cap vector and just follows the advice from https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility -- keywords: +patch Added file:

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-25 Thread Christian Heimes
Christian Heimes added the comment: Jim, https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers
>>> ctx = ssl.create_default_context()
>>> ctx.set_ciphers('HIGH:+3DES:!MD5')
Please note that OpenSSL 1.1 will remove 3DES from default builds. You will have to build your own

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-25 Thread Donald Stufft
Donald Stufft added the comment: It's not a recompile but it's not a configuration file either, it's a Python level API you can call when you're creating a connection to specify what ciphers you want to allow for that connection.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-25 Thread Jim Jewett
Jim Jewett added the comment: What does overriding to put it back require? Does it require a re-compile, or can it be done via a config file? Taking it out of the default set sounds reasonable, but requiring a recompile for people who want to retain backwards compatibility strikes me as too

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-25 Thread Christian Heimes
Christian Heimes added the comment: Donald, !3DES de-selects all 3DES block ciphers suites.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Donald Stufft
Donald Stufft added the comment: Christian: But that doesn't help all of the existing releases of OpenSSL.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Christian Heimes
Christian Heimes added the comment: Donald: 3DES will be removed from HIGH with the next release: https://www.openssl.org/blog/blog/2016/08/24/sweet32/
> For 1.0.2 and 1.0.1, we removed the triple-DES ciphers from the “HIGH”
> keyword and put them into “MEDIUM.” Note that we did not remove

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Cory Benfield
Cory Benfield added the comment: As another data point, I just pushed a PR to remove HIGH from urllib3/requests for exactly this reason, and Twisted already doesn't use it.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Donald Stufft
Donald Stufft added the comment: Should we also remove HIGH from the cipher list? If I recall, at the time we added it under the assumption that we might get new, better ciphers automatically but 3DES is considered "HIGH", so we'll get it pulled in via that on older OpenSSLs.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Christian Heimes
Christian Heimes added the comment: I'm +1 for removal from server-side suite and +0.5 for removal from client-side suite. Unless somebody makes a compelling reason for keeping 3DES at all, let's get rid of it for good. Users are free to override the settings. It might make sense to include

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Cory Benfield
Cory Benfield added the comment: +1 from me, Requests, urllib3, and Twisted are all removing 3DES cipher suites from our default list.
--
nosy: +Lukasa

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Donald Stufft
Donald Stufft added the comment: +1 from me, as another data point, the PSF infrastructure (which serves things like hg.python.org that aren't behind Fastly) has had 3DES disabled since 2014 without any complaints that I've seen.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Alex Gaynor
Alex Gaynor added the comment: +1 from me, removing 3DES is a totally sane default, people who need IE8+XP compat can change the default.

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Hynek Schlawack
Hynek Schlawack added the comment: JFTR the main compatibility impact on the browser side is the loss of IE8 on WinXP whose last stable release is qua Wikipedia from “February 22, 2011; 5 years ago”.
--
nosy: +hynek

[issue27850] Remove 3DES from cipher list (sweet32 CVE-2016-2183)

2016-08-24 Thread Christian Heimes
New submission from Christian Heimes: Another attack with a catchy name and logo. This time 3DES is showing its age. 3DES should be removed from the list of server ciphers in ssl._RESTRICTED_SERVER_CIPHERS. For client ciphers we can leave it in for now. An attack requires dynamic code