Package: python3.10
Version: 3.10.9-1
Severity: wishlist
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: de...@kali.org

Hello Mathias (and other Python maintainers),

it would be nice if python3.10 (and future versions) could be built with --with-ssl-default-suites=openssl.

Starting with Python 3.10, with the default configuration ("--with-ssl-default-suites=python"), Python not only enforces its own cipher list but also requires TLS1.2 as a minimal protocol version.

This is certainly a sensible thing to do in the context of Python upstream where you don't know much about the rest of the environment but in the context of Debian, it makes sense to not duplicate such restrictions at all levels and leave that to the sane defaults that are regularly reviewed in the openssl source package itself (which currently sets OPENSSL_TLS_SECURITY_LEVEL=2).

This also means that it's possible for users to actually override the system wide defaults through changes to /etc/ssl/openssl.cnf and we are actually making this possible in Kali to reduce the security level and make it possible to access old insecure servers. However despite our changes, the Python applications are not able to use old TLS versions, due to the restrictions imposed by Python itself.

Credit goes to Adrian Vollmer who reported this to Kali here:
https://bugs.kali.org/view.php?id=8097

Let me know if you are open to this idea, and if you want a merge request.

Cheers,

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3.10 depends on:
ii  libpython3.10-stdlib  3.10.9-1
ii  media-types           8.0.0
ii  mime-support          3.66
ii  python3.10-minimal    3.10.9-1

python3.10 recommends no packages.

Versions of packages python3.10 suggests:
ii  binutils         2.39.50.20221208-5
ii  python3.10-doc   3.10.9-1
pn  python3.10-venv  <none>

-- no debconf information

-- 
Raphaël Hertzog
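
Added example, not part of the original report and not Debian's or Kali's code: a small diagnostic that shows which --with-ssl-default-suites mode the running interpreter was configured with and what a fresh client SSLContext allows before any application code changes it. The function names are made up for this example, and the comparison against OpenSSL's "DEFAULT" cipher string is only a hint, since openssl.cnf can also change the library default.

```python
import re
import ssl
import sysconfig


def suite_mode(config_args):
    """Extract the --with-ssl-default-suites value from a configure
    argument string. "python" is the documented default when absent."""
    m = re.search(r"--with-ssl-default-suites=([^'\"\s]+)", config_args or "")
    return m.group(1) if m else "python"


def cipher_names(ctx):
    """Names of the ciphers currently enabled on an SSLContext."""
    return [c["name"] for c in ctx.get_ciphers()]


def tls_defaults():
    """Report the out-of-the-box TLS floor and cipher list of this build."""
    # Untouched context: whatever the interpreter build and OpenSSL decided.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Reference context with the cipher list reset to OpenSSL's own default.
    ref = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ref.set_ciphers("DEFAULT")
    return {
        "build_mode": suite_mode(sysconfig.get_config_var("CONFIG_ARGS")),
        "openssl": ssl.OPENSSL_VERSION,
        # MINIMUM_SUPPORTED means no floor was set by Python or openssl.cnf.
        "minimum_version": ctx.minimum_version.name,
        "cipher_count": len(cipher_names(ctx)),
        # False suggests Python installed its own cipher list on the context.
        "ciphers_match_openssl_default": cipher_names(ctx) == cipher_names(ref),
    }


if __name__ == "__main__":
    for key, value in tls_defaults().items():
        print(f"{key}: {value}")
```

Running it before and after a change to /etc/ssl/openssl.cnf shows whether the system-wide setting reaches Python applications at all.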