naif <n...@globaleaks.org> added the comment:

We could also disable all the ciphers that use MD5 for authentication:

MD5 has been disabled for SSL use due to its weakness by:

- Firefox (All mozilla products now refuse any MD5 ciphers)
  https://www.thesslstore.com/blog/index.php/firefox-to-stop-supporting-md5-based-ssl/
- Duraconf by Jacob Appelbaum (Tor Project)
  https://github.com/ioerror/duraconf

"HIGH:!aNULL:!eNULL:!SSLv2:!MD5" would do the magic, so we update the default to a modern, yet compatible set of SSL ciphers supported.

I don't want in any case to break compatibilities, but by default a software should not support vulnerable, weak ciphers and this seems a good compromise.

Then the last fine tuning would be to have the right preferred order of ciphers to always prefer ECDHE (if available).

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13636>
_______________________________________
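Added example, not part of the original message or of CPython: a check that expands the cipher string quoted above against the local OpenSSL build and reports any enabled suite that still uses an MD5 MAC, no authentication, or no encryption. The function names and the sample description lines are constructed for illustration; the lines follow the `openssl ciphers -v` field layout.

```python
import ssl

PROPOSED = "HIGH:!aNULL:!eNULL:!SSLv2:!MD5"  # cipher string quoted in the comment

# Constructed sample lines in the `openssl ciphers -v` layout (not captured output).
SAMPLE_LINES = [
    "NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5",
    "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1",
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
]

def fields(description):
    """Split an OpenSSL cipher description into its Kx/Au/Enc/Mac fields."""
    return dict(tok.split("=", 1) for tok in description.split() if "=" in tok)

def classify(description):
    """Return the policy violations found in one cipher description line."""
    f = fields(description)
    problems = []
    if f.get("Mac") == "MD5":
        problems.append("MD5 MAC")
    if f.get("Au") == "None":
        problems.append("no authentication (aNULL)")
    if f.get("Enc") == "None":
        problems.append("no encryption (eNULL)")
    return problems

def enabled_suites(cipher_string):
    """Expand a cipher string against the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def audit(cipher_string):
    """Map suite name -> violations for every enabled suite that has any."""
    found = ((s["name"], classify(s["description"])) for s in enabled_suites(cipher_string))
    return {name: problems for name, problems in found if problems}

def first_legacy_kx(cipher_string):
    """Key exchange of the most-preferred suite below TLS 1.3, e.g. 'ECDH'."""
    for suite in enabled_suites(cipher_string):
        if suite["protocol"] != "TLSv1.3":
            return fields(suite["description"]).get("Kx")
    return None

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split()[0], classify(line))
    print("violations under proposed string:", audit(PROPOSED))
    print("preferred pre-TLS1.3 key exchange:", first_legacy_kx(PROPOSED))
```

TLS 1.3 suites are configured separately from this string in OpenSSL, so they appear in the expansion regardless of it; none of them use MD5.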