Donald Stufft added the comment:

> I disagree. Python only provides an interface to OpenSSL, so the OpenSSL
> system defaults should be used.

Python is already changing the OpenSSL defaults, also you're advocating that Python should support 40-bit encryption that can be brute forced in a matter of days.

> Maintaining system security is an easier and more scalable approach than
> trying to properly configure half a dozen sub-systems which happen to use
> OpenSSL as basis for their SSL configuration. By forcing a specific
> set of ciphers, we're breaking this approach.

Again, Python is already forcing a set of ciphers. I don't know what sort of systems you use, but even RHEL 6.5 has *horrible* ciphers in the OpenSSL default set. Things like DES (not 3DES, DES) and 40-bit RC4.

> By restricting the set of allowed ciphers you can also create the
> situation that Python in its default configuration cannot talk to
> certain web servers which use a different set of ciphers than the
> one you are proposing.

Of course, any restriction does that; that's no reason to also allow aNULL or eNULL by default just because somewhere someone out there might be running a server that only speaks them. Secure, sane defaults and the ability to override.

> We shouldn't do this in Python for the same reason we're not including
> a predefined set of CA root certificates with the distribution.

The difference here is that there are properly maintained alternatives to Python including a predefined set of CA root certificates. This isn't the case with OpenSSL. OpenSSL doesn't provide good defaults and I'm not aware of a single OS which ships with OpenSSL that patches it to provide good defaults. Python exposes this API; it's Python's job to properly secure it.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20995>
_______________________________________
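An added example, not code from the issue thread, from Donald Stufft, or from CPython's ssl module: it applies an explicit cipher string to an `ssl.SSLContext` (the kind of override the thread says Python already performs instead of taking OpenSSL's library defaults) and then audits the enabled suite list for the cipher classes the thread objects to (single DES, export-grade RC4, eNULL and aNULL). The `WEAK_MARKERS` tuple, the cipher string in `hardened_client_context` and the `SAMPLE_SUITES` list are constructed for this example; the behaviour shown depends on the OpenSSL build Python is linked against.

```python
import ssl

# Substrings in OpenSSL cipher-suite names that mark the suite classes the
# thread objects to: single DES, export (40-bit) RC4, NULL encryption (eNULL)
# and anonymous DH/ECDH key exchange (aNULL), plus MD5-based MACs.
# "DES" also catches 3DES names such as DES-CBC3-SHA, which is intended.
# Constructed list for this example, not an OpenSSL API.
WEAK_MARKERS = ("DES", "RC4", "NULL", "EXP", "ADH", "AECDH", "MD5")


def weak_names(cipher_names):
    """Return the cipher-suite names that contain any weak marker."""
    return [n for n in cipher_names if any(m in n for m in WEAK_MARKERS)]


def hardened_client_context():
    """Client context with an explicit cipher string instead of the OpenSSL default."""
    # PROTOCOL_TLS_CLIENT enables certificate verification and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Override the library default: strong suites only, and explicitly exclude
    # the classes named in the thread (aNULL, eNULL, DES, RC4).
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    return ctx


def audit_context(ctx):
    """Names of suites enabled in ctx that trip a weak marker (empty means clean)."""
    return weak_names(c["name"] for c in ctx.get_ciphers())


# Constructed sample of suite names as OpenSSL prints them, mixing the suites
# the thread complains about with modern ones.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "DES-CBC-SHA",      # single DES
    "EXP-RC4-MD5",      # 40-bit export RC4
    "NULL-SHA",         # eNULL: no encryption at all
    "ADH-AES128-SHA",   # aNULL: anonymous DH, no server authentication
]

if __name__ == "__main__":
    print("weak suites in sample:", weak_names(SAMPLE_SUITES))
    ctx = hardened_client_context()
    print("suites enabled by the hardened context:", len(ctx.get_ciphers()))
    print("weak suites in hardened context:", audit_context(ctx))
```

`ssl.SSLContext.get_ciphers()` (Python 3.6+) reports exactly what the linked OpenSSL will offer, so `audit_context` is a cheap check to run in a test suite against whatever context an application actually builds, rather than trusting that the library or distribution default excludes the suites the thread names.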