[issue20995] Use Better Default Ciphers for the SSL Module
Mark Kubacki added the comment:

The cipher strings rely too much on AES for my taste. Imagine that ChaCha20Poly1305 or any other strong cipher suite is introduced to OpenSSL in the future. Enabling using general terms, and demoting using narrow ones, seems IMHO a better approach. For example:

ECDH+HIGH:DH+HIGH:!aNULL:!MD5:!RC4:-3DES:HIGH

--
nosy: +markk

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue20995
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
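Worked example, added here and not part of the thread or of CPython: the cipher string from the post is handed to the ssl module so the linked OpenSSL expands it, and the result is checked for the suite families the `!` terms are meant to rule out. The AES-only comparison string `NARROW_STRING`, the marker list and the helper names are assumptions made for this example; only `BROAD_STRING` comes from the post.

```python
import ssl

# The cipher string proposed in the post above.
BROAD_STRING = "ECDH+HIGH:DH+HIGH:!aNULL:!MD5:!RC4:-3DES:HIGH"

# A narrow, AES-only string of the kind the post argues against
# (constructed for comparison; not from the thread).
NARROW_STRING = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"

# Name fragments the "!" terms above are meant to keep out of the list:
# anonymous key exchange (ADH/AECDH), MD5 MACs and RC4.
FORBIDDEN_MARKERS = ("ADH", "AECDH", "MD5", "RC4")


def resolve_cipher_string(cipher_string):
    """Return the suite names the linked OpenSSL expands cipher_string to,
    in OpenSSL's own preference order.  Raises ssl.SSLError when the
    string selects nothing ("No cipher can be selected")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists TLS 1.3 suites on OpenSSL >= 1.1.1; those
    # are configured separately and are not affected by set_ciphers().
    return [c["name"] for c in ctx.get_ciphers()]


def violations(names, markers=FORBIDDEN_MARKERS):
    """Suite names containing a forbidden marker; an empty list means the
    exclusions held on this build."""
    return [n for n in names if any(m in n for m in markers)]


def string_is_selectable(cipher_string):
    """True if OpenSSL can select at least one TLS <= 1.2 suite."""
    try:
        resolve_cipher_string(cipher_string)
    except ssl.SSLError:
        return False
    return True


def suites_gained_by_broad_terms(narrow=NARROW_STRING, broad=BROAD_STRING):
    """Suites the broad string enables that the narrow one does not.  On a
    build that ships ChaCha20-Poly1305 these include the ECDHE-*-CHACHA20-
    POLY1305 suites, without anyone having edited the string."""
    narrow_names = set(resolve_cipher_string(narrow))
    return [n for n in resolve_cipher_string(broad) if n not in narrow_names]


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    names = resolve_cipher_string(BROAD_STRING)
    for name in names:
        print(" ", name)
    print("violations:", violations(names))
    print("gained over the AES-only string:", suites_gained_by_broad_terms())
```

One caveat worth knowing before copying the string: `-3DES` only deletes from the list built so far, and the trailing `HIGH` re-adds every HIGH suite, so on OpenSSL releases that still rate 3DES as HIGH (1.0.x; 1.1.0 moved it to MEDIUM) the 3DES suites come back. `!3DES` is the form that excludes permanently.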
[issue20995] Use Better Default Ciphers for the SSL Module
Mark Kubacki added the comment:

Thanks for the detailed insight, Donald! And I certainly love the progress these changes bring. :-)

Perhaps limiting the scope to ChaCha20Poly1305 (»CCP«) was the wrong approach for explaining my concerns: we should not refer to any particular cipher in those lists, and thereby avoid having to revisit the defaults at any point in the future.

0. Properties of any cipher to come are known to the makers of OpenSSL first.
1. Python shouldn't duplicate the work of ordering ciphers, which is already done by OpenSSL.
2. … especially because it is unknown which ciphers a user's OpenSSL actually implements (Is EC present? CCP? HC-256 or HC-128? WIERZA? Rabbit? NTRU…) or will implement in the future.
3. Whether a cipher is regarded as more secure than another depends on its implementation, too. The implementors are better judges of that, and hence ordering should be done by them and could vary between versions [e.g., of OpenSSL].
4. Given our experiences with Python 2.7, I'd like to argue that there is reluctance to upgrade existing installations and their cipher suite strings. ;-) But we know from experience with already established ciphers if and when to demote them.

That said, I don't insist on any changes.

--

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue20995
[issue5639] Support TLS SNI extension in ssl module
Changes by Mark Kubacki <wm...@hurrikane.de>:

Removed file: http://bugs.python.org/file30757/python-2.7.5-tlssni.patch

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue5639
[issue5639] Support TLS SNI extension in ssl module
Changes by Mark Kubacki <wm...@hurrikane.de>:

Added file: http://bugs.python.org/file30778/python-2.7.5-tlssni.patch

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue5639
[issue5639] Support TLS SNI extension in ssl module
Changes by Mark Kubacki <wm...@hurrikane.de>:

Removed file: http://bugs.python.org/file30778/python-2.7.5-tlssni.patch

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue5639
[issue5639] Support TLS SNI extension in ssl module
Changes by Mark Kubacki <wm...@hurrikane.de>:

Added file: http://bugs.python.org/file30779/python-2.7.5-tlssni.patch

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue5639
[issue5639] Support TLS SNI extension in ssl module
Changes by Mark Kubacki <wm...@hurrikane.de>:

Added file: http://bugs.python.org/file30757/python-2.7.5-tlssni.patch

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue5639
[issue5639] Support TLS SNI extension in ssl module
Mark Kubacki added the comment:

Python 2.7 is still used in production. Given the scarcity of IPv4 addresses — and with CDNs (think: Amazon, Akamai, EdgeCast…) starting to offer HTTP+SSL — the need for SNI arises in order to avoid pitfalls such as shared certificates.

The lack of ubiquitous support for TLS SNI could cause delays in HTTPS-everywhere deployments. Therefore, in the light of the latest revelations about mass surveillance, I'd even like to argue that this is a matter of security and privacy.

--
nosy: +markk

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue5639
[issue5639] Support TLS SNI extension in ssl module
Mark Kubacki added the comment:

Antoine, thank you for the heads-up. As long as I've reminded distribution maintainers of this issue, and this or a similar patch (always send a server_hostname with TLS if one is missing) gets integrated (please do!), I've accomplished my goal.

BTW, today I encountered a similar certificate. Semper aliquid haeret:

subjectAltName=DNS:cdn.cloudtop.org,DNS:barely-legal-spam.com,DNS:*.banging-ham.com,DNS:jimmyforcongress2014.com

;-)

--

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue5639
[issue16113] Add SHA-3 (Keccak) support
Changes by Mark Kubacki <wm...@hurrikane.de>:

--
nosy: +markk

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue16113
[issue16692] Support TLS 1.1 and TLS 1.2
Mark Kubacki added the comment:

Raw backport for Python 2.7. »Raw« as in: some options are in _ssl only. (_ssl.{err_names_to_codes,err_codes_to_names,lib_codes_to_names,…})

--
nosy: +markk
Added file: http://bugs.python.org/file30761/python-2.7.5-tls1.1-and-tls1.2.patch

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue16692