[issue21013] server-specific SSL context configuration

2015-04-13 Thread Antoine Pitrou
Changes by Antoine Pitrou : -- resolution: -> fixed stage: -> resolved status: open -> closed ___ Python tracker ___ ___ Python-bugs

[issue21013] server-specific SSL context configuration

2014-03-23 Thread Roundup Robot
Roundup Robot added the comment: New changeset aa2eb034c4f7 by Donald Stufft in branch 'default': Merge the patch for issue #21013 into default http://hg.python.org/cpython/rev/aa2eb034c4f7 -- ___ Python tracker __

[issue21013] server-specific SSL context configuration

2014-03-23 Thread Roundup Robot
Roundup Robot added the comment: New changeset 92efd86d1a38 by Donald Stufft in branch '3.4': Issue #21013: Enhance ssl.create_default_context() for server side contexts http://hg.python.org/cpython/rev/92efd86d1a38 -- nosy: +python-dev ___ Python tra

[issue21013] server-specific SSL context configuration

2014-03-23 Thread Donald Stufft
Donald Stufft added the comment: Added guards to protect against constants not existing. -- Added file: http://bugs.python.org/file34590/ssl-context-defaults-ssl3-guards.diff ___ Python tracker ___

[issue21013] server-specific SSL context configuration

2014-03-23 Thread Donald Stufft
Donald Stufft added the comment: I think I'm happy with this patch, if anyone has a chance to review it and see if it looks OK I'd love that and then I can commit it :) -- ___ Python tracker __

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment: Attached is a new patch. It has: * Switches the protocol to SSLv23 so that we can negotiate a TLS1.1 or TLS1.2 connection. * Sets OP_CIPHER_SERVER_PREFERENCE for Purpose.CLIENT_AUTH so that our carefully selected cipher priority gives us better encryption and P

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: Well, I suppose IE6/XP is starting to look very old (though probably deployed quite widely), and TLS 1.0 was standardized in 1999. -- ___ Python tracker __

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: (by which I mean: ok, let's disable SSLv3) -- ___ Python tracker ___ ___ Python-bugs-list mailing li

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment: To be clear though, a lot of TLS servers out there still have SSL3.0 enabled by default, primarily because of IE6 / XP. I'm on the fence about what the right answer is for create_default_context. From a strictly "best practices for security" sense of view you w

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment: That's not entirely true unfortunately :( There are downgrade attacks that work all the way up through TLS 1.2. These are not strictly a problem of the protocol specs but instead of the implementations. See: https://crypto.stackexchange.com/questions/10493/why

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Alex Gaynor
Alex Gaynor added the comment: Unfortunately most TLS implementations (particularly those in browser stacks) are vulnerable to downgrade attacks, whereby an attacker can send some malicious packets to simulate a connection failure and cause a lower version of the protocol to be negotiated, ht

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: > We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's > sort of a situational thing. If you're doing something where you need > SSL3 clients you don't want OP_NO_SSLv3. > > So I guess the question is, do we want to be more secure by default >

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment: I'll do that :) To be clear about this patch, it raises the upper bounds of security by enabling TLS 1.1, and 1.2 as well as the single use for (EC)DH and preferring the server ciphers. However it also lowers the lower bounds of security and includes SSLv3 whi

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: (as an aside, Donald, perhaps you want to consider adding yourself to relevant topics in http://docs.python.org/devguide/experts.html ) -- ___ Python tracker _

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Alex Gaynor
Changes by Alex Gaynor : -- nosy: +alex ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org

[issue21013] server-specific SSL context configuration

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment: Attached is a patch that: * Switches the protocol to SSLv23 so that we can negotiate a TLS1.1 or TLS1.2 connection. * Sets OP_CIPHER_SERVER_PREFERENCE for Purpose.CLIENT_AUTH so that our carefully selected cipher priority gives us better encryption and PFS * Se

[issue21013] server-specific SSL context configuration

2014-03-21 Thread Donald Stufft
Donald Stufft added the comment: Nah it should be fine to enable that, and it's preferable to do so. The server selects the cipher anyways in the TLS handshake. That just tells the server to prefer it's list for precedence and not the client list. -- __

[issue21013] server-specific SSL context configuration

2014-03-21 Thread Antoine Pitrou
Antoine Pitrou added the comment: (also perhaps enable OP_CIPHER_SERVER_PREFERENCE, although it seems it could cause interoperability problems with some clients) -- ___ Python tracker _

[issue21013] server-specific SSL context configuration

2014-03-21 Thread Antoine Pitrou
New submission from Antoine Pitrou: Currently, create_default_context() doesn't do anything special for server use. It seems the configuration could be improved, though: - PROTOCOL_TLSv1 is suboptimal for servers: a "TLSv1" server can't accept a TLSv1.2 client, but a "SSLv23" server will; so w