https://github.com/python/cpython
Revision e983252b516edb15d4338b0a47631b59ef1e2536 authored by Christian Heimes on 01 May 2021, 18:53:10 UTC, committed by GitHub on 01 May 2021, 18:53:10 UTC
The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. :class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack's research.

```
$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
```

Signed-off-by: Christian Heimes <christian@python.org>
1 parent 50c21ad
Tip revision: e983252b516edb15d4338b0a47631b59ef1e2536 authored by Christian Heimes on 01 May 2021, 18:53:10 UTC
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
File | Mode | Size |
---|---|---|
cpython | ||
internal | ||
Python.h | -rw-r--r-- | 3.3 KB |
README.rst | -rw-r--r-- | 2.2 KB |
abstract.h | -rw-r--r-- | 28.6 KB |
bltinmodule.h | -rw-r--r-- | 264 bytes |
boolobject.h | -rw-r--r-- | 1.2 KB |
bytearrayobject.h | -rw-r--r-- | 1.4 KB |
bytesobject.h | -rw-r--r-- | 2.5 KB |
cellobject.h | -rw-r--r-- | 720 bytes |
ceval.h | -rw-r--r-- | 5.6 KB |
classobject.h | -rw-r--r-- | 1.6 KB |
code.h | -rw-r--r-- | 318 bytes |
codecs.h | -rw-r--r-- | 6.9 KB |
compile.h | -rw-r--r-- | 520 bytes |
complexobject.h | -rw-r--r-- | 1.8 KB |
context.h | -rw-r--r-- | 1.9 KB |
datetime.h | -rw-r--r-- | 9.4 KB |
descrobject.h | -rw-r--r-- | 2.9 KB |
dictobject.h | -rw-r--r-- | 3.8 KB |
dynamic_annotations.h | -rw-r--r-- | 21.9 KB |
enumobject.h | -rw-r--r-- | 253 bytes |
errcode.h | -rw-r--r-- | 1.5 KB |
eval.h | -rw-r--r-- | 831 bytes |
exports.h | -rw-r--r-- | 1.1 KB |
fileobject.h | -rw-r--r-- | 1.5 KB |
fileutils.h | -rw-r--r-- | 508 bytes |
floatobject.h | -rw-r--r-- | 4.3 KB |
frameobject.h | -rw-r--r-- | 337 bytes |
funcobject.h | -rw-r--r-- | 4.2 KB |
genericaliasobject.h | -rw-r--r-- | 334 bytes |
genobject.h | -rw-r--r-- | 3.3 KB |
import.h | -rw-r--r-- | 3.0 KB |
interpreteridobject.h | -rw-r--r-- | 334 bytes |
intrcheck.h | -rw-r--r-- | 772 bytes |
iterobject.h | -rw-r--r-- | 593 bytes |
listobject.h | -rw-r--r-- | 1.7 KB |
longintrepr.h | -rw-r--r-- | 3.7 KB |
longobject.h | -rw-r--r-- | 8.4 KB |
marshal.h | -rw-r--r-- | 803 bytes |
memoryobject.h | -rw-r--r-- | 2.7 KB |
methodobject.h | -rw-r--r-- | 4.0 KB |
modsupport.h | -rw-r--r-- | 10.1 KB |
moduleobject.h | -rw-r--r-- | 2.4 KB |
namespaceobject.h | -rw-r--r-- | 349 bytes |
object.h | -rw-r--r-- | 27.5 KB |
objimpl.h | -rw-r--r-- | 8.2 KB |
opcode.h | -rw-r--r-- | 5.3 KB |
osdefs.h | -rw-r--r-- | 737 bytes |
osmodule.h | -rw-r--r-- | 291 bytes |
patchlevel.h | -rw-r--r-- | 1.3 KB |
py_curses.h | -rw-r--r-- | 2.4 KB |
pycapsule.h | -rw-r--r-- | 1.7 KB |
pydtrace.d | -rw-r--r-- | 1008 bytes |
pydtrace.h | -rw-r--r-- | 2.4 KB |
pyerrors.h | -rw-r--r-- | 12.1 KB |
pyexpat.h | -rw-r--r-- | 2.4 KB |
pyframe.h | -rw-r--r-- | 466 bytes |
pyhash.h | -rw-r--r-- | 4.1 KB |
pylifecycle.h | -rw-r--r-- | 2.1 KB |
pymacconfig.h | -rw-r--r-- | 2.9 KB |
pymacro.h | -rw-r--r-- | 4.8 KB |
pymath.h | -rw-r--r-- | 8.1 KB |
pymem.h | -rw-r--r-- | 3.8 KB |
pyport.h | -rw-r--r-- | 30.9 KB |
pystate.h | -rw-r--r-- | 5.1 KB |
pystrcmp.h | -rw-r--r-- | 436 bytes |
pystrhex.h | -rw-r--r-- | 849 bytes |
pystrtod.h | -rw-r--r-- | 1.4 KB |
pythonrun.h | -rw-r--r-- | 1.1 KB |
pythread.h | -rw-r--r-- | 5.8 KB |
rangeobject.h | -rw-r--r-- | 628 bytes |
setobject.h | -rw-r--r-- | 3.3 KB |
sliceobject.h | -rw-r--r-- | 2.5 KB |
structmember.h | -rw-r--r-- | 2.0 KB |
structseq.h | -rw-r--r-- | 1.5 KB |
sysmodule.h | -rw-r--r-- | 1.2 KB |
token.h | -rw-r--r-- | 2.6 KB |
traceback.h | -rw-r--r-- | 584 bytes |
tracemalloc.h | -rw-r--r-- | 1.1 KB |
tupleobject.h | -rw-r--r-- | 1.6 KB |
typeslots.h | -rw-r--r-- | 2.4 KB |
unicodeobject.h | -rw-r--r-- | 35.3 KB |
warnings.h | -rw-r--r-- | 1.7 KB |
weakrefobject.h | -rw-r--r-- | 2.8 KB |