https://github.com/python/cpython
Revision e983252b516edb15d4338b0a47631b59ef1e2536 authored by Christian Heimes on 01 May 2021, 18:53:10 UTC, committed by GitHub on 01 May 2021, 18:53:10 UTC
The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. :class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack's research.

```
$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
```

Signed-off-by: Christian Heimes <christian@python.org>
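The defaults the commit message describes, applied explicitly to an `ssl.SSLContext` and then audited, as an added example that is not part of this CPython change or of the commit itself. It assumes a CPython built against OpenSSL 1.1.0 or later (needed for `@SECLEVEL` in cipher strings and for `SSLContext.minimum_version`) and relies on the `kea`, `auth`, `digest` and `aead` keys that `SSLContext.get_ciphers()` reports on such builds; `make_hardened_context`, `audit_ciphers` and `context_is_compliant` are helper names chosen here. The cipher string is the one quoted in the commit message.

```python
import ssl

# Cipher string from the commit message above. The leading @SECLEVEL=2 makes
# OpenSSL refuse RSA/DH/ECC keys and DH parameters below 112 bits of security.
PY_SSL_DEFAULT_CIPHER_STRING = (
    "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES"
    ":!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
)

# Labels as reported by SSLContext.get_ciphers() on OpenSSL 1.1+ builds.
# TLS 1.3 suites report "kx-any"/"auth-any" because the handshake, not the
# suite, fixes key exchange and authentication there.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}
ACCEPTED_AUTH = {"auth-rsa", "auth-ecdsa", "auth-any"}


def make_hardened_context(protocol=ssl.PROTOCOL_TLS_CLIENT):
    """Build a context with the settings this commit makes the default.

    Everything is set explicitly, so the result is the same on an interpreter
    older than this change, where SSLContext() still allowed TLS 1.0/1.1 and
    SHA-1 MAC or non-forward-secret suites.
    """
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PY_SSL_DEFAULT_CIPHER_STRING)
    return ctx


def audit_ciphers(ciphers):
    """Return [(cipher_name, reason), ...] for suites that break the policy.

    `ciphers` is an iterable of dicts shaped like SSLContext.get_ciphers()
    output, so the policy can be checked against a live context or against
    a constructed list.
    """
    findings = []
    for c in ciphers:
        name = c["name"]
        if c["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append((name, "negotiable below TLS 1.2 (%s)" % c["protocol"]))
        kea = c.get("kea")
        if kea is not None and kea not in FORWARD_SECRET_KX:
            findings.append((name, "no forward secrecy (%s)" % kea))
        auth = c.get("auth")
        if auth is not None and auth not in ACCEPTED_AUTH:
            findings.append((name, "unwanted authentication (%s)" % auth))
        digest = c.get("digest")
        # AEAD suites carry no separate MAC; only legacy CBC suites can use SHA-1.
        if not c.get("aead") and digest and digest.lower() == "sha1":
            findings.append((name, "SHA-1 MAC"))
    return findings


def context_is_compliant(ctx):
    """True when the context pins TLS >= 1.2 and every enabled suite passes."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not audit_ciphers(ctx.get_ciphers()))


if __name__ == "__main__":
    hardened = make_hardened_context()
    print("hardened context compliant:", context_is_compliant(hardened))
    for c in hardened.get_ciphers():
        print("  %-32s %s" % (c["name"], c["protocol"]))

    # Comparison: a permissive context with everything the OpenSSL build offers.
    permissive = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    permissive.set_ciphers("ALL:@SECLEVEL=0")
    for name, reason in audit_ciphers(permissive.get_ciphers()):
        print("  permissive context: %s: %s" % (name, reason))
```

`set_ciphers` only filters what the linked OpenSSL was built with, so the audit is worth running on the target interpreter rather than assuming the list in the commit message: a distribution policy (or a FIPS build) can shrink or reorder the enabled suites without any change to the Python code.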
1 parent 50c21ad
Tip revision: e983252b516edb15d4338b0a47631b59ef1e2536 authored by Christian Heimes on 01 May 2021, 18:53:10 UTC
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
File | Mode | Size |
---|---|---|
.azure-pipelines | ||
.github | ||
Doc | ||
Grammar | ||
Include | ||
Lib | ||
Mac | ||
Misc | ||
Modules | ||
Objects | ||
PC | ||
PCbuild | ||
Parser | ||
Programs | ||
Python | ||
Tools | ||
.gitattributes | -rw-r--r-- | 2.0 KB |
.gitignore | -rw-r--r-- | 1.8 KB |
.travis.yml | -rw-r--r-- | 6.5 KB |
CODE_OF_CONDUCT.md | -rw-r--r-- | 630 bytes |
LICENSE | -rw-r--r-- | 13.6 KB |
Makefile.pre.in | -rw-r--r-- | 70.3 KB |
README.rst | -rw-r--r-- | 9.8 KB |
aclocal.m4 | -rw-r--r-- | 22.3 KB |
config.guess | -rwxr-xr-x | 43.1 KB |
config.sub | -rwxr-xr-x | 35.4 KB |
configure | -rwxr-xr-x | 508.8 KB |
configure.ac | -rw-r--r-- | 173.3 KB |
install-sh | -rwxr-xr-x | 15.0 KB |
netlify.toml | -rw-r--r-- | 82 bytes |
pyconfig.h.in | -rw-r--r-- | 45.2 KB |
setup.py | -rw-r--r-- | 112.8 KB |