Skip to main content

Browse the archive

https://github.com/python/cpython
07 April 2024, 05:56:27 UTC
Revision e983252b516edb15d4338b0a47631b59ef1e2536 authored by Christian Heimes on 01 May 2021, 18:53:10 UTC, committed by GitHub on 01 May 2021, 18:53:10 UTC 
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
 
The ssl module now has more secure default settings. Ciphers without forward
secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
weak RSA, DH, and ECC keys with less than 112 bits of security.
:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
Settings are based on Hynek Schlawack's research.

```
$ openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
```

Signed-off-by: Christian Heimes <christian@python.org>
1 parent 50c21ad
History
Tip revision: e983252b516edb15d4338b0a47631b59ef1e2536 authored by Christian Heimes on 01 May 2021, 18:53:10 UTC
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
Tip revision: e983252
File Mode Size
.azure-pipelines
.github
Doc
Grammar
Include
Lib
Mac
Misc
Modules
Objects
PC
PCbuild
Parser
Programs
Python
Tools
.gitattributes -rw-r--r-- 2.0 KB
.gitignore -rw-r--r-- 1.8 KB
.travis.yml -rw-r--r-- 6.5 KB
CODE_OF_CONDUCT.md -rw-r--r-- 630 bytes
LICENSE -rw-r--r-- 13.6 KB
Makefile.pre.in -rw-r--r-- 70.3 KB
README.rst -rw-r--r-- 9.8 KB
aclocal.m4 -rw-r--r-- 22.3 KB
config.guess -rwxr-xr-x 43.1 KB
config.sub -rwxr-xr-x 35.4 KB
configure -rwxr-xr-x 508.8 KB
configure.ac -rw-r--r-- 173.3 KB
install-sh -rwxr-xr-x 15.0 KB
netlify.toml -rw-r--r-- 82 bytes
pyconfig.h.in -rw-r--r-- 45.2 KB
setup.py -rw-r--r-- 112.8 KB

README.rst

back to top