Skip to content

C
cpython
Commit 71b4192e authored by Donald Stufft's avatar Donald Stufft
Browse files
Options

Merge changes from 3.4 to bring in fixes for Issue #20995

parents 068281ad 79ccaa2c
Hide whitespace changes
Inline Side-by-side
Showing with 41 additions and 19 deletions
Doc/library/ssl.rst
View file @ 71b4192e
...@@ -1665,17 +1665,10 @@ If you have advanced security requirements, fine-tuning of the ciphers ...@@ -1665,17 +1665,10 @@ If you have advanced security requirements, fine-tuning of the ciphers
enabled when negotiating a SSL session is possible through the enabled when negotiating a SSL session is possible through the
:meth:`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the :meth:`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the
ssl module disables certain weak ciphers by default, but you may want ssl module disables certain weak ciphers by default, but you may want
to further restrict the cipher choice. For example:: to further restrict the cipher choice. Be sure to read OpenSSL's documentation
about the `cipher list format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) If you want to check which ciphers are enabled by a given cipher list, use the
context.set_ciphers('HIGH:!aNULL:!eNULL') ``openssl ciphers`` command on your system.
The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers
which don't provide both encryption and authentication. Be sure to read
OpenSSL's documentation about the `cipher list
format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
If you want to check which ciphers are enabled by a given cipher list,
use the ``openssl ciphers`` command on your system.
Multi-processing Multi-processing
^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
......
Lib/ssl.py
View file @ 71b4192e
...@@ -162,14 +162,37 @@ else: ...@@ -162,14 +162,37 @@ else:
# Disable weak or insecure ciphers by default # Disable weak or insecure ciphers by default
# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL') # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2' # Enable a better set of ciphers by default
# This list has been explicitly chosen to:
# restricted and more secure ciphers # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
# HIGH: high encryption cipher suites with key length >= 128 bits (no MD5) # * Prefer ECDHE over DHE for better performance
# !aNULL: only authenticated cipher suites (no anonymous DH) # * Prefer any AES-GCM over any AES-CBC for better performance and security
# !RC4: no RC4 streaming cipher, RC4 is broken # * Then Use HIGH cipher suites as a fallback
# !DSS: RSA is preferred over DSA # * Then Use 3DES as fallback which is secure but slow
_RESTRICTED_CIPHERS = 'HIGH:!aNULL:!RC4:!DSS' # * Finally use RC4 as a fallback which is problematic but needed for
# compatibility some times.
# * Disable NULL authentication, NULL encryption, and MD5 MACs for security
# reasons
_DEFAULT_CIPHERS = (
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:'
'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5'
)
# Restricted and more secure ciphers
# This list has been explicitly chosen to:
# * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
# * Prefer ECDHE over DHE for better performance
# * Prefer any AES-GCM over any AES-CBC for better performance and security
# * Then Use HIGH cipher suites as a fallback
# * Then Use 3DES as fallback which is secure but slow
# * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, and RC4 for
# security reasons
_RESTRICTED_CIPHERS = (
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
'!eNULL:!MD5:!DSS:!RC4'
)
class CertificateError(ValueError): class CertificateError(ValueError):
......
Misc/NEWS
View file @ 71b4192e
...@@ -23,6 +23,9 @@ Core and Builtins ...@@ -23,6 +23,9 @@ Core and Builtins
Library Library
------- -------
- Issue #20995: Enhance default ciphers used by the ssl module to enable
better security an prioritize perfect forward secrecy.
- Issue #20627: xmlrpc.client.ServerProxy is now a context manager. - Issue #20627: xmlrpc.client.ServerProxy is now a context manager.
- Issue #19165: The formatter module now raises DeprecationWarning instead of - Issue #19165: The formatter module now raises DeprecationWarning instead of
...@@ -40,6 +43,9 @@ Library ...@@ -40,6 +43,9 @@ Library
- Issue #20574: Implement incremental decoder for cp65001 code (Windows code - Issue #20574: Implement incremental decoder for cp65001 code (Windows code
page 65001, Microsoft UTF-8). page 65001, Microsoft UTF-8).
=======
- Issue #20884: Don't assume that __file__ is defined on importlib.__init__.
>>>>>>> other
- Issue #20879: Delay the initialization of encoding and decoding tables for - Issue #20879: Delay the initialization of encoding and decoding tables for
base32, ascii85 and base85 codecs in the base64 module, and delay the base32, ascii85 and base85 codecs in the base64 module, and delay the
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7