<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 22 Jun 2017 at 02:32 Larry Hastings <<a href="mailto:larry@hastings.org">larry@hastings.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<br>
<div class="m_8128928513685750733moz-cite-prefix">On 06/22/2017 01:04 AM, Victor Stinner
wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">About the cipher list in ssl, the change itself is
simple but it's to blacklist DES and 3DES since it has been
proved that these ciphers are really too weak nowadays:
<div dir="auto"><a href="http://python-security.readthedocs.io/vuln/cve-2016-2183_sweet32_attack_des_3des.html" target="_blank">http://python-security.readthedocs.io/vuln/cve-2016-2183_sweet32_attack_des_3des.html</a><br>
</div>
</div>
</blockquote>
<br></div><div bgcolor="#FFFFFF" text="#000000">
Not "blacklist"--IIUC the user can still manually specify whatever
cipher suites they like. And not DES... who knows how long ago that
was removed from the list.<br>
<br>
This change in 3.4 removes 3DES from the <i>default</i> permissible
cipher list, changing those entries to use "HIGH cipher suites"
instead (OpenSSL's term for "cipher suites with key sizes >= 128
bytes"). It also adds ChaCha20 to the default cipher list.</div><div bgcolor="#FFFFFF" text="#000000"><br>
<br>
<br>
<blockquote type="cite">
<div dir="auto">
<div dir="auto">By the way, is Larry the only one to be able to
merge changes in 3.4? Before GitHub, all core dev were
technically allowed to push in security-only branches.</div>
</div>
</blockquote>
<br></div><div bgcolor="#FFFFFF" text="#000000">
Oh? Am I? **insert evil laugh** Ladies and gentlemen, get out your
checkbooks! 3.4 is about to get... expensive.<br>
<br>
Seriously, though, I was mostly hoping other people would handle the
security stuff and just keep me informed. If I'm the only one
permitted to accept PRs into 3.4 (and soon 3.5), okay, I can work
with that. I'm still probably gonna delegate the actual judgment of
the validity of the PRs. But obviously it'll mean I'll have to be
more hands-on, where so far I was assuming I could just let other
people handle it.<br></div></blockquote><div><br></div><div>Currently the security-only branches are set so that only release managers can merge PRs since they technically are on the hook if some compatibility breaks due to some patch (e.g. I expect Ned to use this for 3.7 once we hit rc to really control what goes in last minute). It's easy enough to turn this protection off, though, if people want.<br></div></div></div>