On Fri, Jan 13, 2017 at 12:09 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:
On 13 January 2017 at 07:05, Wes Turner <wes.turner@gmail.com> wrote:
+1 for start simple and iterate; but expecting a config object is not easy to add later.
Yes, it is - all that is necessary is to add a "make_ssl_context" helper function that translates from the declarative configuration format (however defined) to the programmatic API and returns a configured context of the requested type.
The appropriate time to define that lowest-common-denominator configuration format is *after* there is a working programmatic API that covers at least the 3 major implementations of interest (OpenSSL, SecureTransport, SChannel), and hopefully a few other implementations as well (e.g. NSS, BoringSSL).
So, rather than scattered throughout each implementation, I think it would be wise to provide guidance regarding configuration validation. Enumerating the parameters into a common schema certainly will require actual implementations to define a superset of common dict keys; which I believe would be easier with a standard SSLConfig object. Another reason I believe there should be a configuration object with a .validate() method for centralized SSL configuration: - Having one .validate() method (with as many necessary subvalidators) provides a hook for security-conscious organizations to do SSL/TLS configuration validation in one place. (Otherwise, this type of configuration-validation must be frequently-re-implemented in an ad-hoc way; which inopportunely admits errors) - Examples of SSL/TLS configuration validation criteria: - https://en.wikipedia.org/wiki/FIPS_140-2#Cryptographic_Module_Validation_Pro... - https://mozilla.github.io/server-side-tls/ssl-config-generator/ - "CIS Critical Security Controls" https://www.cisecurity.org/critical-controls.cfm - CSC 3.[*] - Least-privilege dictates that this type of config is separate from the code.py files - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" (2011 Top 25 #19) https://cwe.mitre.org/top25/#CWE-327 https://cwe.mitre.org/data/definitions/327.html - ... "improper configuration" is basically this issue; so, validation should be encouraged where possible. Again, I think we should encourage validation of SSL/TLS configuration settings; and pointing to SSLConfig.validate() as the method to subclass makes that very easy.