[New-bugs-announce] [issue43998] Increase security of TLS settings in 3.10
report at bugs.python.org
Sat May 1 06:41:52 EDT 2021
New submission from Christian Heimes <lists at cheimes.de>:
It's 2021. TLS 1.0 and 1.1 have been deprecated in RFC 8996. Browsers have disabled TLS 1.0 and 1.1, too. Python should no longer enable TLS 1.1 by default and require strong TLS ciphers with forward secrecy.
I'm going to update Python's default cipher suite based on Hynek's excellent blog post https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ . I'll deviate in two minor points:
* keep ephemeral, finite field Diffie-Hellman for legacy hardware. It's not that insecure, just slow.
* enforce security level 2 to require strong RSA and DH keys. @SECLEVEL=2 enforced minimum of 112 bits security. Almost all common RSA certificates use 2048 bits RSA signature.
I'm also going to set TLS 1.2 as minimum protocol version with Python is compiled with --with-ssl-default-suites=python or --with-ssl-default-suites=custom_string. Distro vendors can use --with-ssl-default-suites=openssl to override the setting.
nosy: christian.heimes, hynek
title: Increase security of TLS settings in 3.10
versions: Python 3.10, Python 3.11
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce