[issue21013] server-specific SSL context configuration
Donald Stufft
report at bugs.python.org
Sun Mar 23 03:25:53 CET 2014
Donald Stufft added the comment:
Attached is a new patch. It has:
* Switches the protocol to SSLv23 so that we can negotiate a TLS1.1 or TLS1.2 connection.
* Sets OP_CIPHER_SERVER_PREFERENCE for Purpose.CLIENT_AUTH so that our carefully selected cipher priority gives us better encryption and PFS
* Sets OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE for Purpose.CLIENT_AUTH to prevent re-use of the DH and ECDH keys in distinct sessions.
* Disables SSLv3 connections explicitly to match lower bounds of the original security of the created context
* Moves the "restricted" ciphers to only apply to servers. Servers can be much more picky about which ciphers they accept than clients can, and further more with how our ciphers are laid out now if RC4 is selected it is entirely the fault of the server we are connecting to.
* Document what the type of error message would be if a SSL 3.0 connection is required and how to re-enable it.
----------
Added file: http://bugs.python.org/file34577/ssl-context-defaults-ssl3-diff
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue21013>
_______________________________________
More information about the Python-bugs-list
mailing list