[Security-sig] Unified TLS API for Python

Christian Heimes christian at cheimes.de
Thu Jan 12 14:26:29 EST 2017


On 2017-01-12 18:16, Wes Turner wrote:
>  - Do these need a __cmp__()?
> - Are there concrete-implementation-specific const constants for each
> library?

Why would you need to compare these? The TLS API will merely provide
generic constants. Every implementation of the unified TLS API needs to
map the constants somehow. I assume that the TLSVersion enum is going to
have a human-readable name and a machine-readable constant, preferably
the wire protocol constant.

https://bugs.python.org/issue27876 is just a PoC for OpenSSL and
Python's ssl module.

> The Apache HTTPD `SSLProtocol` and Nginx `ssl_protocols` options support
> different methods of whitelisting and blacklisting.
> 
> https://mozilla.github.io/server-side-tls/ssl-config-generator/ modern
> (2017):
> 
> - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
> - ssl_protocols TLSv1.2;

Nitpicking mode: Apache HTTPD does not have an SSLProtocol option.
mod_ssl implements the SSLProtocol option. Other TLS libraries for
Apache (mod_nss) have different options, though.

Some TLS libraries only support min and max TLS version, not version
picking like OpenSSL. It doesn't make much sense to support TLS 1.0 and
1.2 but disallow TLS 1.1, too. A version range with secure default
settings is both the simplest and most generic approach.

Christian
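The range-versus-pick-list point above, as an added example that is not part of the original thread and not the PoC from issue27876: it uses the ssl.TLSVersion enum and the SSLContext.minimum_version / maximum_version attributes that later shipped in Python 3.7, shows that the enum carries both a human-readable name and the wire-protocol constant, and converts an OpenSSL-style pick list into a (min, max) range, refusing lists with a hole such as "TLS 1.0 and 1.2 but not 1.1". The helper names (describe, range_from_allowed, make_context) are my own.

```python
import ssl
from ssl import TLSVersion

# Real protocol versions in wire order, lowest first. The two sentinels
# MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are deliberately not in this list.
_ORDERED = [
    TLSVersion.SSLv3,
    TLSVersion.TLSv1,
    TLSVersion.TLSv1_1,
    TLSVersion.TLSv1_2,
    TLSVersion.TLSv1_3,
]


def describe(version):
    """Return (human-readable name, wire-protocol constant) for a TLSVersion.

    ssl.TLSVersion is an IntEnum whose values are the ProtocolVersion bytes
    from the TLS record layer, e.g. TLSv1_2 -> 0x0303.
    """
    return version.name, "0x%04x" % version.value


def range_from_allowed(allowed):
    """Convert an OpenSSL-style pick list (a set of TLSVersion) into a
    contiguous (minimum, maximum) range.

    Libraries that only expose min/max cannot express a hole, so a
    non-contiguous list is rejected instead of being silently widened.
    """
    chosen = [v for v in _ORDERED if v in allowed]
    if not chosen:
        raise ValueError("no protocol version allowed")
    lo = _ORDERED.index(chosen[0])
    hi = _ORDERED.index(chosen[-1])
    if hi - lo + 1 != len(chosen):
        gap = [v.name for v in _ORDERED[lo:hi + 1] if v not in allowed]
        raise ValueError("not a contiguous range, hole at: " + ", ".join(gap))
    return chosen[0], chosen[-1]


def is_contiguous(allowed):
    """True if the pick list can be expressed as a min/max range."""
    try:
        range_from_allowed(allowed)
    except ValueError:
        return False
    return True


def make_context(minimum=TLSVersion.TLSv1_2,
                 maximum=TLSVersion.MAXIMUM_SUPPORTED,
                 server_side=False):
    """Build an SSLContext from a version range with a secure default
    (TLS 1.2 up to whatever the linked library supports)."""
    if minimum in _ORDERED and maximum in _ORDERED and \
            _ORDERED.index(minimum) > _ORDERED.index(maximum):
        raise ValueError("minimum %s is above maximum %s"
                         % (minimum.name, maximum.name))
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx


if __name__ == "__main__":
    for v in _ORDERED:
        print("%-8s %s" % describe(v))
    # Mozilla "modern" (2017) as a pick list: only TLS 1.2 -> a valid range.
    print(range_from_allowed({TLSVersion.TLSv1_2}))
    # A hole (1.0 and 1.2 without 1.1) cannot be mapped onto min/max.
    print(is_contiguous({TLSVersion.TLSv1, TLSVersion.TLSv1_2}))
    ctx = make_context()
    print(ctx.minimum_version.name, "..", ctx.maximum_version.name)
```

The conversion runs in the generic layer, so an implementation backed by a min/max-only library never sees a pick list it cannot honour; an OpenSSL-backed implementation can still derive its per-version options from the returned range.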