Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added set_ciphersuites() API #963

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Added set_ciphersuites() API #963

wants to merge 3 commits into from

Conversation

schlenk
Copy link

@schlenk schlenk commented Nov 26, 2020

@alex
Copy link
Member

alex commented Nov 26, 2020

What's the motivation? All the TLS 1.3 ciphersuites are secure (and good) which removes a lot of the motivation that exists in TLS<=1.2 for micromanaging them.

@schlenk
Copy link
Author

schlenk commented Nov 26, 2020

Motivation is three part:
a) Cannot configure the CCM variants
b) Looked at the Twisted API for cipher suites and it is broken due to not understanding the existing API (https://twistedmatrix.com/trac/ticket/10058)
c) Fixing some in-house enterprise stuff where people want to configure that stuff...

@tiran
Copy link

tiran commented Nov 26, 2020

IMHO it's bad practice to configure any TLS and crypto-related settings in an application. Cipher suites, key strength, TLS versions, and trust store should be configured globally on operating system level. In the past few years Linux distributions have invested into better infrastructure for system-wide crypto policies.

What's the motivation? All the TLS 1.3 ciphersuites are secure (and good) which removes a lot of the motivation that exists in TLS<=1.2 for micromanaging them.

I have used the same argument to object against SSL_CTX_set_ciphersuites for Python's ssl module.

@alex
Copy link
Member

alex commented Nov 26, 2020

IMHO it's bad practice to configure any TLS and crypto-related settings in an application. Cipher suites, key strength, TLS versions, and trust store should be configured globally on operating system level. In the past few years Linux distributions have invested into better infrastructure for system-wide crypto policies.

I don't agree with this at all. This is a very sysadmin/distro centric view of the world, and I think it maps quite poorly to lots of real world applications.

Nevertherless, I'm loathe to expand the pyOpenSSL API here.

@schlenk
Copy link
Author

schlenk commented Nov 26, 2020
edited
Loading

Hi @tiran

yes, agreed that it should be done on the OS level usually and that TLS 1.3 ciphers are great and all that.
I basically ship a whole python distro/openssl with custom options/apache httpd etc. as part of some framework. So probably should tweak the "framework global" openssl settings instead. I can fork/patch my local versions as needed.

@schwabe
Copy link
Contributor

schwabe commented Nov 27, 2020

There is also the use that might need to configure to a different default when the distribution changes the default setting. E.g. Centos8 does this:

cat ./crypto-policies/back-ends/opensslcnf.config

CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = TLSv1.2

So is probably more a feature parity between TLS <=1.2 and TLS 1.3+ than anything else.

Base automatically changed from master to main February 13, 2021 17:50
@mhils mhils mentioned this pull request Feb 14, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@schlenk @alex @tiran @schwabe