
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Created on 2016-09-09 11:18 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files

| File name | Uploaded |
|---|---|
| Sane-defaults-for-SSLContext-options-and-ciphers.patch | christian.heimes, 2016-09-09 11:18 |

Pull Requests

| URL | Status | Linked |
|---|---|---|
| PR 10608 | merged | cstratak, 2018-11-20 16:00 |

Messages (6)

msg275310 | Author: Christian Heimes (christian.heimes) | Date: 2016-09-09 11:18

I'd like to introduce sane defaults for SSLContext options and ciphers:

Changed in version 3.6: The context is created with more secure default values. PROTOCOL_TLS is the default protocol. The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).

msg275604 | Author: Alyssa Coghlan (ncoghlan) | Date: 2016-09-10 09:20

+1 from me for a model where ssl.get_default_context() can change in maintenance releases, while the ssl.SSLContext defaults get updated for feature releases.

msg275637 | Author: Christian Heimes (christian.heimes) | Date: 2016-09-10 13:57

I'm planning to remove PROTOCOL_TLS again and replace it with something more sensible.

msg275694 | Author: Roundup Robot (python-dev) | Date: 2016-09-10 20:43

New changeset 1b4c5d06c028 by Christian Heimes in branch 'default':
Issue 28043: SSLContext has improved default settings
https://hg.python.org/cpython/rev/1b4c5d06c028

msg301419 | Author: Christian Heimes (christian.heimes) | Date: 2017-09-06 00:53

3.6 and master are looking good. Should I backport the fix to 2.7, too?

msg335615 | Author: STINNER Victor (vstinner) | Date: 2019-02-15 14:24

New changeset b8eaec697a2b5d9d2def2950a0aa50e8ffcf1059 by Victor Stinner (stratakis) in branch '2.7':
[2.7] bpo-28043: improved default settings for SSLContext (GH-10608)
https://github.com/python/cpython/commit/b8eaec697a2b5d9d2def2950a0aa50e8ffcf1059
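
The defaults listed in the first message can be verified on a given interpreter build. The following is an added example, not code from the patch or from CPython; the function names and the sample cipher entries are constructed for illustration, and it builds the context with `ssl.PROTOCOL_TLS_CLIENT` as an assumption.

```python
import ssl

# Option flags the issue says a bare SSLContext sets by default (3.6+).
EXPECTED_OPTIONS = (
    "OP_NO_COMPRESSION", "OP_CIPHER_SERVER_PREFERENCE",
    "OP_SINGLE_DH_USE", "OP_SINGLE_ECDH_USE",
    "OP_NO_SSLv2", "OP_NO_SSLv3",
)

def missing_default_options(options):
    """Return names of expected OP_* flags not set in an options bitmask."""
    missing = []
    for name in EXPECTED_OPTIONS:
        flag = int(getattr(ssl, name))
        # OpenSSL 1.1.0+ defines some of these flags as 0 (the behaviour is
        # always on); a zero flag is trivially satisfied by this comparison.
        if (int(options) & flag) != flag:
            missing.append(name)
    return missing

def weak_ciphers(cipher_entries):
    """Return names of suites using NULL encryption or an MD5 MAC.

    Entries have the shape returned by SSLContext.get_ciphers(): dicts with
    'name' and an OpenSSL 'description' string carrying Enc=... and Mac=...
    """
    weak = []
    for entry in cipher_entries:
        fields = dict(f.split("=", 1) for f in entry["description"].split() if "=" in f)
        if fields.get("Enc", "").startswith("None") or fields.get("Mac") == "MD5":
            weak.append(entry["name"])
    return weak

def audit_context(ctx):
    """Audit a live SSLContext against the defaults described in the issue."""
    return {"missing_options": missing_default_options(ctx.options),
            "weak_ciphers": weak_ciphers(ctx.get_ciphers())}

# Constructed sample entries (not captured output) to exercise weak_ciphers().
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384",
     "description": "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"},
    {"name": "NULL-SHA", "description": "NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1"},
    {"name": "RC4-MD5", "description": "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5"},
]

if __name__ == "__main__":
    print(audit_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
    print(weak_ciphers(SAMPLE_CIPHERS))
```
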

History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:58:36 | admin | set | github: 72230 |
| 2019-05-29 01:17:06 | cheryl.sabella | link | issue34818 superseder |
| 2019-04-08 22:50:22 | cheryl.sabella | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved |
| 2019-02-15 14:24:18 | vstinner | set | nosy: +vstinner; messages: +msg335615 |
| 2018-11-20 16:00:30 | cstratak | set | stage: commit review -> patch review; pull_requests: +pull_request9851 |
| 2017-09-06 00:55:56 | christian.heimes | link | issue20994 superseder |
| 2017-09-06 00:53:37 | christian.heimes | set | status: pending -> open; messages: +msg301419 |
| 2016-09-10 20:44:30 | christian.heimes | set | status: open -> pending; assignee: christian.heimes; stage: patch review -> commit review |
| 2016-09-10 20:43:56 | python-dev | set | nosy: +python-dev; messages: +msg275694 |
| 2016-09-10 13:57:44 | christian.heimes | set | messages: +msg275637 |
| 2016-09-10 09:20:43 | ncoghlan | set | messages: +msg275604 |
| 2016-09-09 11:18:41 | christian.heimes | create | |