diff options
| author | Donald Stufft <donald@stufft.io> | 2014-03-23 23:05:28 (GMT) |
|---|---|---|
| committer | Donald Stufft <donald@stufft.io> | 2014-03-23 23:05:28 (GMT) |
| commit | 6a2ba949089754dafe69d56ce0398f4b8847a4e2 (patch) | |
| tree | 5a4463201c01486e368c2c3a74f7b1240ea02f87 /Doc/distutils | |
| parent | 553e108fce5673072e709d85c4b4de817f7057b1 (diff) | |
| download | cpython-6a2ba949089754dafe69d56ce0398f4b8847a4e2.zip cpython-6a2ba949089754dafe69d56ce0398f4b8847a4e2.tar.gz cpython-6a2ba949089754dafe69d56ce0398f4b8847a4e2.tar.bz2 | |
Issue #21013: Enhance ssl.create_default_context() for server side contexts
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
Diffstat (limited to 'Doc/distutils')
0 files changed, 0 insertions, 0 deletions