Issue #20995: Enhance default ciphers used by the ssl module

Closes #20995 by Enabling better security by prioritizing ciphers
such that:

* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
  compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
  reasons

1 files changed, 4 insertions, 11 deletions

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 0ed5fb2..3aa1e36 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1665,17 +1665,10 @@ If you have advanced security requirements, fine-tuning of the ciphers
 enabled when negotiating a SSL session is possible through the
 :meth:`SSLContext.set_ciphers` method.  Starting from Python 3.2.3, the
 ssl module disables certain weak ciphers by default, but you may want
-to further restrict the cipher choice.  For example::
-
-   context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-   context.set_ciphers('HIGH:!aNULL:!eNULL')
-
-The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers
-which don't provide both encryption and authentication.  Be sure to read
-OpenSSL's documentation about the `cipher list
-format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
-If you want to check which ciphers are enabled by a given cipher list,
-use the ``openssl ciphers`` command on your system.
+to further restrict the cipher choice. Be sure to read OpenSSL's documentation
+about the `cipher list format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
+If you want to check which ciphers are enabled by a given cipher list, use the
+``openssl ciphers`` command on your system.
 
 Multi-processing
 ^^^^^^^^^^^^^^^^