diff options
| author | Christian Heimes <christian@python.org> | 2021-05-01 18:53:10 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-01 18:53:10 (GMT) |
| commit | e983252b516edb15d4338b0a47631b59ef1e2536 (patch) | |
| tree | e57aad415654f5ce8646cf10fd293a5e8e1c0ad4 /Doc/using | |
| parent | 50c21ad35372983680b44130be560d856c5f27ca (diff) | |
| download | cpython-e983252b516edb15d4338b0a47631b59ef1e2536.zip cpython-e983252b516edb15d4338b0a47631b59ef1e2536.tar.gz cpython-e983252b516edb15d4338b0a47631b59ef1e2536.tar.bz2 | |
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
The ssl module now has more secure default settings. Ciphers without forward
secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
weak RSA, DH, and ECC keys with less than 112 bits of security.
:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
Settings are based on Hynek Schlawack's research.
```
$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
```
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Doc/using')
| -rw-r--r-- | Doc/using/configure.rst | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index 4f3953e..c37540c 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -441,12 +441,16 @@ Security Options * ``python`` (default): use Python's preferred selection; * ``openssl``: leave OpenSSL's defaults untouched; - * *STRING*: use a custom string, PROTOCOL_SSLv2 ignores the setting. + * *STRING*: use a custom string See the :mod:`ssl` module. .. versionadded:: 3.7 + .. versionchanged:: 3.10 + + The settings ``python`` and *STRING* also set TLS 1.2 as minimum + protocol version. macOS Options ------------- |