author: Christian Heimes <christian@python.org> 2018-01-29 13:10:18 (GMT)
committer: GitHub <noreply@github.com> 2018-01-29 13:10:18 (GMT)
commit: 892d66e422d5367673163d62ba40cd70a37d5cf7 (patch)
tree: a9df16cdf788980f62f6ec04c010ece4d85bf822 /Doc
parent: d951157268b2122109098c792562b71ccc41920b (diff)
bpo-31429: Define TLS cipher suite on build time (#3532)

Until now Python used a hard coded white list of default TLS cipher suites. The old approach has multiple downsides. OpenSSL's default selection was completely overruled. Python did neither benefit from new cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites. For example we used to re-enable 3DES.

Python now defaults to OpenSSL DEFAULT cipher suite selection and black lists all unwanted ciphers. Downstream vendors can override the default cipher list with --with-ssl-default-suites.

Signed-off-by: Christian Heimes <christian@python.org>

Diffstat (limited to 'Doc')
-rw-r--r-- Doc/whatsnew/3.7.rst 6
1 files changed, 6 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
index b70945f..e36e505 100644
--- a/Doc/whatsnew/3.7.rst
+++ b/Doc/whatsnew/3.7.rst
@@ -623,6 +623,12 @@ wildcard matching disabled by default.
(Contributed by Mandeep Singh in :issue:`23033` and Christian Heimes in
:issue:`31399`.)
+The default cipher suite selection of the ssl module now uses a blacklist
+approach rather than a hard-coded whitelist. Python no longer re-enables
+ciphers that have been blocked by OpenSSL security update. Default cipher
+suite selection can be configured on compile time.
+(Contributed by Christian Heimes in :issue:`31429`.)
+
string
------
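
Review bot: The last added sentence says the default selection "can be configured on compile time" but never names the configure option, which the commit message gives as --with-ssl-default-suites; packagers and auditors reading the release notes need that name to find out whether a given build overrides the default. Suggest naming the option in that sentence, and stating which classes of cipher the blacklist excludes, since the paragraph as written gives no way to tell what is now off by default. Two wording points in the same paragraph: "on compile time" should read "at compile time", and "blocked by OpenSSL security update" is missing an article ("an OpenSSL security update" or "OpenSSL security updates").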