diff options
| author | Donald Stufft <donald@stufft.io> | 2014-03-22 01:33:34 (GMT) |
|---|---|---|
| committer | Donald Stufft <donald@stufft.io> | 2014-03-22 01:33:34 (GMT) |
| commit | 79ccaa2cad2a13f0da2f900a0f9f61cd6b619c99 (patch) | |
| tree | ad16e54403a655838fb1338be48d4e8702312adf /Lib/ssl.py | |
| parent | 51f3129ba2f87233006338c9c735fe4b0cc84036 (diff) | |
| download | cpython-79ccaa2cad2a13f0da2f900a0f9f61cd6b619c99.zip cpython-79ccaa2cad2a13f0da2f900a0f9f61cd6b619c99.tar.gz cpython-79ccaa2cad2a13f0da2f900a0f9f61cd6b619c99.tar.bz2 | |
Issue #20995: Enhance default ciphers used by the ssl module
Closes #20995 by Enabling better security by prioritizing ciphers
such that:
* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
reasons
Diffstat (limited to 'Lib/ssl.py')
| -rw-r--r-- | Lib/ssl.py | 39 |
1 files changed, 31 insertions, 8 deletions
@@ -162,14 +162,37 @@ else: # Disable weak or insecure ciphers by default # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL') -_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2' - -# restricted and more secure ciphers -# HIGH: high encryption cipher suites with key length >= 128 bits (no MD5) -# !aNULL: only authenticated cipher suites (no anonymous DH) -# !RC4: no RC4 streaming cipher, RC4 is broken -# !DSS: RSA is preferred over DSA -_RESTRICTED_CIPHERS = 'HIGH:!aNULL:!RC4:!DSS' +# Enable a better set of ciphers by default +# This list has been explicitly chosen to: +# * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE) +# * Prefer ECDHE over DHE for better performance +# * Prefer any AES-GCM over any AES-CBC for better performance and security +# * Then Use HIGH cipher suites as a fallback +# * Then Use 3DES as fallback which is secure but slow +# * Finally use RC4 as a fallback which is problematic but needed for +# compatibility some times. +# * Disable NULL authentication, NULL encryption, and MD5 MACs for security +# reasons +_DEFAULT_CIPHERS = ( + 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:' + 'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:' + 'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5' +) + +# Restricted and more secure ciphers +# This list has been explicitly chosen to: +# * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE) +# * Prefer ECDHE over DHE for better performance +# * Prefer any AES-GCM over any AES-CBC for better performance and security +# * Then Use HIGH cipher suites as a fallback +# * Then Use 3DES as fallback which is secure but slow +# * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, and RC4 for +# security reasons +_RESTRICTED_CIPHERS = ( + 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:' + 'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:' + '!eNULL:!MD5:!DSS:!RC4' +) class CertificateError(ValueError): |