diff options
| author | Christian Heimes <christian@cheimes.de> | 2013-11-23 14:58:30 (GMT) |
|---|---|---|
| committer | Christian Heimes <christian@cheimes.de> | 2013-11-23 14:58:30 (GMT) |
| commit | 4c05b472ddd4634138b6abfa857ee37761d33185 (patch) | |
| tree | da4b06b3937c1f82f56ecd54e6a999af08e5f326 /Lib/ssl.py | |
| parent | 6b2ff98df45d3d1ca389f4ae07a2ef4e08257867 (diff) | |
| download | cpython-4c05b472ddd4634138b6abfa857ee37761d33185.zip cpython-4c05b472ddd4634138b6abfa857ee37761d33185.tar.gz cpython-4c05b472ddd4634138b6abfa857ee37761d33185.tar.bz2 | |
Issue #19689: Add ssl.create_default_context() factory function. It creates
a new SSLContext object with secure default settings.
Diffstat (limited to 'Lib/ssl.py')
| -rw-r--r-- | Lib/ssl.py | 35 |
1 files changed, 35 insertions, 0 deletions
@@ -165,6 +165,13 @@ else: # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL') _DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2' +# restricted and more secure ciphers +# HIGH: high encryption cipher suites with key length >= 128 bits (no MD5) +# !aNULL: only authenticated cipher suites (no anonymous DH) +# !RC4: no RC4 streaming cipher, RC4 is broken +# !DSS: RSA is preferred over DSA +_RESTRICTED_CIPHERS = 'HIGH:!aNULL:!RC4:!DSS' + class CertificateError(ValueError): pass @@ -363,6 +370,34 @@ class SSLContext(_SSLContext): self.set_default_verify_paths() +def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None, + capath=None, cadata=None): + """Create a SSLContext object with default settings. + + NOTE: The protocol and settings may change anytime without prior + deprecation. The values represent a fair balance between maximum + compatibility and security. + """ + if not isinstance(purpose, _ASN1Object): + raise TypeError(purpose) + context = SSLContext(PROTOCOL_TLSv1) + # SSLv2 considered harmful. + context.options |= OP_NO_SSLv2 + # disallow ciphers with known vulnerabilities + context.set_ciphers(_RESTRICTED_CIPHERS) + # verify certs in client mode + if purpose == Purpose.SERVER_AUTH: + context.verify_mode = CERT_REQUIRED + if cafile or capath or cadata: + context.load_verify_locations(cafile, capath, cadata) + elif context.verify_mode != CERT_NONE: + # no explicit cafile, capath or cadata but the verify mode is + # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system + # root CA certificates for the given purpose. This may fail silently. + context.load_default_certs(purpose) + return context + + class SSLSocket(socket): """This class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and |