author | Christian Heimes <christian@python.org> | 2018-01-29 13:10:18 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-29 13:10:18 (GMT) |
commit | 892d66e422d5367673163d62ba40cd70a37d5cf7 (patch) | |
tree | a9df16cdf788980f62f6ec04c010ece4d85bf822 /configure.ac | |
parent | d951157268b2122109098c792562b71ccc41920b (diff) | |
download | cpython-892d66e422d5367673163d62ba40cd70a37d5cf7.zip cpython-892d66e422d5367673163d62ba40cd70a37d5cf7.tar.gz cpython-892d66e422d5367673163d62ba40cd70a37d5cf7.tar.bz2 |
bpo-31429: Define TLS cipher suite on build time (#3532)
Until now Python used a hard-coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python neither benefited from new
cipher suites (ChaCha20, TLS 1.3 suites) nor from blacklisted cipher suites.
For example, we used to re-enable 3DES.
Python now defaults to OpenSSL's DEFAULT cipher suite selection and
blacklists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 6524863..af10a6d 100644 --- a/configure.ac +++ b/configure.ac @@ -5497,6 +5497,43 @@ if test "$have_openssl" = yes; then LIBS="$save_LIBS" fi +# ssl module default cipher suite string +AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS, + [Default cipher suites list for ssl module. + 1: Python's preferred selection, 2: leave OpenSSL defaults untouched, 0: custom string]) +AH_TEMPLATE(PY_SSL_DEFAULT_CIPHER_STRING, + [Cipher suite string for PY_SSL_DEFAULT_CIPHERS=0] +) + +AC_MSG_CHECKING(for --with-ssl-default-suites) +AC_ARG_WITH(ssl-default-suites, + AS_HELP_STRING([--with-ssl-default-suites=@<:@python|openssl|STRING@:>@], + [Override default cipher suites string, + python: use Python's preferred selection (default), + openssl: leave OpenSSL's defaults untouched, + STRING: use a custom string, + PROTOCOL_SSLv2 ignores the setting]), +[ +AC_MSG_RESULT($withval) +case "$withval" in + python) + AC_DEFINE(PY_SSL_DEFAULT_CIPHERS, 1) + ;; + openssl) + AC_DEFINE(PY_SSL_DEFAULT_CIPHERS, 2) + ;; + *) + AC_DEFINE(PY_SSL_DEFAULT_CIPHERS, 0) + AC_DEFINE_UNQUOTED(PY_SSL_DEFAULT_CIPHER_STRING, "$withval") + ;; +esac +], +[ +AC_MSG_RESULT(python) +AC_DEFINE(PY_SSL_DEFAULT_CIPHERS, 1) +]) + + # generate output files AC_CONFIG_FILES(Makefile.pre Misc/python.pc Misc/python-config.sh) AC_CONFIG_FILES([Modules/ld_so_aix], [chmod +x Modules/ld_so_aix]) |
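Review bot: the `*)` branch of the `case "$withval"` treats every value that is not literally `python` or `openssl` as a custom cipher string, including the `yes` that autoconf substitutes when `--with-ssl-default-suites` is given with no argument and the `no` from `--without-ssl-default-suites`; both would end up as `AC_DEFINE_UNQUOTED(PY_SSL_DEFAULT_CIPHER_STRING, "yes")` or `"no"`, which is not a meaningful OpenSSL cipher list. Suggest adding explicit `yes)` and `no)` arms (for example mapping `yes` to the `python` default and `no` to `openssl`, or failing with `AC_MSG_ERROR`) before the catch-all. Related: the custom string is accepted verbatim with no configure-time validation, so a mistyped string will only surface when the ssl module is first used; at minimum the help text should say that a custom STRING bypasses the blacklist described in the commit message, since a vendor-supplied string replaces Python's preferred selection entirely rather than being combined with it.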