diff options
| author | Christian Heimes <christian@python.org> | 2018-01-29 13:10:18 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-01-29 13:10:18 (GMT) |
| commit | 892d66e422d5367673163d62ba40cd70a37d5cf7 (patch) | |
| tree | a9df16cdf788980f62f6ec04c010ece4d85bf822 /pyconfig.h.in | |
| parent | d951157268b2122109098c792562b71ccc41920b (diff) | |
| download | cpython-892d66e422d5367673163d62ba40cd70a37d5cf7.zip cpython-892d66e422d5367673163d62ba40cd70a37d5cf7.tar.gz cpython-892d66e422d5367673163d62ba40cd70a37d5cf7.tar.bz2 | |
bpo-31429: Define TLS cipher suite on build time (#3532)
Until now Python used a hard coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python did neither benefit from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.
Python now defaults to OpenSSL DEFAULT cipher suite selection and black
lists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'pyconfig.h.in')
| -rw-r--r-- | pyconfig.h.in | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/pyconfig.h.in b/pyconfig.h.in index a18e3ca..a0efff9 100644 --- a/pyconfig.h.in +++ b/pyconfig.h.in @@ -1314,6 +1314,13 @@ /* Define to printf format modifier for Py_ssize_t */ #undef PY_FORMAT_SIZE_T +/* Default cipher suites list for ssl module. 1: Python's preferred selection, + 2: leave OpenSSL defaults untouched, 0: custom string */ +#undef PY_SSL_DEFAULT_CIPHERS + +/* Cipher suite string for PY_SSL_DEFAULT_CIPHERS=0 */ +#undef PY_SSL_DEFAULT_CIPHER_STRING + /* Define to emit a locale compatibility warning in the C locale */ #undef PY_WARN_ON_C_LOCALE |