summaryrefslogtreecommitdiffstats
path: root/Lib
diff options
context:
space:
mode:
Diffstat (limited to 'Lib')
-rw-r--r--Lib/ssl.py39
1 files changed, 31 insertions, 8 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 87b70fa..da80802 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -162,14 +162,37 @@ else:
# Disable weak or insecure ciphers by default
# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
-_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
-
-# restricted and more secure ciphers
-# HIGH: high encryption cipher suites with key length >= 128 bits (no MD5)
-# !aNULL: only authenticated cipher suites (no anonymous DH)
-# !RC4: no RC4 streaming cipher, RC4 is broken
-# !DSS: RSA is preferred over DSA
-_RESTRICTED_CIPHERS = 'HIGH:!aNULL:!RC4:!DSS'
+# Enable a better set of ciphers by default
+# This list has been explicitly chosen to:
+# * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+# * Prefer ECDHE over DHE for better performance
+# * Prefer any AES-GCM over any AES-CBC for better performance and security
+# * Then Use HIGH cipher suites as a fallback
+# * Then Use 3DES as fallback which is secure but slow
+# * Finally use RC4 as a fallback which is problematic but needed for
+# compatibility some times.
+# * Disable NULL authentication, NULL encryption, and MD5 MACs for security
+# reasons
+_DEFAULT_CIPHERS = (
+ 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+ 'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:'
+ 'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5'
+)
+
+# Restricted and more secure ciphers
+# This list has been explicitly chosen to:
+# * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+# * Prefer ECDHE over DHE for better performance
+# * Prefer any AES-GCM over any AES-CBC for better performance and security
+# * Then Use HIGH cipher suites as a fallback
+# * Then Use 3DES as fallback which is secure but slow
+# * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, and RC4 for
+# security reasons
+_RESTRICTED_CIPHERS = (
+ 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+ 'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
+ '!eNULL:!MD5:!DSS:!RC4'
+)
class CertificateError(ValueError):
generated by cgit v0.12 at 2024-12-12 13:48:37 (GMT)