bpo-31429: Define TLS cipher suite on build time by tiran · Pull Request #3532 · python/cpython

@tiran tiran changed the title bpo-31429: [WIP] --with-ssl-default-suites bpo-31429: Define TLS cipher suite on build time

Jan 20, 2018

alex

Until now Python used a hard-coded whitelist of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python neither benefited from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.

Python now defaults to OpenSSL DEFAULT cipher suite selection and
blacklists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.

Signed-off-by: Christian Heimes <christian@python.org>
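The approach the commit message describes, reproduced with the `ssl` module as an added example (not code from the PR or from CPython): start from OpenSSL's own DEFAULT selection, subtract the unwanted families, then audit what OpenSSL actually enabled. The blacklist string and the marker list are assumptions chosen to match the description above, not CPython's exact build-time default.

```python
"""Start from OpenSSL's DEFAULT list, subtract unwanted families, audit the result.

Added example, not code from the CPython pull request.  The cipher string and
the marker list are assumptions written to match the PR description; they are
not claimed to be CPython's exact --with-ssl-default-suites default.
"""
import ssl
from typing import List

# Assumed blacklist: OpenSSL's DEFAULT selection minus the families the PR
# description calls unwanted (anonymous / NULL key exchange, MD5, 3DES) plus
# two more legacy families that a defender would normally drop as well.
DEFAULT_MINUS_BLACKLIST = "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4"

# Substrings in an OpenSSL cipher name that mean the blacklist did not bite.
# ADH / AECDH are the anonymous (aNULL) key exchange prefixes.
FORBIDDEN_MARKERS = ("DES", "RC4", "MD5", "NULL", "ADH", "AECDH")


def enabled_ciphers(cipher_string: str) -> List[str]:
    """Return the cipher names OpenSSL enables for `cipher_string`.

    Unlike a hard-coded whitelist, this list follows the linked OpenSSL:
    new suites (ChaCha20, TLS 1.3) appear automatically when OpenSSL
    enables them, and suites OpenSSL has removed never come back.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(names: List[str]) -> List[str]:
    """Return the names that still carry a forbidden marker (expected: none)."""
    return [n for n in names if any(m in n for m in FORBIDDEN_MARKERS)]


def removed_by_blacklist() -> List[str]:
    """Which suites did the blacklist strip relative to bare DEFAULT?

    On recent OpenSSL builds this can be empty, because OpenSSL's own DEFAULT
    already excludes these families; the blacklist is then a guard against
    an older or differently configured library rather than a visible change.
    """
    base = enabled_ciphers("DEFAULT")
    hardened = set(enabled_ciphers(DEFAULT_MINUS_BLACKLIST))
    return [n for n in base if n not in hardened]


if __name__ == "__main__":
    for name in enabled_ciphers(DEFAULT_MINUS_BLACKLIST):
        print(name)
    print("still forbidden:", audit(enabled_ciphers(DEFAULT_MINUS_BLACKLIST)))
    print("stripped vs DEFAULT:", removed_by_blacklist())
```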

@tiran tiran deleted the bpo-31429-cipher-suite branch

January 29, 2018 13:10

sfackler added a commit to rust-openssl/rust-openssl that referenced this pull request

Feb 21, 2018
Based off of python/cpython#3532, we use OpenSSL's default cipher list
and turn off things we don't like. This can't be used with 1.0.1,
however, which had a poor default set. There, we use the old defaults,
with the bits that aren't implemented in 1.0.1 removed (namely TLSv1.3
suites and ChaCha).
