-
Notifications
You must be signed in to change notification settings - Fork 421
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added set_ciphersuites() API #963
base: main
Are you sure you want to change the base?
Conversation
What's the motivation? All the TLS 1.3 ciphersuites are secure (and good) which removes a lot of the motivation that exists in TLS<=1.2 for micromanaging them. |
Motivation is three part: |
IMHO it's bad practice to configure any TLS and crypto-related settings in an application. Cipher suites, key strength, TLS versions, and trust store should be configured globally on operating system level. In the past few years Linux distributions have invested into better infrastructure for system-wide crypto policies.
I have used the same argument to object against |
I don't agree with this at all. This is a very sysadmin/distro centric view of the world, and I think it maps quite poorly to lots of real world applications. Nevertherless, I'm loathe to expand the pyOpenSSL API here. |
Hi @tiran yes, agreed that it should be done on the OS level usually and that TLS 1.3 ciphers are great and all that. |
There is also the use that might need to configure to a different default when the distribution changes the default setting. E.g. Centos8 does this:
So is probably more a feature parity between TLS <=1.2 and TLS 1.3+ than anything else. |
Add the set_ciphersuites API to set TLS 1.3 ciphersuites properly.
See:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites