naif <n...@globaleaks.org> added the comment:
>From Antoine Pitrou (pitrou):
> Why don't you simple define your own default ciphers and call the
> set_ciphers() method?
> That said, we could perhaps call set_ciphers("HIGH") by default. This
> excludes legacy ciphers (such as RC4, DES) without having us maintain an
> explicit list.
I would suggest to follow a future proof approach that would consider:
* Disable SSLv2 (no one support it anymore)
* Enable Elliptic Curve Crypto and provide it as a priority (maximum security
with strong performance gain)
* Enable Perfect Forward Secrecy ciphers first (DH ephemeral DHE)
* Provide an ordered cipher list for TLSv1
- First ECC/DHE ciphers (Future Proof, PFS, with maximum performance)
- Second DHE ciphers (Non-future proof, PFS, less performance)
- Third TLSv1 AES ciphers (AES-128/AES-256, max compatibility, max performance)
* Then provide an ordered cipher list for SSLv3 (No AES support)
- First 3DES DHE ciphers (PFS security)
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
- Second 3DES non-DHE cipher
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
- Third RC4 based encryption
SSL_RSA_WITH_RC4_128_SHA
That way (but this is an approach to be discussed) we will pick-up a set of
widely secure ciphers, high performance ciphers, highly compatible ciphers, but
with a selection logic that's optimized for existing set of application and
servers.
Or eventually hide that complexity for the Python developers by providing a set
of "pre-configured" profiles to be used?
I always find ppl having difficulties in dealing with SSL/TLS, as a result
SSL/TLS configuration it's often "by default" .
----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13636>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
