granicus.if.org Git - python/commit

author	Donald Stufft <donald@stufft.io>
	Sun, 23 Mar 2014 23:05:28 +0000 (19:05 -0400)
committer	Donald Stufft <donald@stufft.io>
	Sun, 23 Mar 2014 23:05:28 +0000 (19:05 -0400)
commit	6a2ba949089754dafe69d56ce0398f4b8847a4e2
tree	5a4463201c01486e368c2c3a74f7b1240ea02f87	tree \| snapshot
parent	553e108fce5673072e709d85c4b4de817f7057b1	commit \| diff

Issue #21013: Enhance ssl.create_default_context() for server side contexts

Closes #21013 by modfying ssl.create_default_context() to:

* Move the restricted ciphers to only apply when using
  ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
  is the lack of RC4 in the restricted. However there are servers that exist
  that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
  will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
  of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
  socket the context will prioritize our ciphers which have been carefully
  selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
  that end users can more easily determine if they need to unset
  ssl.OP_NO_SSLv3.

Doc/library/ssl.rst		diff \| blob \| history
Lib/ssl.py		diff \| blob \| history
Lib/test/test_ssl.py		diff \| blob \| history
Misc/NEWS		diff \| blob \| history