cpython/Doc/whatsnew
Christian Heimes e983252b51
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
The ssl module now has more secure default settings. Ciphers without forward
secrecy or with a SHA-1 MAC are disabled by default. Security level 2 prohibits
weak RSA, DH, and ECC keys with less than 112 bits of security.
:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
Settings are based on Hynek Schlawack's research.

```
$ openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
```

Signed-off-by: Christian Heimes <christian@python.org>
2021-05-01 20:53:10 +02:00
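The commit message states the policy behind the new defaults (forward secrecy, no SHA-1 MAC, TLS 1.2 minimum, `@SECLEVEL=2`) and shows the `openssl ciphers` output for the cipher string. The block below is an added example, not code from the commit or from CPython's own ssl module: it applies that same cipher string to an `ssl.SSLContext` and audits what OpenSSL actually enabled through `SSLContext.get_ciphers()`, so you can check any interpreter build (older Pythons, different OpenSSL versions, LibreSSL) against the policy. `WEAK_CIPHERS` is a constructed counter-example for contrast; the `kx-*`/`auth-*` labels are the names OpenSSL reports through the `kea` and `auth` keys of `get_ciphers()`.

```python
import ssl

# Cipher string from the commit message above (the new CPython 3.10 default).
DEFAULT_CIPHERS = (
    "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES"
    ":!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
)

# Constructed weak policy for contrast (not from the commit): RSA key transport
# (no forward secrecy) with a SHA-1 HMAC, allowed by dropping to security level 0.
WEAK_CIPHERS = "@SECLEVEL=0:AES128-SHA"

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) exchanges.
# TLS 1.3 suites report "kx-any": there key exchange is negotiated separately
# from the suite and is always ephemeral.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def audit_context(ctx):
    """Return [(cipher name, reason)] for everything in ctx that falls short of
    the commit's policy: TLS >= 1.2, forward secrecy, no SHA-1 MAC, and at
    least 112 bits of symmetric strength. An empty list means the policy holds.
    """
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("<context>", f"minimum_version is {ctx.minimum_version.name}"))
    for c in ctx.get_ciphers():
        # c["kea"] is OpenSSL's key-exchange label, e.g. "kx-rsa" for plain RSA
        # key transport, which has no forward secrecy.
        if c["kea"] not in FORWARD_SECRET_KX:
            findings.append((c["name"], f"no forward secrecy ({c['kea']})"))
        # AEAD suites report digest None; legacy CBC suites report their HMAC hash.
        if not c["aead"] and c["digest"] == "sha1":
            findings.append((c["name"], "SHA-1 MAC"))
        if c["strength_bits"] < 112:
            findings.append((c["name"], f"only {c['strength_bits']}-bit symmetric key"))
    return findings


def audit_cipher_list(cipher_string, minimum_version=ssl.TLSVersion.TLSv1_2):
    """Apply a cipher string to a fresh client context, then audit it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum_version
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return audit_context(ctx)


if __name__ == "__main__":
    # What this interpreter's build ships as its stock defaults.
    stock = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print(ssl.OPENSSL_VERSION)
    print("stock default minimum_version:", stock.minimum_version.name)
    for name, reason in audit_context(stock) or [("-", "stock defaults meet the policy")]:
        print(f"  {name}: {reason}")
    print("commit's cipher string:", audit_cipher_list(DEFAULT_CIPHERS) or "clean")
    print("constructed weak string:")
    for name, reason in audit_cipher_list(WEAK_CIPHERS):
        print(f"  {name}: {reason}")
```

Two caveats when reading the output. First, `get_ciphers()` always lists the TLS 1.3 suites as well, which is why they pass as `kx-any`/AEAD rather than being filtered by the TLS 1.2 cipher string. Second, the `@SECLEVEL=2` key-size rule (no RSA, DH or ECC keys below 112 bits of security) is enforced by OpenSSL during the handshake against the peer's certificate and key-exchange parameters; it is not visible in the cipher list, so a server presenting a 1024-bit RSA certificate fails the handshake rather than showing up in this audit.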
| File | Last commit | Date |
|---|---|---|
| 2.0.rst | bpo-35506: Remove redundant and incorrect links from keywords. (GH-11174) | 2018-12-19 08:09:46 +02:00 |
| 2.1.rst | bpo-35506: Remove redundant and incorrect links from keywords. (GH-11174) | 2018-12-19 08:09:46 +02:00 |
| 2.2.rst | bpo-35506: Remove redundant and incorrect links from keywords. (GH-11174) | 2018-12-19 08:09:46 +02:00 |
| 2.3.rst | bpo-35506: Remove redundant and incorrect links from keywords. (GH-11174) | 2018-12-19 08:09:46 +02:00 |
| 2.4.rst | bpo-33641: Convert RFC references into links. (GH-7103) | 2018-05-31 07:39:00 +03:00 |
| 2.5.rst | bpo-35506: Remove redundant and incorrect links from keywords. (GH-11174) | 2018-12-19 08:09:46 +02:00 |
| 2.6.rst | Docs: FIX broken links. (GH-13491) | 2019-05-25 20:02:24 +02:00 |
| 2.7.rst | bpo-38600: NULL -> ``NULL``. (GH-17001) | 2019-10-30 21:37:16 +02:00 |
| 3.0.rst | bpo-35506: Remove redundant and incorrect links from keywords. (GH-11174) | 2018-12-19 08:09:46 +02:00 |
| 3.1.rst | Fix miscellaneous typos (#4275) | 2017-11-05 15:37:50 +02:00 |
| 3.2.rst | Revert "Fix all Python Cookbook links (#22205)" (GH-22424) | 2020-09-27 01:47:25 +01:00 |
| 3.3.rst | bpo-40204, doc: Fix syntax of C variables (GH-21846) | 2020-08-13 22:11:50 +02:00 |
| 3.4.rst | bpo-38600: NULL -> ``NULL``. (GH-17001) | 2019-10-30 21:37:16 +02:00 |
| 3.5.rst | bpo-40204: Fix reference to terms in the doc (GH-21865) | 2020-08-14 12:20:05 +02:00 |
| 3.6.rst | bpo-43774: Document configure options (GH-25283) | 2021-04-08 22:32:21 +02:00 |
| 3.7.rst | bpo-43774: Document configure options (GH-25283) | 2021-04-08 22:32:21 +02:00 |
| 3.8.rst | bpo-43774: Enhance debug build documentation (GH-25712) | 2021-04-29 13:06:59 +02:00 |
| 3.9.rst | bpo-43908: Document Static Types in the C API (GH-25710) | 2021-04-29 10:26:34 +02:00 |
| 3.10.rst | bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778) | 2021-05-01 20:53:10 +02:00 |
| changelog.rst | Include additional changes to support blurbified NEWS (#3340) | 2017-09-05 00:46:18 -07:00 |
| index.rst | Python 3.10.0a0 (GH-20198) | 2020-05-19 03:33:01 +01:00 |