bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
The ssl module now has more secure default settings. Ciphers without forward
secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
weak RSA, DH, and ECC keys with less than 112 bits of security.
:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
Settings are based on Hynek Schlawack's research.
```
$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
```
Signed-off-by: Christian Heimes <christian@python.org>
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index f7c49dc..4d43fa0 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1509,6 +1509,14 @@
context class will either require :data:`PROTOCOL_TLS_CLIENT` or
:data:`PROTOCOL_TLS_SERVER` protocol in the future.
+ .. versionchanged:: 3.10
+
+ The default cipher suites now include only secure AES and ChaCha20
+ ciphers with forward secrecy and security level 2. RSA and DH keys with
+ less than 2048 bits and ECC keys with less than 224 bits are prohibited.
+ :data:`PROTOCOL_TLS`, :data:`PROTOCOL_TLS_CLIENT`, and
+ :data:`PROTOCOL_TLS_SERVER` use TLS 1.2 as minimum TLS version.
+
:class:`SSLContext` objects have the following methods and attributes:
diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst
index 4f3953e..c37540c 100644
--- a/Doc/using/configure.rst
+++ b/Doc/using/configure.rst
@@ -441,12 +441,16 @@
* ``python`` (default): use Python's preferred selection;
* ``openssl``: leave OpenSSL's defaults untouched;
- * *STRING*: use a custom string, PROTOCOL_SSLv2 ignores the setting.
+ * *STRING*: use a custom string
See the :mod:`ssl` module.
.. versionadded:: 3.7
+ .. versionchanged:: 3.10
+
+ The settings ``python`` and *STRING* also set TLS 1.2 as minimum
+ protocol version.
macOS Options
-------------
diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst
index 797e1e3..a59e2e5 100644
--- a/Doc/whatsnew/3.10.rst
+++ b/Doc/whatsnew/3.10.rst
@@ -1105,6 +1105,13 @@
ssl
---
+The ssl module now has more secure default settings. Ciphers without forward
+secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
+weak RSA, DH, and ECC keys with less than 112 bits of security.
+:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
+Settings are based on Hynek Schlawack's research.
+(Contributed by Christian Heimes in :issue:`43998`.)
+
Add a *timeout* parameter to the :func:`ssl.get_server_certificate` function.
(Contributed by Zackery Spytz in :issue:`31870`.)