Open oleksiilv opened 1 year ago
@jaraco, @webknjaz, maybe you can suggest something on this? Thanks.
When using pyOpenSSL, you should be able to set a custom ssl_context value. I don't remember if that's possible for the stdlib ssl module, off the top of my head. Looks like Cheroot does not accept it for the built-in option. FWIW I've been meaning to attempt redesigning the TLS interface for quite a while. I feel like exposing individual settings limits the ability of the end users to set up the context flexibly.
Thanks @webknjaz. Will try to switch from the builtin ssl module to pyOpenSSL with a custom ssl_context for this purpose.
@webknjaz @oleksiilv
Any updates on this? CherryPy by default leaves servers exposed to several CVEs. Ideally it provides something like:
cherrypy_cfg["server.ssl_protocol"] = "TLSv1.2"
I'm submitting a ...
Do you want to request a feature or report a bug? feature (or missing documentation)
What is the current behavior? It is not documented how we can disable TLS v1.1 when using the cherrypy ssl builtin (or pyopenssl) module.
I see some related questions on stackoverflow, but no specific answers: https://stackoverflow.com/questions/56693255/disable-tls1-0-and-tls1-1-on-cherrypy-python3
If the current behavior is a bug, please provide the steps to reproduce and, if possible, screenshots and logs of the problem. If you can, show us your code.
What is the expected behavior? A well-documented possibility to disable TLS v1.1 when using the cherrypy ssl builtin or pyopenssl module.
What is the motivation / use case for changing the behavior? TLS 1.2 was set as the minimum TLS version in the ssl module of Python 3.10 according to security recommendations. It will be very helpful to know how we can set a similar minimum TLS version when using CherryPy on Python 3.6.
Please tell us about your environment:
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.)
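Added example, not from this issue or from the CherryPy/Cheroot code: the stdlib-side counterpart of the custom context the thread discusses, pinning the protocol floor to TLS 1.2 in a way that also works on Python 3.6 (no ssl.TLSVersion there), plus a check that reports which pre-1.2 versions a context would still negotiate. Handing the context to the server via `cherrypy.server.ssl_context` is an assumption noted in the comments; as webknjaz says above, whether the builtin adapter honours it is the open point.

```python
import ssl

# Option flags available on Python 3.6 (OP_NO_TLSv1_1 exists since 3.4).
# Setting them is the portable way to raise the floor to TLS 1.2.
LEGACY_PROTOCOL_OPTIONS = (
    ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
)


def hardened_server_context(certfile=None, keyfile=None):
    """Return a server SSLContext whose lowest negotiable version is TLS 1.2."""
    # PROTOCOL_TLS_SERVER (3.6+) negotiates the highest version both sides support;
    # on 3.6 its default options still leave TLS 1.0 and 1.1 enabled.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= LEGACY_PROTOCOL_OPTIONS
    if hasattr(ssl, "TLSVersion"):  # 3.7+: also state the floor explicitly
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # server certificate + private key
    return ctx


def legacy_versions_enabled(ctx):
    """Names of the pre-TLS-1.2 protocols that ctx would still negotiate."""
    if hasattr(ssl, "TLSVersion") and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2:
        return []  # an explicit floor excludes everything below it
    checks = [
        ("SSLv3", ssl.OP_NO_SSLv3),
        ("TLSv1", ssl.OP_NO_TLSv1),
        ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ]
    return [name for name, flag in checks if not ctx.options & flag]


def is_tls12_floor(ctx):
    """True when neither SSLv3, TLS 1.0 nor TLS 1.1 can be negotiated."""
    return legacy_versions_enabled(ctx) == []


if __name__ == "__main__":
    ctx = hardened_server_context()  # no certificate: context only, for inspection
    print("still enabled:", legacy_versions_enabled(ctx))  # prints: still enabled: []
    # Wiring (assumption, not confirmed in the thread): CherryPy passes
    # cherrypy.server.ssl_context to the adapter it builds; for the pyOpenSSL
    # adapter the equivalent context is OpenSSL.SSL.Context with
    # set_options(OpenSSL.SSL.OP_NO_TLSv1 | OpenSSL.SSL.OP_NO_TLSv1_1).
```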