Can't reorder TLS 1.3 ciphersuites

[d0146263-8194-44c4-b668-e20f19924774]

BPO	36484
Nosy	@tiran, @Dreamsorcerer, @sanchayanghosh
PRs	python/cpython#31607
Files	0001-Add-TLS-v1.3-cipher-suite-set-function.patch: Patch for review

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields: ```python assignee = 'https://github.com/tiran' closed_at = None created_at = labels = ['expert-SSL', 'type-feature', '3.8'] title = "Can't reorder TLS 1.3 ciphersuites" updated_at = user = 'https://bugs.python.org/EA' ``` bugs.python.org fields: ```python activity = actor = 'sanchayanghosh' assignee = 'christian.heimes' closed = False closed_date = None closer = None components = ['SSL'] creation = creator = 'EA' dependencies = [] files = ['50652'] hgrepos = [] issue_num = 36484 keywords = ['patch'] message_count = 5.0 messages = ['339188', '339274', '339276', '414166', '414167'] nosy_count = 4.0 nosy_names = ['christian.heimes', 'EA', 'dreamsorcerer', 'sanchayanghosh'] pr_nums = ['31607'] priority = 'normal' resolution = None stage = 'patch review' status = 'open' superseder = None type = 'enhancement' url = 'https://bugs.python.org/issue36484' versions = ['Python 3.8'] ```

[d0146263-8194-44c4-b668-e20f19924774]

Wen using the SSL module, I need to be able to reorder the ciphersuites list in TLS 1.3. I was able to do this with python using SSLContext.set_ciphers(ciphers) when working with TLS 1.2. But this is not possible with TLS 1.3 ciphersuites. The need to reorder the ciphersuites is needed because one might need a specific order to simulate specific TLS client that send the ciphersuites in specific order. Unfortunately this is seems not possible now in python with TLS 1.3 as the comment in the documentations says: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers

Can you please consider this post as a feature request? Or clarify to me how to reorder the ciphersuites list when working with TLS 1.3?

[tiran]

I don't have plans to implement cipher suite selection for TLS 1.3 any time soon, maybe not at all. TLS 1.3 changed cipher selection a lot, making the API more complicated. The signature algorithm and key agreement groups are handled as separate extensions, resulting in three additional APIs.

Applications shouldn't modify the cipher suites any more. These days TLS libraries provide a good and safe selection of suites. Weak ciphers should be disabled by either a security update of the TLS library or system-wide settings.

There is one workaround: You can influence connection parameters with an OpenSSL config file [1][2] by setting OPENSSL_CONF env var. OpenSSL parses the file only once, so you have to set it before you start Python.

[1] https://www.openssl.org/docs/manmaster/man5/config.html [2] https://fedoraproject.org/wiki/Changes/CryptoPolicy

[d0146263-8194-44c4-b668-e20f19924774]

Thanks. Just to clarify regarding your comment: "Applications shouldn't modify the cipher suites any more.": I use python to develop scripts for running experiments, which requires me to simulate specific clients precisely including their TLS 1.3 ciphers order. As you know, TLS 1.3 can not have weak ciphers and only 3 or 4 secure ones are permitted by design. But still the order should be accurate in simulation experiment settings. This is different from ordinary development. It is a bit disappointing that the developer can re-order the weaker ones (in TLS 1.2) but not TLS 1.3. However, thanks again for your reply.

On Sun, Mar 31, 2019 at 8:46 PM Christian Heimes \report@bugs.python.org\ wrote:

Christian Heimes \lists@cheimes.de\ added the comment:

I don't have plans to implement cipher suite selection for TLS 1.3 any time soon, maybe not at all. TLS 1.3 changed cipher selection a lot, making the API more complicated. The signature algorithm and key agreement groups are handled as separate extensions, resulting in three additional APIs.

Applications shouldn't modify the cipher suites any more. These days TLS libraries provide a good and safe selection of suites. Weak ciphers should be disabled by either a security update of the TLS library or system-wide settings.

There is one workaround: You can influence connection parameters with an OpenSSL config file [1][2] by setting OPENSSL_CONF env var. OpenSSL parses the file only once, so you have to set it before you start Python.

[1] https://www.openssl.org/docs/manmaster/man5/config.html [2] https://fedoraproject.org/wiki/Changes/CryptoPolicy

----------

---

Python tracker \report@bugs.python.org\ \https://bugs.python.org/issue36484\

---

[e54ab0f3-b7cb-4f06-8414-ebfcbc9f4b11]

I have written a function that will allow us to reorder TLS v1.3. Since I have tried to keep a 1-1 binding, you will have to first remove the cipher suites entirely by giving a blank string, and then add TLS v1.2 and v1.3 cipher suites.

[e54ab0f3-b7cb-4f06-8414-ebfcbc9f4b11]

Here is the PR as well. While I agree that there is no more a reason to reorder cipher suites and that we should use our certificates to basically ensure a secure connection, the advantage of the OpenSSL API is it provides us the function to influence the selection of cipher suites.

So, as a first step, I have added the binding for selecting TLS v1.3 cipher suites. And in 2 other pull requests, I will provide the API implementation for the other, for users who may just want a way to access OpenSSL through Python.

[slavkoja]

Applications shouldn't modify the cipher suites any more. These days TLS libraries provide a good and safe selection of suites. Weak ciphers should be disabled by either a security update of the TLS library or system-wide settings.

While can be true for end user applications, it is wrong direction for system apps, and it doesn't matter if that are tools to check system settings or servers, or something other. Changing system default for one app is not desirable.

Despite that ciphers suites count was lowered in TLS1.3 and there are not insecure suites (for now), there are TLS 1.3 suites not enabled by default in openssl (eg. CCM) and it enables all groups by default, and eg. the big FFDH groups are worth to configure (disable) eg. for servers, if not required.

There is one workaround: You can influence connection parameters with an OpenSSL config file [1][2] by setting OPENSSL_CONF env var. OpenSSL parses the file only once, so you have to set it before you start Python.

While this workaround will work, it is not enough flexible, nor configurable from python itself, thus one have restart tool with different environment. In other words, it is not replacement.

If this will not change by default, please document it in clear way in ssl module. eg.: "TLS 1.3 is supported only partially, one can use it, but cannot configure its details".

[GunGunGun]

Applications shouldn't modify the cipher suites any more. These days TLS libraries provide a good and safe selection of suites. Weak ciphers should be disabled by either a security update of the TLS library or system-wide settings.

Why not because nowadays a lot of websites use TLS Fingerprint technique to block non-web browser traffic, and Python automatically get that treatment for example Cloudflare, try to open this website with Python and it always return 403: https://alternativeto.net

And it returns 200 with any real web browser.