Set OP_NO_COMPRESSION & OP_CIPHER_SERVER_PREFERENCE on TLS contexts
|Reported by:||hynek||Owned by:||hynek|
(diff, github, buildbot, log)
There is a broad consensus that there are two options that should always be set:
- OP_NO_COMPRESSION (CRIME attacks, seems like most OpenSSLs set that as default nowadays but still)
- OP_CIPHER_SERVER_PREFERENCE (if we push for secure ciphers, we should make sure they get used too)
Both are missing in pyOpenSSL at the moment but we can easily wing it for now.
Confusingly, OP_NO_COMPRESSION is documented in my self-built pyOpenSSL docs ( http://glui.me/?i=3b37w0j9wemcrsl/2013-10-25_at_14.30.png – maybe I’ve built them from a bzr checkout? been a while) and my OpenSSL should have support for it but I can’t find it neither in the official docs at http://pythonhosted.org/pyOpenSSL/openssl-ssl.html nor in the actual library. In any case we’d have to take into account that the underlying (Py)OpenSSL may not support either.
Implementation is trivial, I’d just wait for #6772 to land in trunk because it’s laying groundwork for setting options.
Change History (6)
comment:5 Changed 10 months ago by exarkun
- Keywords review removed
- Owner changed from exarkun to hynek
- Status changed from assigned to new