diff options
| author | Christian Heimes <christian@python.org> | 2017-05-02 12:37:51 +0200 |
|---|---|---|
| committer | Christian Heimes <christian@python.org> | 2017-05-02 14:36:31 +0200 |
| commit | c5a1a0553019521dba9fd7ebbed9e8ecbeb76615 (patch) | |
| tree | 6bf1ef08362ee53925c9aa0ccf42e3f2ba435c6d | |
| parent | a68917a4135ff1fccc5229a6083ac8478be056dc (diff) | |
| download | urllib3-c5a1a0553019521dba9fd7ebbed9e8ecbeb76615.tar.gz | |
Add TLS 1.3 cipher suites
Signed-off-by: Christian Heimes <christian@python.org>
| -rw-r--r-- | urllib3/contrib/_securetransport/bindings.py | 3 | ||||
| -rw-r--r-- | urllib3/contrib/securetransport.py | 3 | ||||
| -rw-r--r-- | urllib3/util/ssl_.py | 6 |
3 files changed, 11 insertions, 1 deletions
diff --git a/urllib3/contrib/_securetransport/bindings.py b/urllib3/contrib/_securetransport/bindings.py index e26b8408..bcf41c02 100644 --- a/urllib3/contrib/_securetransport/bindings.py +++ b/urllib3/contrib/_securetransport/bindings.py @@ -588,3 +588,6 @@ class SecurityConst(object): TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F + TLS_AES_128_GCM_SHA256 = 0x1301 + TLS_AES_256_GCM_SHA384 = 0x1302 + TLS_CHACHA20_POLY1305_SHA256 = 0x1303 diff --git a/urllib3/contrib/securetransport.py b/urllib3/contrib/securetransport.py index 72b23ab1..2cac70f7 100644 --- a/urllib3/contrib/securetransport.py +++ b/urllib3/contrib/securetransport.py @@ -91,6 +91,9 @@ SSL_WRITE_BLOCKSIZE = 16384 # individual cipher suites. We need to do this becuase this is how # SecureTransport wants them. CIPHER_SUITES = [ + SecurityConst.TLS_AES_256_GCM_SHA384, + SecurityConst.TLS_CHACHA20_POLY1305_SHA256, + SecurityConst.TLS_AES_128_GCM_SHA256, SecurityConst.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SecurityConst.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SecurityConst.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, diff --git a/urllib3/util/ssl_.py b/urllib3/util/ssl_.py index 33d428ed..32fd9eda 100644 --- a/urllib3/util/ssl_.py +++ b/urllib3/util/ssl_.py @@ -61,13 +61,17 @@ except ImportError: # - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # # The general intent is: -# - Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE), +# - Prefer TLS 1.3 cipher suites +# - prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE), # - prefer ECDHE over DHE for better performance, # - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and # security, # - prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common, # - disable NULL authentication, MD5 MACs and DSS for security reasons. DEFAULT_CIPHERS = ':'.join([ + 'TLS13-AES-256-GCM-SHA384', + 'TLS13-CHACHA20-POLY1305-SHA256', + 'TLS13-AES-128-GCM-SHA256', 'ECDH+AESGCM', 'ECDH+CHACHA20', 'DH+AESGCM', |