pyOpenSSL does not offer the possibility to enable supported cipherlist ordered precedence
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pyOpenSSL | New | Undecided | Unassigned |
Bug Description
pyOpenSSL does not offer the possibility to enable supported cipherlist ordered precedence.
Currently, in fact, pyOpenSSL permits only the definition of the supported list but does not export the option needed to enable ordered preference, that is "SSL_OP_
Because of this, pyOpenSSL is prone to the following two issues:
- Security issue: When more than one cipher is enabled (one secure and one more insecure), the more insecure one may be suggested first.
- Performance issue: When more than one cipher is enabled (only secure ones, but some faster than the others, like ECDH with respect to EDH), the slower one may be suggested first.
The bug has been spotted while developing Tor2web: https:/
A workaround until the symbol is exported by pyOpenSSL is: https:/
information type: | Private Security → Public |
information type: | Public → Public Security |