Clean up DEFAULT_SSL_CIPHERS comments

This commit is contained in:
Jakub Roztocil 2023-05-19 21:50:58 +02:00
parent 4e29a6d561
commit d021b94b5d

View File

@ -8,29 +8,29 @@ from urllib3.util.ssl_ import (
resolve_ssl_version, resolve_ssl_version,
) )
# We used to import default SSL ciphers via `SSL_CIPHERS` from `urllib3` but its been removed,
# Default ciphers imported from urllib3 as a work around for https://github.com/httpie/httpie/issues/1499 # so weve copied the original list here.
# Removed from urllib3 in this commit: https://github.com/urllib3/urllib3/commit/e5eac0c # Our issue: <https://github.com/httpie/httpie/issues/1499>
#################### # Removal commit: <https://github.com/urllib3/urllib3/commit/e5eac0c>
# A secure default. DEFAULT_SSL_CIPHERS = ":".join([
# Sources for more information on TLS ciphers: # <urllib3>
# # A secure default.
# - https://wiki.mozilla.org/Security/Server_Side_TLS # Sources for more information on TLS ciphers:
# - https://www.ssllabs.com/projects/best-practices/index.html #
# - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # - https://wiki.mozilla.org/Security/Server_Side_TLS
# # - https://www.ssllabs.com/projects/best-practices/index.html
# The general intent is: # - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# - prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE), #
# - prefer ECDHE over DHE for better performance, # The general intent is:
# - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and # - prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE),
# security, # - prefer ECDHE over DHE for better performance,
# - prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common, # - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and
# - disable NULL authentication, MD5 MACs, DSS, and other # security,
# insecure ciphers for security reasons. # - prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common,
# - NOTE: TLS 1.3 cipher suites are managed through a different interface # - disable NULL authentication, MD5 MACs, DSS, and other
# not exposed by CPython (yet!) and are enabled by default if they're available. # insecure ciphers for security reasons.
DEFAULT_SSL_CIPHERS = ":".join( # - NOTE: TLS 1.3 cipher suites are managed through a different interface
[ # not exposed by CPython (yet!) and are enabled by default if they're available.
"ECDHE+AESGCM", "ECDHE+AESGCM",
"ECDHE+CHACHA20", "ECDHE+CHACHA20",
"DHE+AESGCM", "DHE+AESGCM",
@ -46,8 +46,8 @@ DEFAULT_SSL_CIPHERS = ":".join(
"!MD5", "!MD5",
"!DSS", "!DSS",
"!AESCCM", "!AESCCM",
] # </urllib3>
) ])
SSL_VERSION_ARG_MAPPING = { SSL_VERSION_ARG_MAPPING = {
'ssl2.3': 'PROTOCOL_SSLv23', 'ssl2.3': 'PROTOCOL_SSLv23',
'ssl3': 'PROTOCOL_SSLv3', 'ssl3': 'PROTOCOL_SSLv3',