mirror of
https://github.com/httpie/cli.git
synced 2024-11-25 01:03:27 +01:00
Clean up DEFAULT_SSL_CIPHERS
comments
This commit is contained in:
parent
4e29a6d561
commit
d021b94b5d
@ -8,29 +8,29 @@ from urllib3.util.ssl_ import (
|
|||||||
resolve_ssl_version,
|
resolve_ssl_version,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# We used to import default SSL ciphers via `SSL_CIPHERS` from `urllib3` but it’s been removed,
|
||||||
# Default ciphers imported from urllib3 as a work around for https://github.com/httpie/httpie/issues/1499
|
# so we’ve copied the original list here.
|
||||||
# Removed from urllib3 in this commit: https://github.com/urllib3/urllib3/commit/e5eac0c
|
# Our issue: <https://github.com/httpie/httpie/issues/1499>
|
||||||
####################
|
# Removal commit: <https://github.com/urllib3/urllib3/commit/e5eac0c>
|
||||||
# A secure default.
|
DEFAULT_SSL_CIPHERS = ":".join([
|
||||||
# Sources for more information on TLS ciphers:
|
# <urllib3>
|
||||||
#
|
# A secure default.
|
||||||
# - https://wiki.mozilla.org/Security/Server_Side_TLS
|
# Sources for more information on TLS ciphers:
|
||||||
# - https://www.ssllabs.com/projects/best-practices/index.html
|
#
|
||||||
# - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
# - https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||||
#
|
# - https://www.ssllabs.com/projects/best-practices/index.html
|
||||||
# The general intent is:
|
# - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
||||||
# - prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE),
|
#
|
||||||
# - prefer ECDHE over DHE for better performance,
|
# The general intent is:
|
||||||
# - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and
|
# - prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE),
|
||||||
# security,
|
# - prefer ECDHE over DHE for better performance,
|
||||||
# - prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common,
|
# - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and
|
||||||
# - disable NULL authentication, MD5 MACs, DSS, and other
|
# security,
|
||||||
# insecure ciphers for security reasons.
|
# - prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common,
|
||||||
# - NOTE: TLS 1.3 cipher suites are managed through a different interface
|
# - disable NULL authentication, MD5 MACs, DSS, and other
|
||||||
# not exposed by CPython (yet!) and are enabled by default if they're available.
|
# insecure ciphers for security reasons.
|
||||||
DEFAULT_SSL_CIPHERS = ":".join(
|
# - NOTE: TLS 1.3 cipher suites are managed through a different interface
|
||||||
[
|
# not exposed by CPython (yet!) and are enabled by default if they're available.
|
||||||
"ECDHE+AESGCM",
|
"ECDHE+AESGCM",
|
||||||
"ECDHE+CHACHA20",
|
"ECDHE+CHACHA20",
|
||||||
"DHE+AESGCM",
|
"DHE+AESGCM",
|
||||||
@ -46,8 +46,8 @@ DEFAULT_SSL_CIPHERS = ":".join(
|
|||||||
"!MD5",
|
"!MD5",
|
||||||
"!DSS",
|
"!DSS",
|
||||||
"!AESCCM",
|
"!AESCCM",
|
||||||
]
|
# </urllib3>
|
||||||
)
|
])
|
||||||
SSL_VERSION_ARG_MAPPING = {
|
SSL_VERSION_ARG_MAPPING = {
|
||||||
'ssl2.3': 'PROTOCOL_SSLv23',
|
'ssl2.3': 'PROTOCOL_SSLv23',
|
||||||
'ssl3': 'PROTOCOL_SSLv3',
|
'ssl3': 'PROTOCOL_SSLv3',
|
||||||
|
Loading…
Reference in New Issue
Block a user