Possibility to disable TLS v1.1 when using cherrypy ssl builtin (or pyopenssl) module #1978

Open
1 of 3 tasks
oleksiilv opened this issue Aug 19, 2022 · 4 comments
oleksiilv commented Aug 19, 2022

I'm submitting a ...

  • bug report
  • feature request
  • question about the decisions made in the repository

Do you want to request a feature or report a bug?
feature (or missing documentation)

What is the current behavior?
It is not documented how we can disable TLS v1.1 when using the cherrypy ssl builtin (or pyopenssl) module.

I see some related questions on Stack Overflow, but no specific answers:
https://stackoverflow.com/questions/56693255/disable-tls1-0-and-tls1-1-on-cherrypy-python3

If the current behavior is a bug, please provide the steps to reproduce and if possible a screenshots and logs of the problem. If you can, show us your code.

What is the expected behavior?
A well-documented possibility to disable TLS v1.1 when using the cherrypy ssl builtin or pyopenssl module.

What is the motivation / use case for changing the behavior?
TLS 1.2 was set as the minimum TLS version in the ssl module of Python 3.10 according to security recommendations. It will be very helpful to know how we can set a similar minimum TLS version when using CherryPy on Python 3.6.

Please tell us about your environment:

  • Cheroot version: X.X.X
  • CherryPy version: X.X.X
  • Python version: 3.6.X
  • OS: XXX
  • Browser: [all | Chrome XX | Firefox XX | IE XX | Safari XX | Mobile Chrome XX | Android X.X Web Browser | iOS XX Safari | iOS XX UIWebView | iOS XX WKWebView ]

Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.)

oleksiilv (author) commented

@jaraco, @webknjaz, maybe you can suggest something on this? Thanks.

webknjaz (member) commented Sep 8, 2022

When using pyOpenSSL, you should be able to set a custom ssl_context value. I don't remember if that's possible for the stdlib ssl module, off the top of my head. Looks like Cheroot does not accept it for the built-in option. FWIW I've been meaning to attempt redesigning the TLS interface for quite a while. I feel like exposing individual settings limits the ability of the end users to set up the context flexibly.
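
An added example (not code from the CherryPy or Cheroot projects, and not posted by anyone in this thread) of the route described above: build a context whose floor is TLS 1.2 and hand it to CherryPy through the pyOpenSSL adapter. The stdlib helper covers both Python 3.7+ (`minimum_version`) and the 3.6 fallback (`OP_NO_*` bits) asked about in the issue; the CherryPy wiring assumes the `cherrypy.server.ssl_module` and `cherrypy.server.ssl_context` server attributes, which should be checked against the CherryPy version in use. Certificate paths are placeholders.

```python
"""Hardened TLS floor for a CherryPy/Cheroot server (added example).

- build_stdlib_context: ssl.SSLContext that refuses TLS 1.0 and 1.1.
- build_pyopenssl_context: the same floor for pyOpenSSL, which is the
  context type Cheroot's 'pyopenssl' adapter consumes.
- configure_cherrypy: point CherryPy at that adapter and context.
"""
import ssl


def build_stdlib_context(certfile=None, keyfile=None):
    """Return an ssl.SSLContext whose minimum protocol is TLS 1.2.

    Python >= 3.7 exposes ``minimum_version``; on 3.6 the OP_NO_* option
    bits are the only way to express the floor, so both paths are kept.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # available since 3.6
    if hasattr(ssl, "TLSVersion"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:  # Python 3.6 fallback: forbid every version below TLS 1.2
        ctx.options |= (
            ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
            | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
        )
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol a stdlib context will negotiate."""
    return ctx.minimum_version.name


def allows_legacy_tls(ctx):
    """True if a stdlib context would still accept TLS 1.0 or 1.1."""
    if hasattr(ctx, "minimum_version"):
        return ctx.minimum_version < ssl.TLSVersion.TLSv1_2
    legacy = ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return (ctx.options & legacy) != legacy


def build_pyopenssl_context(certfile, keyfile):
    """Same floor for pyOpenSSL (requires the pyOpenSSL package).

    Imported lazily so the stdlib helpers work without pyOpenSSL installed.
    """
    from OpenSSL import SSL

    ctx = SSL.Context(SSL.SSLv23_METHOD)  # negotiate the highest shared version
    ctx.set_options(
        SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3
        | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1
    )
    ctx.use_certificate_chain_file(certfile)
    ctx.use_privatekey_file(keyfile)
    return ctx


def configure_cherrypy(certfile, keyfile, host="0.0.0.0", port=8443):
    """Select the pyOpenSSL adapter and attach the hardened context.

    Assumption: CherryPy passes ``cherrypy.server.ssl_context`` through to
    the Cheroot adapter when ``ssl_module`` is 'pyopenssl'.
    """
    import cherrypy

    cherrypy.server.socket_host = host
    cherrypy.server.socket_port = port
    cherrypy.server.ssl_module = "pyopenssl"
    cherrypy.server.ssl_certificate = certfile
    cherrypy.server.ssl_private_key = keyfile
    cherrypy.server.ssl_context = build_pyopenssl_context(certfile, keyfile)
    return cherrypy.server


if __name__ == "__main__":
    # Stand-alone check that needs no certificate: inspect the stdlib floor.
    floor = build_stdlib_context()
    print("minimum version:", minimum_version_name(floor),
          "| legacy TLS allowed:", allows_legacy_tls(floor))
    # With real files (placeholders here):
    # configure_cherrypy("/path/to/server.pem", "/path/to/server.key")
```

`SSLv23_METHOD` is used instead of a version-pinned method because pinning (e.g. a TLSv1_2-only method) would also refuse TLS 1.3; the option bits cut off the bottom of the range while leaving the top open. To confirm the floor against a running server rather than by inspecting the context, connect with a client whose `maximum_version` is `TLSv1_1` and expect the handshake to fail.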

oleksiilv (author) commented

Thanks @webknjaz. Will try to switch from the builtin ssl module to pyOpenSSL with a custom ssl_context for this purpose.

gaby commented Jun 6, 2023

@webknjaz @oleksiilv

Any updates on this? CherryPy by default leaves servers exposed to several CVEs. Ideally it provides something like:

cherrypy_cfg["server.ssl_protocol"] = "TLSv1.2"
