AIX Open Source

AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

 View Only
  • 1.  exclude TLS1.3 CHACHA20 cipher suites from Python ssl library

    Posted Mon May 19, 2025 01:22 AM

    CHACHA20 is one of the default cipher suites of TLS1.3, but it is not FIPS certified algorithms. There may be some customers who want to use TLS1.3 but don't want to use CHACHA20.

    We are using default ssl library which is bundled in Python, and the library uses CHACHA20 as a default when we enable TLS1.3, and we are not able to disable CHACHA20 because default ssl library in Python calls static openssl library and it is embedded in Python package.

    I was wondering if you could create a custom static openssl library excluding CHACHA20, and bundle it in Python ?

    If it is not possible, you may be able to apply a patch to reorder the cipher suites for TLS1.3 discussed in Issue 36484: Can't reorder TLS 1.3 ciphersuites - Python tracker.

    Until TLS1.2, we can reorder the ciphers but openssl APIs are added when TLS1.3 support, and Python community doesn't seem to have any plan to apply the patch to main stream...

    Python remove preview
    Issue 36484: Can't reorder TLS 1.3 ciphersuites - Python tracker
    Here is the PR as well. While I agree that there is no more a reason to reorder cipher suites and that we should use our certificates to basically ensure a secure connection, the advantage of the OpenSSL API is it provides us the function to influence the selection of cipher suites.
    View this on Python >

     



    ------------------------------
    YUKI
    ------------------------------


  • 2.  RE: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library

    Posted Mon May 19, 2025 03:17 AM

     I think you have to explore other workarounds to disable CHACHA20 cipher suite for the applications. We are not going to patch Python's ssl module for this,  in line with the Python community. 



    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library

    Posted Mon May 19, 2025 03:31 AM

    Thank you so much for your prompt reply! I understood, but is there any instructions to build CPython for AIX by myself?



    ------------------------------
    YUKI
    ------------------------------



  • 4.  RE: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library

    Posted Mon May 19, 2025 03:50 AM

    Here is the SPEC file for build instructions --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SPECS/python3.9-3.9.20-1.spec



    ------------------------------
    Ayappan P
    ------------------------------



  • 5.  RE: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library

    Posted 26 days ago

    I've confirmed that Python 3.9.22 was released at AIX Toolbox last week, and it uses openssl shared library which is installed on a system instead of using static one which is embedded in Python image. Thanks to the update, we can specify custom openssl.cnf to control cipher suites to be used for TLS1.3.

    >>> before changing the openssl.cnf
     
    Python 3.9.22 
    >>> import ssl
    >>> context = ssl.create_default_context()
    >>> ciphers = context.get_ciphers()
    >>> for c in ciphers:
    ...   if c["protocol"] == "TLSv1.3":
    ...      print (c["name"])
    ...
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256 <===== CHACHA20 is included as a default cipher
    TLS_AES_128_GCM_SHA256
     
     
    >>> after changing the openssl.cnf like the following
    
    [openssl_init]
    ssl_conf = ssl_configuration
    
    [ssl_configuration]
    system_default = tls_system_default
    
    [tls_system_default]
    Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 <=== TLS1.3 ciphers excluding CHACHA20
     
    
    
    Python 3.9.22
    >>> import ssl
    >>> context = ssl.create_default_context()
    >>> ciphers = context.get_ciphers()
    >>> for c in ciphers:
    ...   if c["protocol"] == "TLSv1.3":
    ...      print (c["name"])
    ...
    TLS_AES_256_GCM_SHA384
    TLS_AES_128_GCM_SHA256


    ------------------------------
    YUKI
    ------------------------------