I've confirmed that Python 3.9.22 was released at AIX Toolbox last week, and it uses openssl shared library which is installed on a system instead of using static one which is embedded in Python image. Thanks to the update, we can specify custom openssl.cnf to control cipher suites to be used for TLS1.3.
>>> before changing the openssl.cnf
Python 3.9.22
>>> import ssl
>>> context = ssl.create_default_context()
>>> ciphers = context.get_ciphers()
>>> for c in ciphers:
... if c["protocol"] == "TLSv1.3":
... print (c["name"])
...
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256 <===== CHACHA20 is included as a default cipher
TLS_AES_128_GCM_SHA256
>>> after changing the openssl.cnf like the following
[openssl_init]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 <=== TLS1.3 ciphers excluding CHACHA20
Python 3.9.22
>>> import ssl
>>> context = ssl.create_default_context()
>>> ciphers = context.get_ciphers()
>>> for c in ciphers:
... if c["protocol"] == "TLSv1.3":
... print (c["name"])
...
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
------------------------------
YUKI
------------------------------
Original Message:
Sent: Mon May 19, 2025 03:49 AM
From: Ayappan P
Subject: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library
Here is the SPEC file for build instructions --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SPECS/python3.9-3.9.20-1.spec
------------------------------
Ayappan P
Original Message:
Sent: Mon May 19, 2025 03:31 AM
From: YUKI ASAKURA
Subject: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library
Thank you so much for your prompt reply! I understood, but is there any instructions to build CPython for AIX by myself?
------------------------------
YUKI
Original Message:
Sent: Mon May 19, 2025 03:16 AM
From: Ayappan P
Subject: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library
I think you have to explore other workarounds to disable CHACHA20 cipher suite for the applications. We are not going to patch Python's ssl module for this, in line with the Python community.
------------------------------
Ayappan P
Original Message:
Sent: Sun May 18, 2025 11:37 PM
From: YUKI ASAKURA
Subject: exclude TLS1.3 CHACHA20 cipher suites from Python ssl library
CHACHA20 is one of the default cipher suites of TLS1.3, but it is not FIPS certified algorithms. There may be some customers who want to use TLS1.3 but don't want to use CHACHA20.
We are using default ssl library which is bundled in Python, and the library uses CHACHA20 as a default when we enable TLS1.3, and we are not able to disable CHACHA20 because default ssl library in Python calls static openssl library and it is embedded in Python package.
I was wondering if you could create a custom static openssl library excluding CHACHA20, and bundle it in Python ?
If it is not possible, you may be able to apply a patch to reorder the cipher suites for TLS1.3 discussed in Issue 36484: Can't reorder TLS 1.3 ciphersuites - Python tracker.
Until TLS1.2, we can reorder the ciphers but openssl APIs are added when TLS1.3 support, and Python community doesn't seem to have any plan to apply the patch to main stream...
| Python | remove preview |
| | Issue 36484: Can't reorder TLS 1.3 ciphersuites - Python tracker | | Here is the PR as well. While I agree that there is no more a reason to reorder cipher suites and that we should use our certificates to basically ensure a secure connection, the advantage of the OpenSSL API is it provides us the function to influence the selection of cipher suites. | | View this on Python > |
|
|
------------------------------
YUKI
------------------------------