View Issue Details

ID: 0008097
Project: Kali Linux
Category: [All Projects] Kali Package Improvement
View Status: public
Last Update: 2022-12-21 12:42
Reporter: adrian.vollmer
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: kali-dev
Target Version:
Fixed in Version:
Summary: 0008097: Make Python use openssl's default SSL cipher settings
Description: Since Python 3.10, the security of the default SSL cipher settings has been
increased: https://bugs.python.org/issue43998

This causes issues, for example, with Certipy and Impacket, two very popular
Python packages among Kali Linux users. See for instance:
https://github.com/ly4k/Certipy/pull/110

The problem is exacerbated by the fact that changes to the Python library
ldap3 are needed to take full effect of the patch linked above, and ldap3
appears to be effectively unmaintained. See: https://github.com/cannatag/ldap3/pull/1067

Python does not respect the cipher settings defined in /etc/ssl/openssl.cnf
by default. Arguably, Kali Linux users have different needs than regular
users and should be empowered to configure as many parts of their system as
possible to suit their needs. That's why I propose to change Python's
behavior by setting a configure option at build time.

If we set the following configure option to `openssl`, users should be able
to allow weak cipher settings in all connections initiated by Python
programs: https://docs.python.org/3.10/using/configure.html#cmdoption-with-ssl-default-suites

At the same time, regular users who don't mess with config files should not
be affected and their cipher settings will not be weakened unexpectedly.

Please let me know whether you think that this is a sensible approach and
whether you are open to changing Python's configure options in order to
distribute custom builds.
Steps To Reproduce: Execute the following commands on an up-to-date Kali system:

$ python3.9 -c 'import requests; requests.get("https://dh1024.badssl.com/")'
$ python3.10 -c 'import requests; requests.get("https://dh1024.badssl.com/")'
ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997)
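The difference the report is about can be inspected from inside the interpreter without touching any network. The following diagnostic is an added example and is not part of the bug report, of CPython, or of the Kali/Debian packaging. It assumes a Python 3.10 or newer ssl module built against OpenSSL 1.1.0 or later (SSLContext.security_level is read with a fallback for older builds) and uses the cipher string "DEFAULT" as a stand-in for what a build configured with --with-ssl-default-suites=openssl would negotiate; the "@SECLEVEL=" modifier is what governs the DH_KEY_TOO_SMALL rejection shown above.

```python
import ssl

# Added diagnostic, not part of the bug report: compare the cipher list this
# interpreter installs by default with OpenSSL's own "DEFAULT" list, and show
# how the @SECLEVEL= modifier changes a context's security level.


def cipher_names(ctx):
    """Names of the cipher suites a context would offer, in preference order."""
    return [c["name"] for c in ctx.get_ciphers()]


def python_default_context():
    # create_default_context() starts from the cipher string compiled into the
    # interpreter: on an upstream 3.10+ build (--with-ssl-default-suites=python)
    # that is the hardened list from bpo-43998, which carries @SECLEVEL=2.
    return ssl.create_default_context()


def openssl_default_context():
    # Replacing the cipher list with OpenSSL's "DEFAULT" keyword approximates a
    # build made with --with-ssl-default-suites=openssl, where Python sets no
    # cipher list and OpenSSL (and /etc/ssl/openssl.cnf) decide. Assumption:
    # this does not re-read CipherString from openssl.cnf and keeps whatever
    # security level the context already had.
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT")
    return ctx


def compare_defaults():
    """Suites present in only one of the two lists."""
    py = set(cipher_names(python_default_context()))
    osl = set(cipher_names(openssl_default_context()))
    return {"python_only": sorted(py - osl), "openssl_only": sorted(osl - py)}


def security_level(ctx):
    # SSLContext.security_level exists from Python 3.10; None on older builds.
    return getattr(ctx, "security_level", None)


def context_at_seclevel(level):
    """A context whose OpenSSL security level is set through the cipher string.

    Level 2 (the Python 3.10 default) rejects DH parameters below 2048 bits,
    which is why dh1024.badssl.com fails above; level 1 still accepts 1024-bit
    DH. Lowering the level is a per-context decision, not something a
    hardened default should do for every program on the system.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT@SECLEVEL=%d" % level)
    return ctx


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("security level of default context:",
          security_level(python_default_context()))
    diff = compare_defaults()
    print("suites only in Python's default list:", diff["python_only"])
    print("suites only in OpenSSL's DEFAULT list:", diff["openssl_only"])
    for lvl in (1, 2):
        print("DEFAULT@SECLEVEL=%d -> security_level %s"
              % (lvl, security_level(context_at_seclevel(lvl))))
```

Running it on a stock 3.10 build typically shows a security level of 2 and a number of suites (notably SHA1-MAC and CCM suites) that OpenSSL's DEFAULT still offers but Python's list excludes; on a build with the proposed configure option the two lists would coincide and the level would come from openssl.cnf instead.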

Activities

daniruiz (manager), 2022-12-21 12:42, note ~0017270

Hello, and thank you for the suggestion!
The request has been filed in Debian's bug tracker too, to see what can be done directly in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026802

Issue History

Date Modified | Username | Field | Change
2022-12-12 16:55 | adrian.vollmer | New Issue |
2022-12-21 12:42 | daniruiz | Note Added: 0017270 |