View Issue Details

ID: 0008097
Project: Kali Linux
Category: Kali Package Improvement
View Status: public
Last Update: 2023-02-09 08:51
Reporter: adrian.vollmer
Assigned To: rhertzog
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: kali-dev
Fixed in Version: 2023.1
Summary: 0008097: Make Python use openssl's default SSL cipher settings
Description

Since Python 3.10, the security of the default SSL cipher settings has been
increased: https://bugs.python.org/issue43998

This causes issues, for example, with Certipy and Impacket, two very popular
Python packages among Kali Linux users. See for instance:
https://github.com/ly4k/Certipy/pull/110

The problem is exacerbated by the fact that changes to the Python library
ldap3 are needed to take full effect of the patch linked above, and ldap3
appears to be effectively unmaintained. See: https://github.com/cannatag/ldap3/pull/1067

Python does not respect the cipher settings defined in /etc/ssl/openssl.cnf
by default. Arguably, Kali Linux users have different needs than regular
users and should be empowered to configure as many parts of their system as
possible to suit their needs. That's why I propose to change Python's
behavior by setting a configure option at build time.

If we set the following configure option to openssl, users should be able
to allow weak cipher settings in all connections initiated by Python
programs: https://docs.python.org/3.10/using/configure.html#cmdoption-with-ssl-default-suites

At the same time, regular users who don't mess with config files should not
be affected and their cipher settings will not be weakened unexpectedly.

Please let me know whether you think that this is a sensible approach and
whether you are open to changing Python's configure options in order to
distribute custom builds.

Steps To Reproduce

Execute the following commands on an up-to-date Kali system:

$ python3.9 -c 'import requests; requests.get("https://dh1024.badssl.com/")'
$ python3.10 -c 'import requests; requests.get("https://dh1024.badssl.com/")'
ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997)
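The report contrasts two cipher policies (Python's curated default list versus OpenSSL's own DEFAULT string, the one selected by the --with-ssl-default-suites=openssl configure option) and shows the DH_KEY_TOO_SMALL failure that the stricter policy produces. The script below is an added example, not code from the issue or from Kali; it inspects which policy the running interpreter was built with, turns the error string from the report into a diagnosis, and shows the scoped alternative to weakening every Python connection: lowering the OpenSSL security level on one context while leaving certificate and hostname verification on. The equality check in uses_openssl_defaults() is a heuristic (an openssl.cnf that sets a CipherString other than DEFAULT would make both builds differ from it), and the error strings and the reason-code table are constructed for the example.

```python
"""Added example (not part of the Kali issue): inspect the interpreter's
default TLS cipher policy and diagnose DH_KEY_TOO_SMALL without weakening
the whole interpreter."""
import re
import ssl


def default_cipher_names():
    """Cipher suites offered by ssl.create_default_context().

    Built with --with-ssl-default-suites=python (the CPython default since
    3.10) this is Python's curated list; built with =openssl it is whatever
    OpenSSL's own default (and openssl.cnf) selects.
    """
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


def openssl_default_cipher_names():
    """Cipher suites selected by OpenSSL's own 'DEFAULT' cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT")
    return [c["name"] for c in ctx.get_ciphers()]


def uses_openssl_defaults():
    """Heuristic: True when the default context is identical to OpenSSL's
    DEFAULT list, which is what a --with-ssl-default-suites=openssl build
    (or a build whose openssl.cnf CipherString equals DEFAULT) produces."""
    return default_cipher_names() == openssl_default_cipher_names()


# Python formats OpenSSL failures as "[SSL: REASON_CODE] human text (_ssl.c:NNN)".
_REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")

# Constructed advice table for the key-size reason codes raised by OpenSSL's
# security level checks (SECLEVEL 2 requires >= 2048-bit DH/RSA).
_ADVICE = {
    "DH_KEY_TOO_SMALL": "server offered a DH group below the OpenSSL security "
                        "level (1024-bit at SECLEVEL 2); fix the server's DH "
                        "parameters, or scope a SECLEVEL override to this host",
    "EE_KEY_TOO_SMALL": "server certificate key is below the security level; "
                        "the endpoint needs a stronger certificate",
    "CA_KEY_TOO_SMALL": "a CA certificate in the chain has a key below the "
                        "security level; the chain needs re-issuing",
}


def diagnose(error_text):
    """Map an ssl.SSLError message to (reason_code, advice); None if the text
    is not an OpenSSL-formatted SSL error."""
    match = _REASON_RE.search(error_text)
    if match is None:
        return None
    reason = match.group(1)
    return reason, _ADVICE.get(reason, "see OpenSSL's reason code documentation")


def legacy_host_context(cafile=None):
    """Context for ONE known-legacy endpoint.

    Verification and hostname checking stay on; only the OpenSSL security
    level drops to 1 so a 1024-bit DH group is accepted. This is the scoped
    alternative to lowering ciphers system-wide; fixing the server is better.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_ciphers("DEFAULT:@SECLEVEL=1")
    return ctx


if __name__ == "__main__":
    # Constructed sample: the traceback line quoted in the bug report.
    sample = "ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997)"
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("default context matches OpenSSL DEFAULT:", uses_openssl_defaults())
    print("python-only suites:",
          sorted(set(default_cipher_names()) - set(openssl_default_cipher_names())))
    print("openssl-only suites:",
          sorted(set(openssl_default_cipher_names()) - set(default_cipher_names())))
    print("diagnosis:", diagnose(sample))
```

Running it on a stock CPython build typically lists RSA key-exchange suites such as AES256-GCM-SHA384 under "openssl-only", which is exactly the set the page's configure option would hand back to openssl.cnf control; on a build with --with-ssl-default-suites=openssl both difference sets are empty. Note that get_ciphers() reports the configured list, not what the security level will reject at handshake time, so DH_KEY_TOO_SMALL cannot be predicted from it alone.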

Activities

daniruiz (manager), 2022-12-21 12:42, ~0017270

Hello, and thank you for the suggestion!
The request has been filed in Debian's bug tracker too, to see what can be done directly in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026802

rhertzog (administrator), 2023-02-09 08:51, ~0017487

This has been fixed in Python 3.11.2-2 which landed in Debian recently and will reach kali-rolling in a few days.

Issue History

Date Modified Username Field Change
2022-12-12 16:55 adrian.vollmer New Issue
2022-12-21 12:42 daniruiz Note Added: 0017270
2023-02-09 08:51 rhertzog Assigned To => rhertzog
2023-02-09 08:51 rhertzog Status new => resolved
2023-02-09 08:51 rhertzog Resolution open => fixed
2023-02-09 08:51 rhertzog Fixed in Version => 2023.1
2023-02-09 08:51 rhertzog Note Added: 0017487