View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0008097||Kali Linux||[All Projects] Kali Package Improvement||public||2022-12-12 16:55||2022-12-21 12:42|
|Target Version||Fixed in Version|
|Summary||0008097: Make Python use openssl's default SSL cipher settings|
|Description||Since Python 3.10, the security of the default SSL cipher settings has been
This causes issues, for example, with Certipy and Impacket, two very popular
Python packages among Kali Linux users. See for instance:
The problem is exacerbated by the fact that changes to the Python library
ldap3 are needed to take full effect of the patch linked above, and ldap3
appears to be effectively unmaintained. See: https://github.com/cannatag/ldap3/pull/1067
Python does not respect the cipher settings defined in /etc/ssl/openssl.cnf
by default. Arguably, Kali Linux users have different needs than regular
users and should be empowered to configure as many parts of their system as
possible to suit their needs. That's why I propose to change Python's
behavior by setting a configure option at build time.
If we set the following configure option to `openssl`, users should be able
to allow weak cipher settings in all connections initiated by Python
At the same time, regular users who don't mess with config files should not
be affected and their cipher settings will not be weakened unexpectedly.
Please let me know whether you think that this is a sensible approach and
whether you are open to changing Python's configure options in order to
distribute custom builds.
|Steps To Reproduce||Execute the following commands on an up-to-date Kali system:|
$ python3.9 -c 'import requests; requests.get("https://dh1024.badssl.com/")'
$ python3.10 -c 'import requests; requests.get("https://dh1024.badssl.com/")'
ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997)
Hello, and thank you for the suggestion!
The request has been filed in Debian's bugtracker too, to see what can be done directly in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026802
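An added diagnostic, not part of the original report or of Python, Certipy or Impacket: it reports the OpenSSL security level and cipher list that a default `ssl` context gets on the running interpreter, and builds a per-connection context that lowers the level for one known legacy endpoint without touching the interpreter-wide default. The function names are hypothetical, and `DEFAULT` is OpenSSL's built-in cipher keyword, not whatever /etc/ssl/openssl.cnf configures.

```python
import ssl

def effective_policy(ctx):
    """Return (OpenSSL security level, sorted cipher names) for an SSLContext."""
    # SSLContext.security_level exists on Python 3.10 and later.
    level = getattr(ctx, "security_level", None)
    return level, sorted(c["name"] for c in ctx.get_ciphers())

def interpreter_default():
    """Policy a library gets when it calls ssl.create_default_context()."""
    return effective_policy(ssl.create_default_context())

def openssl_builtin_default():
    """Same context with the cipher list reset to OpenSSL's "DEFAULT" keyword."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT")
    return effective_policy(ctx)

def legacy_context(seclevel=1):
    """Context for one known legacy endpoint (hypothetical helper).

    OpenSSL level 2 rejects DH keys under 2048 bits (DH_KEY_TOO_SMALL);
    level 1 accepts 1024-bit keys. Certificate and hostname checks stay on,
    and only this object is affected, not the interpreter-wide default.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    return ctx

def report():
    """Summarise how this interpreter's default differs from OpenSSL's list."""
    py_level, py_ciphers = interpreter_default()
    _, ossl_ciphers = openssl_builtin_default()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "default_security_level": py_level,
        "default_cipher_count": len(py_ciphers),
        "dropped_vs_openssl_default": sorted(set(ossl_ciphers) - set(py_ciphers)),
        "legacy_security_level": effective_policy(legacy_context())[0],
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

An empty `dropped_vs_openssl_default` list means the interpreter's cipher list already matches OpenSSL's built-in `DEFAULT`.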