View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008097 | Kali Linux | [All Projects] Kali Package Improvement | public | 2022-12-12 16:55 | 2023-02-09 08:51 |
| Reporter | adrian.vollmer | Assigned To | rhertzog | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | kali-dev | ||||
| Target Version | Fixed in Version | 2023.1 | |||
| Summary | 0008097: Make Python use openssl's default SSL cipher settings | ||||
| Description | Since Python 3.10, the security of the default SSL cipher settings have been increased: https://bugs.python.org/issue43998 This causes issues, for example, with Certipy and Impacket, two very popular Python packages among Kali Linux users. See for instance: https://github.com/ly4k/Certipy/pull/110 The problem is exacerbated by the fact that changes to the Python library ldap3 are needed to take full effect of the patch linked above, and ldap3 appears to be effectively unmaintained. See: https://github.com/cannatag/ldap3/pull/1067 Python does not respect the cipher settings defined in /etc/ssl/openssl.cnf by default. Arguably, Kali Linux users have different needs than regular users and should be empowered to configure as many parts of their system as possible to suit their needs. That's why I propose to change Python's behavior by setting a configure option at build time. If we set the following configure option to `openssl`, users should be able to allow weak cipher settings in all connections initiated by Python programs: https://docs.python.org/3.10/using/configure.html#cmdoption-with-ssl-default-suites At the same time, regular users who don't mess with config files should not be affected and their cipher settings will not be weakened unexpectedly. Please let me know whether you think that this is a sensible approach and whether you are open to changing Python's configure options in order to distribute custom builds. | ||||
| Steps To Reproduce | Execute the following commands on an up-to-date Kali system: $ python3.9 -c 'import requests; requests.get("https://dh1024.badssl.com/")' $ python3.10 -c 'import requests; requests.get("https://dh1024.badssl.com/")' ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997) | ||||
|
|
Hello, and thank you for the suggestion! The request has been filled in debian's bugtracker too, to see what can be done directly in Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026802 |
|
|
This has been fixed in Python 3.11.2-2 which landed in Debian recently and will reach kali-rolling in a few days. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-12-12 16:55 | adrian.vollmer | New Issue | |
| 2022-12-21 12:42 | daniruiz | Note Added: 0017270 | |
| 2023-02-09 08:51 | rhertzog | Assigned To | => rhertzog |
| 2023-02-09 08:51 | rhertzog | Status | new => resolved |
| 2023-02-09 08:51 | rhertzog | Resolution | open => fixed |
| 2023-02-09 08:51 | rhertzog | Fixed in Version | => 2023.1 |
| 2023-02-09 08:51 | rhertzog | Note Added: 0017487 |