Benjamin Peterson - A Dive into TLS

Benjamin Peterson - A Dive into TLS

TLS is the industry standard for secure networking. This talk will give an overview of the TLS protocol and demonstrate how to create secure connections with the standard library's ssl module.

https://us.pycon.org/2015/schedule/presentation/347/

D5710b3bca38f1233274b4cbc523dc4b?s=128

PyCon 2015

April 18, 2015
Tweet

Transcript

  1. The (slightly) Less Sorry State of SSL Benjamin Peterson

  2. Me: CPython, six, etc...

  3. None
  4. Montréal circa April, 2014

  5. Montréal circa April, 2014

  6. Why so sorry?

  7. Background on the ssl module • added in Python 2.6

    • wrapper over OpenSSL • “transparent” socket API • used by httplib for HTTPS support • many improvements in the 3.x series
  8. Python 2.7 frozen in 2010.

  9. Consequences for Python 2.7.x • No TLS 1.1 or 1.2

    • No good ciphersuites • No Perfect Forward Security • No Next Protocol Negotiation (NPN) • No Server Name Indication (SNI) • No system certificate access
  10. Horrible Defaults • Bad protocols • Bad ciphers • No

    certificate trust verification • No hostname validation
  11. Completely Insecure! import urllib urllib.urlopen(“https://www.python.org/”)

  12. Progress over the last year

  13. PEP 466: Network Security Enhancements for Python 2.7.x

  14. PEP 466 • 3.4 ssl module backported to 2.7 •

    SSLContext • TLS 1.2 and good ciphers • SNI • other goodies: pbkdf2, constant time compare, persistent urandom
  15. PEP 476: Enabling certificate verification by default for stdlib HTTP

    clients
  16. PEP 476 • Python 2.7.9+, 3.4.1+ • for httplib and

    consumers • validation and hostname matching • system cert store used by default • Network APIs now take a context argument
  17. The Goodies

  18. SSLContext • configuration for a TLS connection • trusted certs

    • ciphers • allowed protocols • other obscure options • accepted by many higher level APIs
  19. ssl.create_default_context • creates a SSLContext with sensible defaults • disables

    broken protocols and features • modern ciphers with good ordering • loads system certs for trust by default • updated as best practices change (e.g. RC4) • used by stdlib modules
  20. Support for TLS extensions • Server Name Indication (SNI) -

    Allows the server to pick the correct cert. • Next Protocol Negotiation (NPN) • Application-Layer Protocol Negotiation (ALPN)
  21. Memory BIO support • Alternate to traditional socket interface •

    Separates network IO from TLS protocol • Useful for framework • Used by asyncio • Just in Python 3.5 not 2.7.x
  22. The Slow Creep of Distributors • Debian: in Jessie •

    Ubuntu: Vivid, but not LTS • OS X: ?? • You’re not using system Python anyway, right?
  23. Hopefully, we’re not at the forefront of terrible anymore.

  24. requests is nice

  25. Incomplete Thanks • Alex Gaynor • David Reid • Nick

    Coghlan • Donald Stufft • Hynek Schlawack • Antoine Pitrou • GvR
  26. Requests and Responses (benjamin@python.org)