Comments (7)
I don't think this is the responsibility of the client. The server should not allow TLS < 1.3.
from digsec.
Please reopen as I think you are fundamentally wrong about SSL in Python.
Before you close it, please test your code against a server that supports tlsv1.3, and verify the cipher after the handshake. Having looked at your code, I'm sure it will not, but I could be wrong, in which case I'll apologize profusely.
I doubt your code (using urllib3) will even check SNI.
Getting a Python client to handshake up to TLS 1.3 with a 1.3-capable server is not easy in Python from what I'm seeing, and does not work out-of-the-box with urllib3 or requests.
This is very unrelated to this project. I think what would be useful is to separate downloading and using the downloaded xml, for which I created #15 . So if you have a concern, you can download the xml file with a method you trust and use it locally.
Just for your information, during the TLS handshake, the server and client agree on a common cipher etc. based on what the server offers. If the server offers communicating with a less than ideal cipher (even no cipher), independent of the client's acceptance of this, this is considered to be a problem of the server configuration; hence there is something called correct TLS settings on the server which eliminates using certain ciphers and protocols (even with not-good clients). On the other hand, of course the client has some flexibility within the ciphers and protocols offered by the server and it should select a good alternative. Like I said, that is not the point of this project; digsec download is only a quick way to acquire trust anchors (which is just an xml file). It is much better to just offer a way to load this locally so the trust anchor acquisition can become independent of digsec. Just a reminder again, digsec is not a DNSSEC validating resolver (e.g. for production use).
There is another part of the process you are not considering: MITM. During the handshake, third parties can get in the way of v1.2 protocol handshakes, but from what I'm seeing, not v1.3. So the few lines of code in your client to get it to fail the SSL connection if it's not v1.3 ensure that the client is getting what it asked for.
What I'm suggesting applies to any Python client using SSL, not even DNSSEC validating resolvers, and it's simply specifying openssl protocol, min_version and acceptable ciphers (usually only a few lines of code).
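The "few lines of code" the comment above refers to, as an added example that is not digsec's own code: a stdlib-only Python client context that refuses anything below TLS 1.3, sends SNI, and checks the negotiated version and cipher after the handshake. The host name in the `__main__` block is a placeholder, and `FakeTLSSocket` is a constructed stand-in so the post-handshake check can be exercised without a network.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple


class TLSDowngradeError(Exception):
    """Negotiated protocol/cipher is not what the client insisted on."""


def make_tls13_only_context() -> ssl.SSLContext:
    # create_default_context() uses PROTOCOL_TLS_CLIENT, loads the system CA
    # store and already sets check_hostname=True and verify_mode=CERT_REQUIRED.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse TLS 1.2 and older
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # set_ciphers() only governs TLS 1.2-and-older suites; the TLS 1.3 suites
    # (all AEAD) are chosen by OpenSSL and cannot be narrowed from the ssl
    # module, so pinning minimum_version is what rules out weak ciphers here.
    return ctx


def inspect_handshake(tls_sock) -> Dict[str, object]:
    """After the handshake, confirm TLS 1.3 was really negotiated."""
    version: Optional[str] = tls_sock.version()
    cipher: Optional[Tuple[str, str, int]] = tls_sock.cipher()
    if version != "TLSv1.3" or cipher is None:
        raise TLSDowngradeError(f"negotiated {version!r}, expected TLSv1.3")
    return {"version": version, "cipher": cipher[0], "bits": cipher[2]}


def head_over_tls13(host: str, port: int = 443, timeout: float = 10.0) -> Dict[str, object]:
    """Connect TLS 1.3-only, verify the handshake, then send an HTTP HEAD."""
    ctx = make_tls13_only_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname= sends SNI and is what check_hostname compares against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = inspect_handshake(tls)
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            info["status"] = tls.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
            return info


class FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket so inspect_handshake runs offline."""
    def __init__(self, version: str, cipher: Tuple[str, str, int]):
        self._version, self._cipher = version, cipher
    def version(self) -> str:
        return self._version
    def cipher(self) -> Tuple[str, str, int]:
        return self._cipher


if __name__ == "__main__":
    print(head_over_tls13("example.com"))  # placeholder host; needs network
```

The same context can be handed to urllib3 via its `ssl_context` keyword if you want the check without rewriting the download code.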
Again, digsec is not a DNSSEC validating resolver and the main point of it is not to acquire trust anchors securely and authenticate them. It is also not enough to just download them in the most secure way with SSL. See #15
(side note: MITM cannot be fully prevented by using TLS, hence there is another mechanism to authenticate the trust anchor (see the code mentioned in #15))
The official way of doing this will be implemented with #24, and can be done together with using openssl