Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Benjamin Peterson - A Dive into TLS

Benjamin Peterson - A Dive into TLS

TLS is the industry standard for secure networking. This talk will give an overview of the TLS protocol and demonstrate how to create secure connections with the standard library's ssl module.

https://us.pycon.org/2015/schedule/presentation/347/

PyCon 2015

April 18, 2015
Tweet

More Decks by PyCon 2015

Other Decks in Programming

Transcript

  1. Background on the ssl module • added in Python 2.6

    • wrapper over OpenSSL • “transparent” socket API • used by httplib for HTTPS support • many improvements in the 3.x series
  2. Consequences for Python 2.7.x • No TLS 1.1 or 1.2

    • No good ciphersuites • No Perfect Forward Security • No Next Protocol Negotiation (NPN) • No Server Name Indication (SNI) • No system certificate access
  3. Horrible Defaults • Bad protocols • Bad ciphers • No

    certificate trust verification • No hostname validation
  4. PEP 466 • 3.4 ssl module backported to 2.7 •

    SSLContext • TLS 1.2 and good ciphers • SNI • other goodies: pbkdf2, constant time compare, persistent urandom
  5. PEP 476 • Python 2.7.9+, 3.4.1+ • for httplib and

    consumers • validation and hostname matching • system cert store used by default • Network APIs now take a context argument
  6. SSLContext • configuration for a TLS connection • trusted certs

    • ciphers • allowed protocols • other obscure options • accepted by many higher level APIs
  7. ssl.create_default_context • creates a SSLContext with sensible defaults • disables

    broken protocols and features • modern ciphers with good ordering • loads system certs for trust by default • updated as best practices change (e.g. RC4) • used by stdlib modules
  8. Support for TLS extensions • Server Name Indication (SNI) -

    Allows the server to pick the correct cert. • Next Protocol Negotiation (NPN) • Application-Layer Protocol Negotiation (ALPN)
  9. Memory BIO support • Alternate to traditional socket interface •

    Separates network IO from TLS protocol • Useful for framework • Used by asyncio • Just in Python 3.5 not 2.7.x
  10. The Slow Creep of Distributors • Debian: in Jessie •

    Ubuntu: Vivid, but not LTS • OS X: ?? • You’re not using system Python anyway, right?
  11. Incomplete Thanks • Alex Gaynor • David Reid • Nick

    Coghlan • Donald Stufft • Hynek Schlawack • Antoine Pitrou • GvR