Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#73549 - [python] Allow using system-wide openssl config instead of the hardcoded Python's list of ciphers

Attached to Project: Arch Linux
Opened by Michał Sałaban (emesik) - Saturday, 29 January 2022, 16:37 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 29 January 2022, 17:01 GMT
Task Type Feature Request
Category Packages: Core
Status Assigned
Assigned To Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 2
Private No


Since Python 3.10 there's a hardcoded default list of openssl ciphers specified when initializing the SSL/TLS layer.

By adding `--with-ssl-default-suites=openssl` option to the `./configure` script, it allows Python to use the system-wide OpenSSL configuration, which is much more convenient. Especially regarding to SECLEVEL setting and problems reported by users, like:

The solution described above doesn't work in Arch because of hardcoded list of capabilities.
This task depends upon

Comment by Kai (halan) - Thursday, 03 March 2022, 23:54 GMT
What was the rationale for adding this hardcoded list? This seems quite dangerous as increasing the systems-wide security level will not affect any python applications.
Comment by loqs (loqs) - Friday, 04 March 2022, 00:16 GMT