"the sorry state of ssl" hynek schlawack, pyconru 2014
![Page 1: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/1.jpg)
THE SORRY STATE OF ССЛ
Hynek Schlawack
![Page 2: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/2.jpg)
@hynek https://hynek.me
https://github.com/hynek
Hello!
![Page 3: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/3.jpg)
https://www.variomedia.de
![Page 4: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/4.jpg)
![Page 5: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/5.jpg)
![Page 6: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/6.jpg)
![Page 7: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/7.jpg)
ONLY LINK
ox.cx/t
![Page 8: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/8.jpg)
WTF
![Page 9: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/9.jpg)
WTFSSL
![Page 10: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/10.jpg)
WTFSSL
& TLS
![Page 11: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/11.jpg)
TIMELINE
![Page 16: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/16.jpg)
TIMELINE
1995: Secure Sockets Layer 2.0, Netscape
1996: SSL 3.0, still Netscape
1999: Transport Layer Security 1.0, IETF
2006: TLS 1.1
2008: TLS 1.2
![Page 20: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/20.jpg)
2013
• newfound scrutiny
• browsers add TLS 1.2
• just using TLS not enough
![Page 21: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/21.jpg)
TLS
![Page 24: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/24.jpg)
TLS
• identity
• confidentiality
• integrity
![Page 25: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/25.jpg)
TLS HYGIENE
![Page 26: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/26.jpg)
SERVERS
![Page 28: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/28.jpg)
BE UP-TO-DATE
• OpenSSL >= 1.0.1c
• Apache >= 2.4.0
• nginx >= 1.0.6 or 1.1.0
![Page 34: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/34.jpg)
CERTIFICATES
• identity
• validity
• CA sig
![Page 36: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/36.jpg)
EXTENDED VALIDATION CERTIFICATES
![Page 39: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/39.jpg)
TRUST CHAIN
![Page 42: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/42.jpg)
CERTIFICATES
• trust chain
• host name/service
• already/still valid?
![Page 45: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/45.jpg)
DISABLE
• SSL 2.0
• SSL 3.0 (if you can)
• TLS compression
![Page 46: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/46.jpg)
CIPHER SUITES
![Page 52: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/52.jpg)
CIPHER
(diagram: Plaintext → Cipher → Ciphertext)
![Page 56: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/56.jpg)
CIPHER: MODE
• CBC
• stream ciphers
• GCM
![Page 59: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/59.jpg)
ENCRYPTION: PREFER THIS
AES128-GCM & ChaCha20
![Page 60: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/60.jpg)
ENCRYPTION: FALL BACK TO
AES128-CBC
![Page 61: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/61.jpg)
ENCRYPTION: IF LIFE IS CRUEL TO YOU
3DES-CBC
![Page 62: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/62.jpg)
ENCRYPTION: EOL
![Page 66: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/66.jpg)
ENCRYPTION: DANGEROUS
• EXP-*
• DES
• RC4
![Page 71: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/71.jpg)
KEY EXCHANGE

| | fast | PFS |
|---|---|---|
| RSA | ✔️ | ❌ |
| DHE | ❌ | ✔️ |
| ECDHE | ✔️ | ✔️ |
![Page 74: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/74.jpg)
INTEGRITY: MACS
• Message Authentication Code
• HMAC
• GCM
![Page 75: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/75.jpg)
HAVE THE LAST WORD
![Page 77: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/77.jpg)
YOU’RE DONE!
(but test your results!)
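The server checklist from the preceding slides (disable SSL 2.0/3.0 and TLS compression, prefer AES-GCM and ChaCha20 over an ephemeral key exchange, fall back to AES-CBC and 3DES only, drop EXP-*/DES/RC4, have the last word on cipher order) expressed as a Python `ssl.SSLContext`, together with the "test your results" audit the last slide asks for. This is an added example, not code from the talk; the cipher string is one rendering of the talk's ordering, and the TLS 1.2 floor is today's value rather than the 2014 one.

```python
import ssl

# One rendering of the talk's preference order as an OpenSSL cipher string:
# AEAD suites (AES-GCM, ChaCha20-Poly1305) over ECDHE/DHE first, AES-CBC as
# the fallback, 3DES only "if life is cruel to you", and the DANGEROUS
# families (EXP-*, single DES, RC4) plus anonymous/NULL/MD5 suites removed.
# "!DES" removes single DES only; triple DES has its own keyword, 3DES.
CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:"
    "ECDHE+AES128:DHE+AES128:ECDHE+AES:DHE+AES:"
    "ECDHE+3DES:DHE+3DES:"
    "!EXP:!DES:!RC4:!aNULL:!eNULL:!MD5:!PSK:!SRP"
)


def make_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext built along the talk's server checklist."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # DISABLE SSL 2.0 / SSL 3.0: set a protocol floor rather than per-version
    # OP_NO_* flags. TLS 1.2 is today's floor (assumption; 2014 allowed TLS 1.0).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # DISABLE TLS compression.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # HAVE THE LAST WORD: the server's cipher order decides, not the client's.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Fresh (EC)DH key per handshake so DHE/ECDHE really are forward secret
    # (always the case on OpenSSL 1.1+, where these flags are no-ops).
    ctx.options |= ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE
    ctx.set_ciphers(CIPHER_STRING)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def is_forbidden(cipher):
    """True for the families the talk marks DANGEROUS or EOL.

    `cipher` is one dict as returned by SSLContext.get_ciphers().
    """
    name = cipher["name"].upper()
    sym = (cipher.get("symmetric") or "").lower()
    return (
        name.startswith("EXP")                # EXP-*: 40/56-bit export grades
        or "RC4" in name                      # RC4 stream cipher
        or "NULL" in name                     # no encryption or no authentication
        or name.startswith(("ADH", "AECDH"))  # anonymous DH: no identity at all
        or sym == "des-cbc"                   # single DES (3DES reports des-ede3-cbc)
    )


def audit_ciphers(ctx):
    """Summarise what the context will really offer: 'test your results!'."""
    ciphers = ctx.get_ciphers()
    report = {"total": len(ciphers), "aead": 0, "pfs": 0,
              "forbidden": [], "first_tls12": None}
    for c in ciphers:
        if c.get("aead"):
            report["aead"] += 1
        # ECDHE/DHE suites give PFS; TLS 1.3 (reported as kx-any) always does.
        kea = (c.get("kea") or "").lower()
        if kea in ("kx-ecdhe", "kx-dhe", "kx-any") or \
                c["name"].startswith(("ECDHE-", "DHE-", "TLS_")):
            report["pfs"] += 1
        if is_forbidden(c):
            report["forbidden"].append(c["name"])
        # First TLS 1.2 suite in server order: this is what "prefer this" means.
        if report["first_tls12"] is None and c["protocol"] != "TLSv1.3":
            report["first_tls12"] = c["name"]
    return report


def check_hygiene(ctx):
    """The non-cipher checks: protocol floor, compression off, server order."""
    return {
        "tls12_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "compression_off": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
    }


if __name__ == "__main__":
    context = make_server_context()
    print(check_hygiene(context))
    print(audit_ciphers(context))
```

Run it against your own OpenSSL build: the report shows which suites that build actually leaves you with, which is what an external scanner would see.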
![Page 84: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/84.jpg)
CERTIFICATE
![Page 88: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/88.jpg)
PROTOCOLS
![Page 96: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/96.jpg)
CIPHER SUITES
![Page 97: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/97.jpg)
CLIENTS
![Page 99: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/99.jpg)
YOU HAD ONE JOB!
VERIFY!
![Page 102: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/102.jpg)
VERIFY THE CERTIFICATE!
• valid?
• trustworthy chain?
• correct hostname/service?
![Page 106: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/106.jpg)
TRUST CHAIN
• VERIFY_PEER
• trust stores OS dependent
• SSL_CTX_set_default_verify_paths
![Page 111: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/111.jpg)
SYSTEM CA
• FreeBSD: ca_root_nss
• Debian/Red Hat: ca-certificates
• OS X: TEA or homebrew
• Windows: wincertstore
• or: Mozilla/certifi
![Page 113: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/113.jpg)
HOSTNAME VERIFICATION
OpenSSL to developers:
LOL
![Page 114: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/114.jpg)
DON’T VERIFY TRUST CHAIN
I can pretend to be Google with any self-signed certificate.
![Page 115: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/115.jpg)
DON’T VERIFY HOSTNAME
I can pretend to be Google with any valid certificate.
![Page 116: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/116.jpg)
![Page 117: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/117.jpg)
SET SOME OPTIONS
• acceptable ciphers
• disable SSL 2.0
![Page 118: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/118.jpg)
THAT’S ALL!
![Page 119: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/119.jpg)
USERS
![Page 122: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/122.jpg)
FUNDAMENTAL MISCONCEPTIONS
• no end-to-end security
• metadata
![Page 125: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/125.jpg)
VPN?
• sees all your traffic
• same for CDN
![Page 127: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/127.jpg)
CERTIFICATE WARNINGS
![Page 128: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/128.jpg)
ROOT CERTIFICATE POISONING
![Page 136: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/136.jpg)
TRUST ISSUES
• hacked
• screw up
• court orders
• big corp
![Page 137: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/137.jpg)
![Page 138: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/138.jpg)
DON’T DO IT YOURSELF IF YOU CAN HELP IT.
Rule of Thumb
![Page 139: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/139.jpg)
STANDARD LIBRARY VS.
PYOPENSSL
![Page 145: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/145.jpg)
STANDARD LIBRARY
• terrible pre-3.3
• very incomplete in 2.7
• PFS impossible
• missing options
• bound to Python’s OpenSSL
![Page 146: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/146.jpg)
HOSTNAME VERIFICATION
3.2+: from ssl import match_hostname
2.4–2.7: pip install backports.ssl_match_hostname
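The client side of the talk, as one added example that is not code from the talk: the "YOU HAD ONE JOB! VERIFY!" checklist (trusted chain via VERIFY_PEER and the OS trust store or a Mozilla bundle, then the hostname) as an `ssl.SSLContext`, a check that names the two impersonation failures from the "DON'T VERIFY" slides, and a hostname matcher in the spirit of this slide's `ssl.match_hostname`, which was deprecated in Python 3.7 and removed in 3.12. The certificate dicts are constructed in the shape `getpeercert()` returns and use example.com/example.net names.

```python
import ssl


def make_client_context(cafile=None):
    """Client context that does the one job the slides ask for: verify."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # VERIFY_PEER: untrusted chain, no connection
    ctx.check_hostname = True             # and the cert must be for the host we dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        ctx.load_verify_locations(cafile)  # e.g. a Mozilla bundle such as certifi.where()
    else:
        ctx.load_default_certs()           # OS trust store: SSL_CTX_set_default_verify_paths
    return ctx


def make_unverified_context():
    """The anti-pattern behind both 'I can pretend to be Google' slides; kept
    only so describe_exposure() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode may drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_exposure(ctx):
    """Map a client context's settings onto the two impersonation slides."""
    issues = []
    if ctx.verify_mode == ssl.CERT_NONE:
        issues.append("trust chain not verified: any self-signed certificate passes")
    if not ctx.check_hostname:
        issues.append("hostname not verified: any valid certificate for any name passes")
    return issues


def _dnsname_match(pattern, hostname):
    """One dNSName against the target, RFC 6125 style: case-insensitive, and a
    wildcard only as the entire left-most label of a name with 3+ labels."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Rejects "f*.example.com", "*.com", and a wildcard spanning several labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Check a getpeercert()-style dict against the host we meant to reach.

    Returns True or raises ssl.CertificateError, as the removed stdlib helper did.
    """
    if not cert:
        raise ValueError("empty certificate: getpeercert() returns {} under CERT_NONE")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Fall back to the subject's commonName only when there is no SAN at all.
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    if any(_dnsname_match(n, hostname) for n in names):
        return True
    raise ssl.CertificateError(
        "hostname %r doesn't match %s" % (hostname, " or ".join(map(repr, names))))


def hostname_matches(cert, hostname):
    """Boolean wrapper for callers that want a result instead of an exception."""
    try:
        return match_hostname(cert, hostname)
    except ssl.CertificateError:
        return False


# Constructed dicts in the shape ssl.SSLSocket.getpeercert() returns; not real
# certificates. SITE_CERT is the legitimate one for www.example.com, OTHER_CERT
# a perfectly valid certificate for an unrelated host ("any valid certificate").
SITE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
OTHER_CERT = {
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}

if __name__ == "__main__":
    print(describe_exposure(make_unverified_context()))
    print(hostname_matches(SITE_CERT, "api.example.com"))   # wildcard: accepted
    print(hostname_matches(OTHER_CERT, "www.example.com"))  # valid, wrong host: rejected
```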
![Page 150: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/150.jpg)
PYOPENSSL
• Python 2.6+, 3.2+, and PyPy
• more complete API coverage
• PyCA cryptography!
![Page 151: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/151.jpg)
CRYPTOGRAPHY.IO
• Python crypto w/o footguns
• PyCA
• PyPy ♥ CFFI
• gives pyOpenSSL momentum
![Page 156: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/156.jpg)
HOSTNAME VERIFICATION
service_identity
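Both HOSTNAME VERIFICATION slides name a library for the same check: does the certificate the peer presented actually cover the hostname we asked for (stdlib `ssl.match_hostname` from 3.2, `backports.ssl_match_hostname` on 2.4–2.7, `service_identity` on top of pyOpenSSL). The following is an added, simplified Python reimplementation of that check, not code from the talk or from any of those libraries; it assumes the dict shape `ssl.getpeercert()` returns and handles only dNSName SANs and the commonName fallback.

```python
# Added example, not code from the talk or from the libraries it names: a
# simplified reimplementation of the hostname check done by ssl.match_hostname,
# backports.ssl_match_hostname and service_identity. Input uses the dict shape
# of ssl.getpeercert(). Stricter than stdlib: a wildcard must be a whole label.

class CertificateError(ValueError):
    """The certificate does not cover the hostname we connected to."""

def _dnsname_match(pattern, hostname):
    """RFC 6125-style match of one dNSName pattern against a hostname."""
    labels = pattern.lower().split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return labels == host
    # Only '*.rest.of.name' is accepted: the wildcard stands for exactly one
    # non-empty label and never crosses a dot (a.b.example.net must fail).
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    return len(host) == len(labels) and host[0] != "" and host[1:] == labels[1:]

def match_hostname(cert, hostname):
    """Raise CertificateError unless cert (getpeercert() dict) covers hostname."""
    if not cert:
        raise CertificateError("empty certificate; was verify_mode CERT_REQUIRED?")
    # dNSName SANs take precedence; commonName counts only if there is no SAN.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    if not names:
        raise CertificateError("no dNSName or commonName in certificate")
    if not any(_dnsname_match(n, hostname) for n in names):
        raise CertificateError("hostname %r does not match %r" % (hostname, names))

def hostname_matches(cert, hostname):
    """Boolean form of match_hostname for callers that prefer no exceptions."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
```

Note that `getpeercert()` returns an empty dict unless the context was created with `verify_mode = CERT_REQUIRED`, which is why the check refuses an empty certificate instead of silently passing.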
![Page 157: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/157.jpg)
LIBRARIES &
FRAMEWORKS
![Page 158: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/158.jpg)
SERVERS

| server | lib | PFS | good defaults | configurable |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| gunicorn | depends | ❌ | ❌ | ❌ |
| Tornado | stdlib | ❌ | ❌ | ❌ |
| Twisted 14.0 | pyOpenSSL | ✔️ | ✔️ | ✔️ |
| uWSGI | own C code | ✔️ | ❌ | ✔️ |
![Page 162: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/162.jpg)
CLIENTS

| client | lib | verifies certificates | verifies hostnames | good defaults |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| Tornado | stdlib | ✔️ | ✔️ | ❌ |
| Twisted 14.0 | pyOpenSSL | depends | depends | ✔️ |
| urllib2 | stdlib | ❌ | ❌ | ❌ |
| urllib3/requests | hybrid | ✔️ | ✔️ | ✔️ |
![Page 167: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/167.jpg)
SUMMARY
• keep TLS out of Python if you can
• use pyOpenSSL-powered requests for HTTPS
• write servers in Twisted
• use pyOpenSSL
• use Python 2 stdlib only for clients
![Page 173: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/173.jpg)
WHY SORRY?
![Page 174: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/174.jpg)
IMPLEMENTATIONS
![Page 176: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/176.jpg)
USERS
• run outdated software
• click certificate warnings away
• are at the mercy of 3rd parties
![Page 180: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/180.jpg)
SERVERS
![Page 182: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/182.jpg)
CLIENTS
![Page 183: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/183.jpg)
PYTHON
Is at the forefront of terrible.
![Page 184: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/184.jpg)
HOPE
• people care again
• stdlib
• PyCA
![Page 188: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/188.jpg)
CALLS TO ACTION
![Page 193: "The Sorry State of SSL" Hynek Schlawack, PyConRu 2014](https://reader031.vdocuments.us/reader031/viewer/2022013100/54c522354a7959d9708b4575/html5/thumbnails/193.jpg)
ox.cx/t
@hynek
vrmd.de