From: Tom Christie Date: Sun, 23 Jun 2019 10:24:17 +0000 (+0100) Subject: Use urllib3's DEFAULT_CIPHERS for ssl config (#100) X-Git-Tag: 0.6.2^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9930de80910655ac44c3b10e5f0a1f5425730e30;p=thirdparty%2Fhttpx.git Use urllib3's DEFAULT_CIPHERS for ssl config (#100)
---
diff --git a/http3/__init__.py b/http3/__init__.py
index b1e89ce8..cf9897a2 100644
--- a/http3/__init__.py
+++ b/http3/__init__.py
@@ -49,4 +49,4 @@ from .models import (
 )
 from .status_codes import StatusCode, codes
 
-__version__ = "0.6.1"
+__version__ = "0.6.2"
diff --git a/http3/config.py b/http3/config.py
index 5b3c3131..778051ba 100644
--- a/http3/config.py
+++ b/http3/config.py
@@ -10,6 +10,26 @@ VerifyTypes = typing.Union[str, bool]
 TimeoutTypes = typing.Union[float, typing.Tuple[float, float, float], "TimeoutConfig"]
 
 
+DEFAULT_CIPHERS = ":".join(
+    [
+        "ECDHE+AESGCM",
+        "ECDHE+CHACHA20",
+        "DHE+AESGCM",
+        "DHE+CHACHA20",
+        "ECDH+AESGCM",
+        "DH+AESGCM",
+        "ECDH+AES",
+        "DH+AES",
+        "RSA+AESGCM",
+        "RSA+AES",
+        "!aNULL",
+        "!eNULL",
+        "!MD5",
+        "!DSS",
+    ]
+)
+
+
 class SSLConfig:
     """
     SSL Configuration.
@@ -85,11 +105,7 @@ class SSLConfig:
         context.options |= ssl.OP_NO_SSLv3
         context.options |= ssl.OP_NO_COMPRESSION
 
-        # RFC 7540 Section 9.2.2: "deployments of HTTP/2 that use TLS 1.2 MUST
-        # support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". In practice, the
-        # blacklist defined in this section allows only the AES GCM and ChaCha20
-        # cipher suites with ephemeral key negotiation.
-        context.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
+        context.set_ciphers(DEFAULT_CIPHERS)
 
         if ssl.HAS_ALPN:
             context.set_alpn_protocols(["h2", "http/1.1"])
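Review bot: The new DEFAULT_CIPHERS list admits non-ephemeral and non-AEAD suites ("ECDH+AES", "DH+AES", "RSA+AESGCM", "RSA+AES") that the previous string excluded and that RFC 7540 Appendix A prohibits for HTTP/2; since the same context still advertises "h2" via ALPN in the set_ciphers hunk below, a TLS 1.2 session that settles on one of them loses forward secrecy and an h2 server is entitled to reject it with INADEQUATE_SECURITY. If the wider, urllib3-compatible list is intentional for interoperability, the removed RFC 7540 rationale should survive rather than vanish, e.g. a comment above the constant: `# Mirrors urllib3's DEFAULT_CIPHERS for interoperability. Ephemeral AEAD suites are listed first; the static-DH/RSA and CBC entries are compatibility fallbacks that RFC 7540 Appendix A forbids for HTTP/2, so an h2 peer may refuse them.` It is also worth noting in that comment that set_ciphers() governs TLS 1.2 and earlier only, with TLS 1.3 suites configured separately by OpenSSL, so the constant does not control the whole negotiation. The set_ciphers call sits inside an SSLConfig method whose beginning and end lie outside the hunk.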