How to set protocol and cipher to be hipaa compliant using python ssl

Question

I am configuring an SSL context to be HIPAA compliant. According to this document, the connection must use at least TLS 1.2+ and use one of the approved ciphers. How do I configure the context to use the right ciphers and protocol? I can't seem to find examples of this. What I am trying right now is the following:

class GmailClient:
    allowed_ciphers = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM8:DH-RSA-AES256-GCM-SHA384:DH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256"

    def __init__(self, email=None, app_password=None, imap_host="imap.gmail.com"):
        self.email = email
        self.app_password = app_password

        context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
        context.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
        context.set_ciphers(self.allowed_ciphers)

        self.imap_client = imap.IMAP4_SSL(
            host=imap_host,
            port=imap.IMAP4_SSL_PORT,
            ssl_context=context
        )

I have no idea if this will produce a properly configured ssl context or even how to troubleshoot it.

It will take me some time to dig up the exact details, but the idea is to create an SSL Context object and customize it; looks like with minimum_version in Python >= 3.7. Set it to TLS 1.2. Also use get_ciphers to get a list of supported ciphers, then filter it down to what you need and use set_ciphers. Or use set_ciphers directly if you know the OpenSSL cipher list string to use. Then pass that context object to the IMAP4_SSL constructor. — Max, May 04 '23 at 14:00
Note: according to the documentation TLS13 ciphers cannot be customized with set_ciphers. — Max, May 04 '23 at 15:56
@Max Because there is nothing to configure in 1.3, as there are only 5 ciphers allowed, all carefully selected to be of similar security level, so a far simpler playing field than 1.2 or before. And also you can't use TLS 1.3 cipher names in TLS 1.2 or lower setup, they are not built the same way. — Patrick Mevzek, May 04 '23 at 22:45
In a real proper safe environment, I would build OpenSSL specifically with ONLY the TLS versions and ciphers needed, and nothing more. Otherwise, there is always a risk that a misconfiguration in the application or the middle library it uses that uses OpenSSL under the hood will choose wrong parameters. Depending on the need you could also split concerns: use something like stunnel to establish the TLS part, and it should be simpler to configure, and your local application connects to TCP or Unix localhost to reach stunnel, hence no more OpenSSL in your app. — Patrick Mevzek, May 04 '23 at 22:48
@max, thats essentially what my code does. It seems to run and create a valid tls connection based on rudimentary packet inspection, but I'm not sure if I have it right. Seems like I should remove the TLS13 ciphers from the string? — sakurashinken, May 06 '23 at 02:00

How to set protocol and cipher to be hipaa compliant using python ssl

0 Answers0