classification
Title: Support TLS 1.1 and TLS 1.2
Type: enhancement Stage: resolved
Components: Extension Modules, Library (Lib) Versions: Python 3.4
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Arfrever, Thom.Nichols, christian.heimes, giampaolo.rodola, jcea, maker, markk, pitrou, python-dev, westurner
Priority: normal Keywords: easy, patch

Created on 2012-12-15 17:31 by pitrou, last changed 2013-08-04 18:12 by westurner. This issue is now closed.

Files
File name Uploaded Description Edit
issue16692.patch maker, 2013-02-09 22:28 review
issue16692.1.patch maker, 2013-02-13 22:19
issue16692.2.patch maker, 2013-03-20 08:05 review
issue16692.3.patch maker, 2013-03-26 20:49
issue16692.4.patch maker, 2013-03-26 21:11 review
tls12.patch pitrou, 2013-03-26 21:32 review
python-2.7.5-tls1.1-and-tls1.2.patch markk, 2013-07-03 18:02
Messages (16)
msg177541 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-12-15 17:31
Recent OpenSSL versions (e.g. 1.0.1c) have explicit support for TLS 1.1 and (presumably, although undocumented-ly) TLS 1.2 through TLSv1_1_method() and TLSv1_2_method(). It should be easy to add such support to the ssl module (although figuring out how exactly protocol version compatibility is handled - for the docs - might be a challenge).
msg184300 - (view) Author: Michele Orrù (maker) * Date: 2013-03-16 08:48
(ping)
msg184341 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-16 18:32
Michele, your latest patch doesn't apply on the default branch. However, I'll still do a review.
msg184342 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-16 18:37
Ok, some review comments:

+   .. warning:: requires at least openssl version 1.0.1

+   .. warning:: requires at least openssl version 1.0.1

The warnings are not warranted here. You might simply say "Available only with openssl version 1.0.1+."

+def skip_if_unsupported_tlsv1_1(func):

This decorator looks like it would be expressed in a simpler way using unittest.skipIf (or unittest.skipUnless).

+            try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
+                               client_options=ssl.OP_NO_TLSv1_1)

Not sure why you test only with OP_NO_TLSv1_1. It would be nice to check that connecting succeeds from a TLSv1_1 client on a SSLv23 server.
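The check Antoine asks for here (a client pinned to one protocol version connecting to a server that accepts any, alongside a pair with no version in common) and the "how is protocol version compatibility handled" question from the first message, worked through as an added example. This code is not part of the issue's patches or of CPython; the helper names are ours and only the public ssl API (SSLContext, TLSVersion, MemoryBIO) is used. It is written in today's terms: PROTOCOL_TLS_CLIENT/PROTOCOL_TLS_SERVER with minimum_version/maximum_version stand in for PROTOCOL_SSLv23, PROTOCOL_TLSv1_1 and the OP_NO_* client_options, and TLS 1.2/1.3 stand in for 1.1/1.2, because current OpenSSL builds refuse anything below TLS 1.2. The throwaway server certificate is minted with the openssl command-line tool, which is assumed to be on PATH; without it the handshake half reports None and only the prediction half runs.

```python
# Added example (not from the issue or CPython): predict which TLS version a
# client and a server SSLContext can agree on, then confirm it with a real
# handshake driven through MemoryBIO pairs, i.e. without any sockets.
import os
import ssl
import subprocess
import tempfile

# Versions the predictor knows, lowest first, with the matching legacy OP_NO_*
# opt-out bit (the client_options the issue's tests pass), or 0 if absent.
_ORDER = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
_OP_NO = [getattr(ssl, "OP_NO_" + v.name, 0) for v in _ORDER]

def make_context(protocol, low=None, high=None):
    """Context restricted to [low, high]; None keeps the interpreter default."""
    ctx = ssl.SSLContext(protocol)
    if low is not None:
        ctx.minimum_version = low
    if high is not None:
        ctx.maximum_version = high
    if protocol == ssl.PROTOCOL_TLS_CLIENT:
        ctx.check_hostname = False      # demo only: the server cert is self-signed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def allowed_versions(ctx):
    """Versions a context will negotiate: inside [min, max] and not opted out."""
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = _ORDER[0]
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = _ORDER[-1]
    return {v for v, op_no in zip(_ORDER, _OP_NO)
            if low <= v <= high and not (ctx.options & op_no)}

def predicted_version(client_ctx, server_ctx):
    """Highest version both sides allow, or None when no handshake can succeed."""
    common = allowed_versions(client_ctx) & allowed_versions(server_ctx)
    return max(common) if common else None

def handshake_version(client_ctx, server_ctx, rounds=8):
    """In-memory handshake; returns e.g. 'TLSv1.2', or None if the peers disagree."""
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(to_client, to_server, server_side=False)
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)
    pending = [client, server]
    for _ in range(rounds):
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass                # needs bytes the peer has not written yet
            except ssl.SSLError:
                return None         # e.g. unsupported protocol; an alert was sent
        if not pending:
            return client.version()
    return None

def make_self_signed_cert(directory):
    """Mint a throwaway RSA cert with the openssl CLI (assumed to be on PATH)."""
    cert, key = os.path.join(directory, "cert.pem"), os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
                   check=True, capture_output=True)
    return cert, key

def _peers(certfile=None, keyfile=None):
    """The thread's combinations: an accept-anything server (the PROTOCOL_SSLv23
    role) or a TLS 1.2-capped one, against any / 1.2-capped / 1.3-only clients."""
    server_any = make_context(ssl.PROTOCOL_TLS_SERVER)
    server_12 = make_context(ssl.PROTOCOL_TLS_SERVER, high=ssl.TLSVersion.TLSv1_2)
    if certfile:
        server_any.load_cert_chain(certfile, keyfile)
        server_12.load_cert_chain(certfile, keyfile)
    client_any = make_context(ssl.PROTOCOL_TLS_CLIENT)
    client_12 = make_context(ssl.PROTOCOL_TLS_CLIENT, high=ssl.TLSVersion.TLSv1_2)
    client_13 = make_context(ssl.PROTOCOL_TLS_CLIENT, low=ssl.TLSVersion.TLSv1_3)
    return [("tls12_client_vs_any_server", client_12, server_any),
            ("any_client_vs_tls12_server", client_any, server_12),
            ("tls13_client_vs_tls12_server", client_13, server_12)]

def demo_predictions():
    """Predicted outcome per combination: a TLSVersion member or None."""
    return {name: predicted_version(c, s) for name, c, s in _peers()}

def demo_handshakes():
    """Observed outcome per combination; None overall if openssl is unavailable."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            certfile, keyfile = make_self_signed_cert(tmp)
        except (OSError, subprocess.CalledProcessError):
            return None
        return {name: handshake_version(c, s)
                for name, c, s in _peers(certfile, keyfile)}
```

Running `demo_predictions()` and `demo_handshakes()` side by side is the point: the version-restricted client against the permissive server negotiates the highest version both allow, the mismatched pair fails on the server side with an alert rather than hanging, and the predictor agrees with the real handshake in every case. That last property is exactly what a try_protocol_combo-style test asserts, only here the expected outcome is computed from the contexts instead of being hand-written per combination. The predictor deliberately mirrors OpenSSL's rule that an OP_NO_* bit removes a version even when it lies inside [minimum_version, maximum_version].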
msg184745 - (view) Author: Michele Orrù (maker) * Date: 2013-03-20 08:05
synced with tip

> This decorator looks like it would be expressed in a simpler way,
> using unittest.skipIf (or unittest.skipUnless).

> It would be nice to check that connecting succeeds from a
> TLSv1_1 client on a SSLv23 server.

yep, thanks.


> Not sure why you test only with OP_NO_TLSv1_1.
I've just emulated older tests against older TLS protocols. Is there anything wrong you see?


PS: I have removed ssl.PROTOCOL_* from test_constants, since they are already used in the global variable PROTOCOLS.
msg185300 - (view) Author: Michele Orrù (maker) * Date: 2013-03-26 20:49
.. sorry for all these trivialities.
msg185301 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-26 20:56
Thanks. I don't know what happened, but the last patch fails to apply:

$ patch -p1 < issue16692.3.patch 
patching file Doc/library/ssl.rst
patching file Doc/whatsnew/3.4.rst
patching file Lib/ssl.py
patching file Lib/test/test_ssl.py
patching file Misc/NEWS
Hunk #1 succeeded at 1005 (offset 46 lines).
patching file Modules/_ssl.c
patch: **** malformed patch at line 291:  struct py_ssl_error_code {


$ hg import --no-commit issue16692.3.patch 
applying issue16692.3.patch
abort: bad hunk #2 @@ -73,7 +78,13 @@
 (7 7 15 13)
msg185305 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-26 21:21
Ok, yet another issue :-) Testing on a machine with OpenSSL 1.0.0 gives the following failures. I think you mixed up skipIf / skipUnless.

======================================================================
ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1493, in test_protocol_sslv2
    try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1363, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1301, in server_params_test
    s.connect((HOST, server.port))
  File "/home/antoine/cpython/default/Lib/ssl.py", line 582, in connect
    self._real_connect(addr, False)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 572, in _real_connect
    self.do_handshake()
  File "/home/antoine/cpython/default/Lib/ssl.py", line 552, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1582, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, True)
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'

======================================================================
ERROR: test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.2 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1602, in test_protocol_tlsv1_2
    try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, True,
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'
msg185308 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-26 21:32
Here is an updated patch fixing the aforementioned issue (as well as another small issue with the set_ciphers("ALL") hack).
msg185470 - (view) Author: Roundup Robot (python-dev) Date: 2013-03-28 21:29
New changeset 02a89bd646ca by Antoine Pitrou in branch 'default':
Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2.  Initial patch by Michele Orrù.
http://hg.python.org/cpython/rev/02a89bd646ca
msg185471 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-28 21:30
Finally committed. Thanks for the patches!
msg189873 - (view) Author: Thom Nichols (Thom.Nichols) Date: 2013-05-23 18:48
Is there any chance of this being backported to Python 2.7?  Given NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I imagine there are at least a few folks who can't upgrade to Python 3.x, but need TLS 1.2 support.  I think Ruby just recently implemented TLS 1.2 in 2.0, and backported it to the 1.9.3 tree.  Thanks.
msg189879 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-05-23 21:24
> Is there any chance of this being backported to Python 2.7?  Given
> NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I
> imagine there are at least a few folks who can't upgrade to Python
> 3.x, but need TLS 1.2 support.  I think Ruby just recently implemented
> TLS 1.2 in 2.0, and backported it to the 1.9.3 tree.  Thanks.

No, sorry. 2.7 only gets bug fixes.
msg192249 - (view) Author: Mark Kubacki (markk) Date: 2013-07-03 18:02
Raw backport for Python 2.7. ›raw‹ like in some options are in _ssl only. (_ssl.{err_names_to_codes,err_codes_to_names,lib_codes_to_names,…})
msg192250 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-07-03 18:03
Ha. If you're insisting on backporting SSL stuff, I think the best option would be to create a third-party backport of the whole ssl module on PyPI.
msg194404 - (view) Author: Wes Turner (westurner) * Date: 2013-08-04 18:12
http://docs.python.org/3.4/whatsnew/3.4.html#ssl

re: Backporting to Python 2.7: maybe something like:

backports.ssl (like backports.ssl_match_hostname)

https://pypi.python.org/pypi/backports/
History
Date | User | Action | Args
2013-08-04 18:12:40 | westurner | set | nosy: + westurner; messages: + msg194404
2013-07-03 18:03:54 | pitrou | set | messages: + msg192250
2013-07-03 18:02:52 | markk | set | files: + python-2.7.5-tls1.1-and-tls1.2.patch; nosy: + markk; messages: + msg192249
2013-05-23 21:24:24 | pitrou | set | messages: + msg189879
2013-05-23 18:48:38 | Thom.Nichols | set | nosy: + Thom.Nichols; messages: + msg189873
2013-03-28 21:30:16 | pitrou | set | status: open -> closed; resolution: fixed; messages: + msg185471; stage: patch review -> resolved
2013-03-28 21:29:14 | python-dev | set | nosy: + python-dev; messages: + msg185470
2013-03-26 21:32:47 | pitrou | set | files: + tls12.patch; messages: + msg185308
2013-03-26 21:21:11 | pitrou | set | messages: + msg185305
2013-03-26 21:11:51 | maker | set | files: + issue16692.4.patch
2013-03-26 20:56:13 | pitrou | set | messages: + msg185301
2013-03-26 20:49:26 | maker | set | files: + issue16692.3.patch; messages: + msg185300
2013-03-20 08:05:02 | maker | set | files: + issue16692.2.patch; messages: + msg184745
2013-03-16 18:37:54 | pitrou | set | messages: + msg184342
2013-03-16 18:32:04 | pitrou | set | messages: + msg184341; stage: needs patch -> patch review
2013-03-16 08:48:04 | maker | set | messages: + msg184300
2013-02-13 23:13:36 | eric.araujo | set | nosy: - eric.araujo
2013-02-13 22:19:59 | maker | set | files: + issue16692.1.patch
2013-02-13 10:46:25 | maker | set | nosy: + eric.araujo
2013-02-09 22:28:06 | maker | set | files: + issue16692.patch; nosy: + maker; keywords: + patch
2012-12-20 14:05:28 | christian.heimes | set | nosy: + christian.heimes; components: + Extension Modules
2012-12-17 14:10:52 | giampaolo.rodola | set | nosy: + giampaolo.rodola
2012-12-17 08:12:17 | jcea | set | nosy: + jcea
2012-12-15 17:35:48 | Arfrever | set | nosy: + Arfrever
2012-12-15 17:31:05 | pitrou | create |