Recent OpenSSL versions (e.g. 1.0.1c) have explicit support for TLS 1.1 and (presumably, although undocumented-ly) TLS 1.2 through TLSv1_1_method() and TLSv1_2_method(). It should be easy to add such support to the ssl module (although figuring out how exactly protocol version compatibility is handled - for the docs - might be a challenge).

(ping)

Michele, your latest patch doesn't apply on the default branch. However, I'll still do a review.

Ok, some review comments:

+   .. warning:: requires at least openssl version 1.0.1

+   .. warning:: requires at least openssl version 1.0.1

The warnings are not warranted here. You might simply say "Available only with openssl version 1.0.1+."

+def skip_if_unsupported_tlsv1_1(func):

This decorator looks like it would be impressed in a simpler way using unittest.skipIf (or unittest.skipUnless).

+            try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
+                               client_options=ssl.OP_NO_TLSv1_1)

Not sure why you test only with OP_NO_TLSv1_1. It would be nice to check that connecting succeeds from a TLSv1_1 client on a SSLv23 server.

synced with tip

> This decorator looks like it would be impressed in a simpler way,
> using unittest.skipIf (or unittest.skipUnless).

> It would be nice to check that connecting succeeds from a
> TLSv1_1 client on a SSLv23 server.

yep, thanks.


> Not sure why you test only with OP_NO_TLSv1_1.
I've just emulated older tests against older TSL protocols. Is there anything wrong you see? 


PS: I have removed ssl.PROTOCOL_* from test_constants, since they are already used in the global variable PROTOCOLS.

.. sorry for all these trivialities.

Thanks. I don't know what happened, but the last patch fails to apply:

$ patch -p1 < issue16692.3.patch 
patching file Doc/library/ssl.rst
patching file Doc/whatsnew/3.4.rst
patching file Lib/ssl.py
patching file Lib/test/test_ssl.py
patching file Misc/NEWS
Hunk #1 succeeded at 1005 (offset 46 lines).
patching file Modules/_ssl.c
patch: **** malformed patch at line 291:  struct py_ssl_error_code {


$ hg import --no-commit issue16692.3.patch 
application de issue16692.3.patch
abandon : bad hunk #2 @@ -73,7 +78,13 @@
 (7 7 15 13)

Ok, yet another issue :-) Testing on a machine with OpenSSL 1.0.0 gives the following failures. I think you mixed up skipIf / skipUnless.

======================================================================
ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1493, in test_protocol_sslv2
    try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1363, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1301, in server_params_test
    s.connect((HOST, server.port))
  File "/home/antoine/cpython/default/Lib/ssl.py", line 582, in connect
    self._real_connect(addr, False)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 572, in _real_connect
    self.do_handshake()
  File "/home/antoine/cpython/default/Lib/ssl.py", line 552, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1582, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, True)
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'

======================================================================
ERROR: test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.2 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1602, in test_protocol_tlsv1_2
    try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, True,
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'

Here is an updated patch fixing the aforementioned issue (as well as another small issue with the set_ciphers("ALL") hack).

New changeset 02a89bd646ca by Antoine Pitrou in branch 'default':
Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2.  Initial patch by Michele Orrù.
http://hg.python.org/cpython/rev/02a89bd646ca

Finally committed. Thanks for the patches!

Is there any chance of this being backported to Python 2.7?  Given NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I imagine there are at least a few folks who can't upgrade to Python 3.x, but need TLS 1.2 support.  I think Ruby just recently implemented TLS 1.2 in 2.0, and backported it to the 1.9.3 tree.  Thanks.

> Is there any chance of this being backported to Python 2.7?  Given
> NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I
> imagine there are at least a few folks who can't upgrade to Python
> 3.x, but need TLS 1.2 support.  I think Ruby just recently implemented
> TLS 1.2 in 2.0, and backported it to the 1.9.3 tree.  Thanks.

No, sorry. 2.7 only gets bug fixes.

Raw backport for Python 2.7. ›raw‹ like in some options are in _ssl only. (_ssl.{err_names_to_codes,err_codes_to_names,lib_codes_to_names,…})

Ha. If you're insisting on backporting SSL stuff, I think the best option would be to create a third-party backport of the whole ssl module on PyPI.

http://docs.python.org/3.4/whatsnew/3.4.html#ssl

re: Backporting to Python 2.7: maybe something like:

backports.ssl (like backports.ssl_match_hostname)

https://pypi.python.org/pypi/backports/