This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: ssl module documentation: incorrect compatibility matrix
Type: Stage: resolved
Components: Documentation Versions: Python 3.4, Python 3.5, Python 2.7
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: docs@python Nosy List: alex, christian.heimes, docs@python, dstufft, giampaolo.rodola, janssen, kali, pitrou, python-dev
Priority: normal Keywords:

Created on 2014-12-03 13:15 by kali, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg232078 - (view) Author: Kali Kaneko (kali) Date: 2014-12-03 13:15
The SSLv23 row that can be read in the socket creation section in the documentation for the ssl module looks incorrect:

by my tests (with python 2.7.8) that row should read:

yes no yes yes yes yes

instead of:

yes no yes no no no 

as it does now.

Since a client specifying SSLv23 should be (and it seems to be) able to negotiate the highest available version that the server can offer, no matter if the server has chosen a tls version.

Is this an error in the documentation, or is there any situation in which the current values hold true?
msg232079 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2014-12-03 16:05
I agree this is a bug, but I believe the correct output is:

no yes yes yes yes yes
msg232080 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-12-03 16:13
Alex is right. The current doc was valid for older OpenSSL versions, which sent a SSLv2 hello with SSLv23.

Reference from the OpenSSL docs:

"""If the cipher list does not contain any SSLv2 ciphersuites (the default cipher list does not) or extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols."""

msg232085 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2014-12-03 19:04
New changeset 7af5d5493497 by Antoine Pitrou in branch '2.7':
Fix #22987: update the compatibility matrix for a SSLv23 client.

New changeset 9f03572690d2 by Antoine Pitrou in branch '3.4':
Fix #22987: update the compatibility matrix for a SSLv23 client.

New changeset 7509a0607c40 by Antoine Pitrou in branch 'default':
Fix #22987: update the compatibility matrix for a SSLv23 client.
msg232144 - (view) Author: Kali Kaneko (kali) Date: 2014-12-04 17:26
my bad, I had not actually tested the sslv2 and sslv3 options, since they were not available in the python in debian sid.

thanks for the quick fix!
Date User Action Args
2022-04-11 14:58:10adminsetgithub: 67176
2014-12-04 17:26:17kalisetmessages: + msg232144
2014-12-03 19:11:10pitrousetstatus: open -> closed
stage: resolved
resolution: fixed
versions: + Python 3.4, Python 3.5
2014-12-03 19:04:04python-devsetnosy: + python-dev
messages: + msg232085
2014-12-03 16:13:44pitrousetmessages: + msg232080
2014-12-03 16:05:05alexsetnosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft
messages: + msg232079
2014-12-03 13:15:58kalicreate