
classification
Title: ssl module documentation: incorrect compatibility matrix
Type:
Stage: resolved
Components: Documentation
Versions: Python 3.4, Python 3.5, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: docs@python
Nosy List: alex, christian.heimes, docs@python, dstufft, giampaolo.rodola, janssen, kali, pitrou, python-dev
Priority: normal
Keywords:

Created on 2014-12-03 13:15 by kali, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg232078 - Author: Kali Kaneko (kali) Date: 2014-12-03 13:15
The SSLv23 row that can be read in the socket creation section in the documentation for the ssl module looks incorrect:
https://docs.python.org/2.7/library/ssl.html#socket-creation

By my tests (with Python 2.7.8), that row should read:

yes no yes yes yes yes

instead of:

yes no yes no no no 

as it does now.

Since a client specifying SSLv23 should be (and it seems to be) able to negotiate the highest available version that the server can offer, no matter if the server has chosen a TLS version.

Is this an error in the documentation, or is there any situation in which the current values hold true?
msg232079 - Author: Alex Gaynor (alex) (Python committer) Date: 2014-12-03 16:05
I agree this is a bug, but I believe the correct output is:

no yes yes yes yes yes
msg232080 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-12-03 16:13
Alex is right. The current doc was valid for older OpenSSL versions, which sent an SSLv2 hello with SSLv23.

Reference from the OpenSSL docs:

"""If the cipher list does not contain any SSLv2 ciphersuites (the default cipher list does not) or extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols."""

(https://www.openssl.org/docs/ssl/SSL_CTX_new.html)
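
The hello format described in the message above can be observed directly. This added example (not part of the original thread and not CPython's or OpenSSL's own code) captures the first flight of an auto-negotiating client through ssl.MemoryBIO and reports whether it is an SSLv2-format hello or a TLS ClientHello, and which versions it offers. It assumes a current Python 3, where PROTOCOL_TLS_CLIENT is the client-side auto-negotiating mode and PROTOCOL_SSLv23 is a deprecated alias of PROTOCOL_TLS; example.test is a placeholder hostname.

```python
import ssl
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def capture_client_hello(hostname="example.test"):  # placeholder hostname
    """Return the bytes an auto-negotiating client queues before any reply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, there is no server to answer
    return outgoing.read()

def u16(data, pos):
    return struct.unpack_from("!H", data, pos)[0]

def parse_client_hello(data):
    """Classify a hello as SSLv2-format or TLS and list the versions offered."""
    if data[0] & 0x80:  # SSLv2 records start with a length whose top bit is set
        return {"format": "SSLv2", "versions": [], "sni": False}
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                      # 5-byte record header + 4-byte handshake header
    legacy = u16(data, pos)
    pos += 2 + 32                # client_version + random
    pos += 1 + data[pos]         # session id
    pos += 2 + u16(data, pos)    # cipher suites
    pos += 1 + data[pos]         # compression methods
    versions, sni = [], False
    end = pos + 2 + u16(data, pos) if pos + 2 <= len(data) else pos
    pos += 2
    while pos + 4 <= end:        # walk the extension list
        ext_type, ext_len = u16(data, pos), u16(data, pos + 2)
        body = data[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:        # server_name
            sni = True
        elif ext_type == 43:     # supported_versions: 1-byte length, u16 list
            versions = [u16(body, i) for i in range(1, 1 + body[0], 2)]
        pos += 4 + ext_len
    return {"format": "TLS", "legacy": NAMES.get(legacy, hex(legacy)),
            "versions": [NAMES.get(v, hex(v)) for v in versions], "sni": sni}

if __name__ == "__main__":
    print(parse_client_hello(capture_client_hello()))
```

The versions list is empty when the linked OpenSSL does not send a supported_versions extension; in that case the legacy field is the highest version the client offers.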
msg232085 - Author: Roundup Robot (python-dev) (Python triager) Date: 2014-12-03 19:04
New changeset 7af5d5493497 by Antoine Pitrou in branch '2.7':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/7af5d5493497

New changeset 9f03572690d2 by Antoine Pitrou in branch '3.4':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/9f03572690d2

New changeset 7509a0607c40 by Antoine Pitrou in branch 'default':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/7509a0607c40
msg232144 - Author: Kali Kaneko (kali) Date: 2014-12-04 17:26
My bad, I had not actually tested the SSLv2 and SSLv3 options, since they were not available in the Python in Debian sid.

Thanks for the quick fix!
History
Date                 User        Action  Args
2022-04-11 14:58:10  admin       set     github: 67176
2014-12-04 17:26:17  kali        set     messages: + msg232144
2014-12-03 19:11:10  pitrou      set     status: open -> closed
                                         stage: resolved
                                         resolution: fixed
                                         versions: + Python 3.4, Python 3.5
2014-12-03 19:04:04  python-dev  set     nosy: + python-dev
                                         messages: + msg232085
2014-12-03 16:13:44  pitrou      set     messages: + msg232080
2014-12-03 16:05:05  alex        set     nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft
                                         messages: + msg232079
2014-12-03 13:15:58  kali        create