Classification
Title: Add OP_NO_TLSv1_3
Type: enhancement    Stage: resolved
Components: SSL    Versions: Python 3.7, Python 3.6, Python 2.7

Process
Status: closed    Resolution: fixed
Dependencies: (none)    Superseder: (none)
Assigned To: christian.heimes
Nosy List: Arfrever, Lukasa, alex, benjamin.peterson, christian.heimes, larry, ned.deily
Priority: normal    Keywords: patch

Created on 2017-01-02 21:07 by christian.heimes, last changed 2017-09-10 19:15 by christian.heimes. This issue is now closed.

Pull Requests
URL      Status   Linked
PR 1363  merged   christian.heimes, 2017-04-30 10:38
PR 3444  merged   christian.heimes, 2017-09-08 02:13
PR 3446  merged   christian.heimes, 2017-09-08 02:23
PR 3483  merged   christian.heimes, 2017-09-10 18:36
Messages (14)
msg284504 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-01-02 21:07
OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols PROTOCOL_TLS (old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER are going to have TLS 1.3 enabled by default. In order to disable TLS 1.3, let's add OP_NO_TLSv1_3 to _ssl.c and guard it with #ifdef SSL_OP_NO_TLSv1_3

https://github.com/openssl/openssl/blob/d2e491f225d465b11f18a466bf399d4a899cb50e/include/openssl/ssl.h#L346

Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be available any time soon. I like to add the flag *after* the upcoming round of releases.
msg284509 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2017-01-02 21:58
I think that's fine for 2.7.
msg286032 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-01-22 22:39
memo to me: Update the TLS cipher list to include TLS 1.3 ciphers. TLS 1.3 uses a disjoint set of cipher suites. No member of the current cipher suite set is compatible with TLS 1.3. Handshakes with TLS 1.3 enabled servers are going to fail.

As of today OpenSSL 1.1.1-dev provides one of five TLS 1.3 ciphers: TLS13-AES-128-GCM-SHA256. TLS13-AES-256-GCM-SHA384 and TLS13-CHACHA20-POLY1305 are not yet implemented, nor are the CCM block-mode suites.
msg286094 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2017-01-23 16:29
We can easily just add `TLS13:...` at the front of our ciphersuite list and it'll be OK though, right? (Note to self, do the same in urllib3, twisted, requests, god only knows what else)
msg286096 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-01-23 16:35
No, of course it does not work (yet):

$ LD_LIBRARY_PATH=. apps/openssl ciphers TLS13
Error in cipher list
140546693477888:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2100:
msg286239 - (view) Author: Cory Benfield (Lukasa) * Date: 2017-01-25 10:42
For those who want to keep track, the relevant OpenSSL ticket for configuring TLSv1.3 cipher suites is https://github.com/openssl/openssl/issues/2276.
msg301654 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-08 00:10
PR 1363 also introduced the ssl.HAS_TLSv1_3 flag for unit tests. The flag is required because OpenSSL 1.1.1-dev can be compiled without TLS 1.3 support. The development version always defines OP_NO_TLSv1_3 to a non-zero value. Furthermore, the PR adds a test for TLS 1.3.
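A feature-detection helper built on the two names this issue added, as an added example (my code, not from PR 1363 or the CPython tree): it probes ssl.HAS_TLSv1_3 rather than the mere presence of OP_NO_TLSv1_3, applies the opt-out flag, and lists the TLS 1.3 suites a context offers, which ties back to the cipher-list point in msg286032. It assumes Python 3.6+ for SSLContext.get_ciphers() and degrades to "flag absent" on builds that predate 3.7 / 2.7.15.

```python
import ssl

# On builds whose ssl module predates this issue (assumed: before 3.7 / 2.7.15)
# neither name exists, so fall back to "no flag" / "not available".
_OP_NO_TLSV1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0)


def tls13_available():
    """True only when the linked OpenSSL was compiled with TLS 1.3 support.

    ssl.HAS_TLSv1_3 is the right probe: as the thread notes, OP_NO_TLSv1_3 is
    defined to a non-zero value even when TLS 1.3 is compiled out, so the
    flag's presence alone proves nothing about the library's capabilities.
    """
    return bool(getattr(ssl, "HAS_TLSv1_3", False))


def make_client_context(disable_tls13=False):
    """Build a PROTOCOL_TLS_CLIENT context, optionally opting out of TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_tls13:
        if not _OP_NO_TLSV1_3:
            # Without the flag the opt-out cannot be expressed; fail loudly
            # rather than silently leaving TLS 1.3 negotiable.
            raise RuntimeError("ssl.OP_NO_TLSv1_3 is not available in this build")
        ctx.options |= _OP_NO_TLSV1_3
    return ctx


def tls13_disabled(ctx):
    """Report whether the OP_NO_TLSv1_3 bit is set on a context."""
    return bool(ctx.options & _OP_NO_TLSV1_3)


def tls13_suites(ctx):
    """Names of the TLS 1.3 suites a context would offer.

    TLS 1.3 suites are disjoint from the TLS 1.2 list; if this comes back
    empty on a TLS 1.3-capable build, handshakes with TLS 1.3-only peers
    fail, which is the cipher-list problem described earlier in the thread.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


if __name__ == "__main__":
    ctx = make_client_context()
    print("TLS 1.3 compiled in:", tls13_available())
    print("TLS 1.3 suites offered:", tls13_suites(ctx))
    print("opt-out bit set:", tls13_disabled(make_client_context(disable_tls13=True)))
```

Since Python 3.10 the OP_NO_* flags are deprecated in favour of SSLContext.minimum_version / maximum_version, so setting the bit above emits a DeprecationWarning on current interpreters; the check via ctx.options still works.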
msg301662 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-08 01:07
New changeset cb5b68abdeb1b1d56c581d5b4d647018703d61e3 by Christian Heimes in branch 'master':
bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3
msg301674 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-08 03:23
New changeset 9f2b3d4c2899f9caea2e47063061a76e460ac618 by Christian Heimes in branch '3.6':
[3.6] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3444)
https://github.com/python/cpython/commit/9f2b3d4c2899f9caea2e47063061a76e460ac618
msg301678 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-08 05:31
New changeset b9a860f3bf80b0d4a6c25d0f2f6ef849d9bf3594 by Christian Heimes in branch '2.7':
[2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446)
https://github.com/python/cpython/commit/b9a860f3bf80b0d4a6c25d0f2f6ef849d9bf3594
msg301803 - (view) Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * (Python triager) Date: 2017-09-10 07:35
In backport to 2.7 branch, ".. versionadded:: 2.7.15" and ".. versionchanged:: 2.7.15" were used.

However, in backport to 3.6 branch, ".. versionadded:: 3.7" and ".. versionchanged:: 3.7" were used, instead of expected ".. versionadded:: 3.6.3" and ".. versionchanged:: 3.6.3".
msg301820 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-10 17:28
Good catch, thanks! I'll update the documentation.
msg301828 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-10 19:14
New changeset 28580316a57d1757978196c27286f989d21ec0f3 by Christian Heimes in branch '3.6':
bpo-29136: Fix versionchange for TLS 1.3 changes (#3483)
https://github.com/python/cpython/commit/28580316a57d1757978196c27286f989d21ec0f3
msg301829 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-10 19:15
Thanks, I fixed versionchanged.
History
Date                 User               Action  Args
2017-09-10 19:15:14  christian.heimes   set     status: open -> closed; stage: patch review -> resolved; messages: + msg301829; versions: + Python 2.7, Python 3.7
2017-09-10 19:14:36  christian.heimes   set     messages: + msg301828
2017-09-10 18:36:28  christian.heimes   set     stage: needs patch -> patch review; pull_requests: + pull_request3473
2017-09-10 17:28:21  christian.heimes   set     status: closed -> open; stage: resolved -> needs patch; messages: + msg301820; versions: - Python 2.7, Python 3.7
2017-09-10 07:35:06  Arfrever           set     nosy: + Arfrever; messages: + msg301803
2017-09-08 14:22:23  christian.heimes   set     status: open -> closed; resolution: fixed; stage: patch review -> resolved
2017-09-08 05:31:19  christian.heimes   set     messages: + msg301678
2017-09-08 03:23:54  christian.heimes   set     messages: + msg301674
2017-09-08 02:23:58  christian.heimes   set     pull_requests: + pull_request3442
2017-09-08 02:13:58  christian.heimes   set     keywords: + patch; stage: needs patch -> patch review; pull_requests: + pull_request3440
2017-09-08 01:07:01  christian.heimes   set     messages: + msg301662
2017-09-08 00:10:18  christian.heimes   set     messages: + msg301654; versions: - Python 3.5
2017-04-30 10:38:20  christian.heimes   set     pull_requests: + pull_request1473
2017-01-25 10:42:03  Lukasa             set     nosy: + Lukasa; messages: + msg286239
2017-01-23 16:35:46  christian.heimes   set     messages: + msg286096
2017-01-23 16:29:56  alex               set     nosy: + alex; messages: + msg286094
2017-01-22 22:39:18  christian.heimes   set     messages: + msg286032
2017-01-02 21:58:01  benjamin.peterson  set     messages: + msg284509
2017-01-02 21:07:24  christian.heimes   create