classification
Title: OpenSSL 1.1.1 / TLS 1.3 cipher suite changes
Type: behavior Stage: patch review
Components: SSL Versions: Python 3.8, Python 3.7, Python 3.6, Python 2.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: alex, benjamin.peterson, christian.heimes, dstufft, janssen, miss-islington, ned.deily, vstinner
Priority: high Keywords: patch

Created on 2018-05-18 13:00 by christian.heimes, last changed 2019-02-15 18:01 by vstinner.

Pull Requests
URL Status Linked Edit
PR 6976 merged christian.heimes, 2018-05-18 19:53
PR 7064 merged miss-islington, 2018-05-22 20:51
PR 8771 closed christian.heimes, 2018-08-15 07:24
PR 10607 merged cstratak, 2018-11-20 14:27
PR 11879 merged cstratak, 2019-02-15 17:18
Messages (6)
msg317027 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-05-18 13:00
The definition and configuration of TLS 1.3 cipher suites has changed during the development phase of OpenSSL 1.1.1. The cipher suites are no longer prefixed with "TLS13-". TLS 1.3 are always enabled and can no longer be disabled with SSLContext.set_ciphers() / SSL_CTX_set_cipher_list(). Instead the suites are now configured with SSL_CTX_set_ciphersuites(). See https://github.com/openssl/openssl/pull/5392

For now I'm not going to expose the new API. Instead I'll update the documentation and tests for 2.7 to 3.8 with new names. I'll also mention that TLS 1.3 suites will be always available with OpenSSL 1.1.1.
msg317345 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-05-22 20:50
New changeset e8eb6cb7920ded66abc5d284319a8539bdc2bae3 by Christian Heimes in branch 'master':
bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
https://github.com/python/cpython/commit/e8eb6cb7920ded66abc5d284319a8539bdc2bae3
msg317347 - (view) Author: miss-islington (miss-islington) Date: 2018-05-22 21:40
New changeset cd57b48ef9a70b7ef693ba52aaf38d7c945ab5d3 by Miss Islington (bot) in branch '3.7':
bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
https://github.com/python/cpython/commit/cd57b48ef9a70b7ef693ba52aaf38d7c945ab5d3
msg323552 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-08-15 07:07
New changeset 3e630c541b35c96bfe5619165255e559f577ee71 by Christian Heimes in branch '3.6':
bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) (GH-8760)
https://github.com/python/cpython/commit/3e630c541b35c96bfe5619165255e559f577ee71
msg335609 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-15 13:17
New changeset c49f63c1761ce03df7850b9e0b31a18c432dac64 by Victor Stinner (stratakis) in branch '2.7':
[2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) (GH-8760) (GH-10607)
https://github.com/python/cpython/commit/c49f63c1761ce03df7850b9e0b31a18c432dac64
msg335632 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-15 18:01
New changeset c3c49ec56890d9d591f8fd1609c8436019f28f96 by Victor Stinner (stratakis) in branch '2.7':
[2.7] bpo-33570: Enable OpenSSL 1.1.1 testing within the multissltests (GH-11879)
https://github.com/python/cpython/commit/c3c49ec56890d9d591f8fd1609c8436019f28f96
History
Date User Action Args
2019-02-15 18:01:31vstinnersetmessages: + msg335632
2019-02-15 17:18:26cstrataksetpull_requests: + pull_request11913
2019-02-15 13:17:18vstinnersetnosy: + vstinner
messages: + msg335609
2018-11-20 14:27:54cstrataksetpull_requests: + pull_request9850
2018-08-15 07:24:11christian.heimessetpull_requests: + pull_request8247
2018-08-15 07:07:31christian.heimessetmessages: + msg323552
2018-05-22 21:40:49miss-islingtonsetnosy: + miss-islington
messages: + msg317347
2018-05-22 20:51:26miss-islingtonsetpull_requests: + pull_request6694
2018-05-22 20:50:23christian.heimessetmessages: + msg317345
2018-05-18 19:53:22christian.heimessetkeywords: + patch
stage: test needed -> patch review
pull_requests: + pull_request6631
2018-05-18 13:00:38christian.heimescreate