classification
Title: Modules/_ssl.c, repeated 'SSL_OP_NO_TLSv1_2'
Type: behavior Stage: resolved
Components: Versions: Python 3.11, Python 3.10
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: brotherbeer, christian.heimes, erlendaasland, johnj, miss-islington, nanjekyejoannah
Priority: normal Keywords: patch

Created on 2021-06-11 08:23 by brotherbeer, last changed 2021-06-17 10:01 by miss-islington. This issue is now closed.

Files
File name Uploaded Description Edit
_ssl_c_line_3576.png brotherbeer, 2021-06-11 08:23
Pull Requests
URL Status Linked Edit
PR 26680 merged erlendaasland, 2021-06-11 18:43
PR 26699 closed erlendaasland, 2021-06-12 21:02
PR 26700 merged christian.heimes, 2021-06-12 21:06
PR 26704 merged miss-islington, 2021-06-13 10:09
PR 26705 merged miss-islington, 2021-06-13 11:46
PR 26754 merged johnj, 2021-06-16 13:02
PR 26765 merged miss-islington, 2021-06-17 09:40
Messages (16)
msg395612 - (view) Author: Brother Beer (brotherbeer) Date: 2021-06-11 08:23
cpython-3.10.0b2/Modules/_ssl.c  line 3576

3570 static int
3571 set_options(PySSLContext *self, PyObject *arg, void *c)
3572 {
3573     long new_opts, opts, set, clear;
3574     long opt_no = (
3575         SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
3576         SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_2
3577     );

'SSL_OP_NO_TLSv1_2' is repeated, are any other items missing?
msg395703 - (view) Author: Joannah Nanjekye (nanjekyejoannah) * (Python committer) Date: 2021-06-12 20:18
New changeset cb7230c7a7d6d497e54c25e9ba640eec79de10f2 by Erlend Egeberg Aasland in branch 'main':
bpo-44389: Remove duplicate SSL_OP_NO_TLSv1_2 flag (GH-26680)
https://github.com/python/cpython/commit/cb7230c7a7d6d497e54c25e9ba640eec79de10f2
msg395704 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-06-12 20:19
Thanks for the report, Brother Beer.
msg395706 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-06-12 20:35
It's a typo, not a duplicate entry. Correct line is:

    SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3
msg395707 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-06-12 20:36
But TLSv1.3 is included in openssl 1.1.1, no?
msg395709 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-06-12 20:44
3.10 requires OpenSSL >= 1.1.1

The code checks for presence of deprecated options and emits a warning for all SSL_OP_NO_TLS/SSL* constants.
msg395710 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-06-12 20:46
Yes, and judging from PEP 644, I figured the TLSv1.3 flag was _not_ deprecated. Sorry for the misunderstanding/noise.
msg395711 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-06-12 20:47
Let me know if you want me to open a PR that adds the correct flag and adds deprecation wrappers to the tests.
msg395713 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-06-12 21:00
Ah, I see now that it's deprecated in the docs as well: https://docs.python.org/3/library/ssl.html#ssl.OP_NO_TLSv1_3
msg395739 - (view) Author: miss-islington (miss-islington) Date: 2021-06-13 10:29
New changeset f30f484e9660c6ad5d5a554869593d14d709a7f4 by Miss Islington (bot) in branch '3.10':
bpo-44389: Remove duplicate SSL_OP_NO_TLSv1_2 flag (GH-26680)
https://github.com/python/cpython/commit/f30f484e9660c6ad5d5a554869593d14d709a7f4
msg395741 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-06-13 11:46
New changeset bf527277d4e4907e32d76ca7ba667ab3149fe258 by Christian Heimes in branch 'main':
bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700)
https://github.com/python/cpython/commit/bf527277d4e4907e32d76ca7ba667ab3149fe258
msg395742 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-06-13 12:05
OpenSSL has deprecated these constants:

> SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
>
> As of OpenSSL 1.1.0, these options are deprecated, use SSL_CTX_set_min_proto_version(3) and SSL_CTX_set_max_proto_version(3) instead.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.html
msg395743 - (view) Author: miss-islington (miss-islington) Date: 2021-06-13 12:07
New changeset 4becc569a606102bce624a4e28f4068317d09f42 by Miss Islington (bot) in branch '3.10':
[3.10] bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700) (GH-26705)
https://github.com/python/cpython/commit/4becc569a606102bce624a4e28f4068317d09f42
msg395744 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-06-13 12:52
Thanks, Christian.
msg395981 - (view) Author: miss-islington (miss-islington) Date: 2021-06-17 09:40
New changeset c544393b89f9b3e2b1a22588fc9ae58019314879 by Joe in branch 'main':
bpo-44389: Fix typo in ssl deprecation warning message (GH-26754)
https://github.com/python/cpython/commit/c544393b89f9b3e2b1a22588fc9ae58019314879
msg395982 - (view) Author: miss-islington (miss-islington) Date: 2021-06-17 10:01
New changeset 08f2b9dedea13d2e9d11c189914387db3a66e2ca by Miss Islington (bot) in branch '3.10':
bpo-44389: Fix typo in ssl deprecation warning message (GH-26754)
https://github.com/python/cpython/commit/08f2b9dedea13d2e9d11c189914387db3a66e2ca
History
Date User Action Args
2021-06-17 10:01:15miss-islingtonsetmessages: + msg395982
2021-06-17 09:40:17miss-islingtonsetpull_requests: + pull_request25351
2021-06-17 09:40:05miss-islingtonsetmessages: + msg395981
2021-06-16 13:02:34johnjsetnosy: + johnj

pull_requests: + pull_request25339
2021-06-13 12:52:24erlendaaslandsetmessages: + msg395744
2021-06-13 12:07:25christian.heimessetstatus: open -> closed
resolution: fixed
stage: needs patch -> resolved
2021-06-13 12:07:07miss-islingtonsetmessages: + msg395743
2021-06-13 12:05:23christian.heimessetmessages: + msg395742
stage: patch review -> needs patch
2021-06-13 11:46:35christian.heimessetmessages: + msg395741
2021-06-13 11:46:16miss-islingtonsetpull_requests: + pull_request25290
2021-06-13 10:29:46miss-islingtonsetmessages: + msg395739
2021-06-13 10:09:38miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request25289
2021-06-12 21:06:20christian.heimessetpull_requests: + pull_request25285
2021-06-12 21:02:15erlendaaslandsetstage: needs patch -> patch review
pull_requests: + pull_request25284
2021-06-12 21:00:58erlendaaslandsetmessages: + msg395713
2021-06-12 20:47:50erlendaaslandsetmessages: + msg395711
2021-06-12 20:46:25erlendaaslandsetmessages: + msg395710
2021-06-12 20:44:28christian.heimessetmessages: + msg395709
2021-06-12 20:36:45erlendaaslandsetmessages: + msg395707
2021-06-12 20:36:01christian.heimessetresolution: duplicate -> (no value)
versions: + Python 3.11
2021-06-12 20:35:31christian.heimessetstatus: closed -> open

nosy: + christian.heimes
messages: + msg395706

resolution: fixed -> duplicate
stage: resolved -> needs patch
2021-06-12 20:19:30erlendaaslandsetmessages: + msg395704
2021-06-12 20:18:58erlendaaslandsetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2021-06-12 20:18:01nanjekyejoannahsetnosy: + nanjekyejoannah
messages: + msg395703
2021-06-11 18:43:20erlendaaslandsetkeywords: + patch
nosy: + erlendaasland

pull_requests: + pull_request25266
stage: patch review
2021-06-11 08:23:58brotherbeercreate