Support TLS 1.1 and TLS 1.2 #60896
Comments
|
Recent OpenSSL versions (e.g. 1.0.1c) have explicit support for TLS 1.1 and (presumably, although undocumented-ly) TLS 1.2 through TLSv1_1_method() and TLSv1_2_method(). It should be easy to add such support to the ssl module (although figuring out how exactly protocol version compatibility is handled - for the docs - might be a challenge). |
pitrou
added
stdlib
|
(ping) |
|
Michele, your latest patch doesn't apply on the default branch. However, I'll still do a review. |
|
Ok, some review comments: + .. warning:: requires at least openssl version 1.0.1 + .. warning:: requires at least openssl version 1.0.1 The warnings are not warranted here. You might simply say "Available only with openssl version 1.0.1+." +def skip_if_unsupported_tlsv1_1(func): This decorator looks like it would be impressed in a simpler way using unittest.skipIf (or unittest.skipUnless). + try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False, Not sure why you test only with OP_NO_TLSv1_1. It would be nice to check that connecting succeeds from a TLSv1_1 client on a SSLv23 server. |
|
synced with tip
yep, thanks.
PS: I have removed ssl.PROTOCOL_* from test_constants, since they are already used in the global variable PROTOCOLS. |
|
.. sorry for all these trivialities. |
|
Thanks. I don't know what happened, but the last patch fails to apply: $ patch -p1 < issue16692.3.patch
patching file Doc/library/ssl.rst
patching file Doc/whatsnew/3.4.rst
patching file Lib/ssl.py
patching file Lib/test/test_ssl.py
patching file Misc/NEWS
Hunk #1 succeeded at 1005 (offset 46 lines).
patching file Modules/_ssl.c
patch: **** malformed patch at line 291: struct py_ssl_error_code {
$ hg import --no-commit issue16692.3.patch
application de issue16692.3.patch
abandon : bad hunk #2 @@ -73,7 +78,13 @@
(7 7 15 13) |
|
Ok, yet another issue :-) Testing on a machine with OpenSSL 1.0.0 gives the following failures. I think you mixed up skipIf / skipUnless. ====================================================================== Traceback (most recent call last):
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
return func(*args, **kwargs)
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1493, in test_protocol_sslv2
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1363, in try_protocol_combo
chatty=False, connectionchatty=False)
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1301, in server_params_test
s.connect((HOST, server.port))
File "/home/antoine/cpython/default/Lib/ssl.py", line 582, in connect
self._real_connect(addr, False)
File "/home/antoine/cpython/default/Lib/ssl.py", line 572, in _real_connect
self.do_handshake()
File "/home/antoine/cpython/default/Lib/ssl.py", line 552, in do_handshake
self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer====================================================================== Traceback (most recent call last):
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
return func(*args, **kwargs)
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1582, in test_protocol_tlsv1_1
try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, True)
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'====================================================================== Traceback (most recent call last):
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
return func(*args, **kwargs)
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1602, in test_protocol_tlsv1_2
try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, True,
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2' |
|
Here is an updated patch fixing the aforementioned issue (as well as another small issue with the set_ciphers("ALL") hack). |
|
New changeset 02a89bd646ca by Antoine Pitrou in branch 'default': |
|
Finally committed. Thanks for the patches! |
|
Is there any chance of this being backported to Python 2.7? Given NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I imagine there are at least a few folks who can't upgrade to Python 3.x, but need TLS 1.2 support. I think Ruby just recently implemented TLS 1.2 in 2.0, and backported it to the 1.9.3 tree. Thanks. |
No, sorry. 2.7 only gets bug fixes. |
|
Raw backport for Python 2.7. ›raw‹ like in some options are in _ssl only. (_ssl.{err_names_to_codes,err_codes_to_names,lib_codes_to_names,…}) |
|
Ha. If you're insisting on backporting SSL stuff, I think the best option would be to create a third-party backport of the whole ssl module on PyPI. |
|
http://docs.python.org/3.4/whatsnew/3.4.html#ssl re: Backporting to Python 2.7: maybe something like: backports.ssl (like backports.ssl_match_hostname) |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: