
Support TLS 1.3 #77799

Closed
tiran opened this issue May 23, 2018 · 9 comments
Labels: 3.7 (EOL), 3.8, type-feature

Comments

@tiran
Member

tiran commented May 23, 2018

BPO 33618
Nosy @tiran, @benjaminp, @ned-deily, @alex, @dstufft, @zmwangx, @Dreamsorcerer, @pprindeville
PRs
  • bpo-33618: Enable TLS 1.3 in tests #7079
  • [3.7] bpo-33618: Enable TLS 1.3 in tests (GH-7079) #7082
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2020-05-31.19:36:27.330>
    created_at = <Date 2018-05-23.14:38:43.679>
    labels = ['3.8', 'type-feature', '3.7']
    title = 'Support TLS 1.3'
    updated_at = <Date 2021-09-03.17:04:05.689>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-09-03.17:04:05.689>
    actor = 'philipp'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2020-05-31.19:36:27.330>
    closer = 'christian.heimes'
    components = []
    creation = <Date 2018-05-23.14:38:43.679>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 33618
    keywords = ['patch']
    message_count = 9.0
    messages = ['317413', '317414', '317448', '317449', '317451', '317452', '317453', '317455', '317533']
    nosy_count = 9.0
    nosy_names = ['janssen', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'alex', 'dstufft', 'zmwangx', 'dreamsorcerer', 'philipp']
    pr_nums = ['7079', '7082']
    priority = 'high'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'enhancement'
    url = 'https://bugs.python.org/issue33618'
    versions = ['Python 2.7', 'Python 3.6', 'Python 3.7', 'Python 3.8']

@tiran
Member Author

tiran commented May 23, 2018

Epic for various TLS 1.3-related tasks and improvements

TLS 1.3 requires some changes to the SSL module and tests. The TLS 1.3 handshake behaves slightly differently, which causes some tests to fail. The new handshake and deferred non-application data also affect applications.

• TLS 1.3 cipher suites are now set by SSL_CTX_set_ciphersuites(), while SSL through TLS 1.2 cipher suites are still set by SSL_CTX_set_cipher_list(). Therefore SSLContext.set_ciphers() no longer fails with invalid cipher suites, because TLS 1.3 cipher suites are still available. TLS 1.3 cipher suites also cannot be changed or disabled by SSLContext.set_ciphers().

• TLS client cert authentication occurs after SSL_do_handshake() has finished. SSLSocket.connect() / handshake no longer fails when the server requests a client cert or the available client cert is invalid. The actual authentication occurs when the client performs the first SSL_read() / SSL_write().

• Session tickets are exchanged after the handshake, too. On the client side, the session ticket is only available after the first SSL_read() or another operation that performs a read(). The session ticket class and code no longer work with TLS 1.3.

• TLS 1.3 sends two session tickets instead of one.

• The server-side handshake can fail with ConnectionResetError or BrokenPipeError when the client closes the fd while the server is still sending non-application data like a new session ticket or a client cert request.

• Client-side unwrap() / shutdown used to fail when a session ticket was stuck on the wire. This problem will be fixed by OpenSSL 1.1.1-pre7, see "Auto retry in shutdown" openssl/openssl#6340.

I'll add a TLS 1.3 section to the ssl module documentation. TLS 1.3 will be a tech-preview and not production-ready until at least OpenSSL 1.1.1-final and Python 3.7.1. Ned, Benjamin, are you OK with that?
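The first bullet above is easy to verify from Python itself. The following is an added illustration, not code from the issue or from CPython's own test suite: it applies a TLS 1.2 cipher string through SSLContext.set_ciphers() and then uses SSLContext.get_ciphers() to show that the pre-TLS 1.3 list was restricted while the TLS 1.3 suites survived untouched. It assumes Python 3.7 or newer linked against OpenSSL 1.1.1 or newer (so that ssl.HAS_TLSv1_3 is true); the cipher string is a constructed input chosen to resemble what an application might pass when it believes it is pinning the connection to one suite.

```python
import ssl

# Constructed input: a single TLS 1.2 suite. An application passing this
# to set_ciphers() might assume the connection is now pinned to it.
TLS12_ONLY_STRING = "ECDHE-RSA-AES128-GCM-SHA256"


def split_by_protocol(ctx):
    """Partition ctx.get_ciphers() into (tls13_names, pre_tls13_names).

    get_ciphers() reports the protocol each suite belongs to. OpenSSL labels
    the suites managed by SSL_CTX_set_ciphersuites() as "TLSv1.3"; everything
    SSL_CTX_set_cipher_list() controls is reported as TLSv1.2 or older.
    """
    tls13, older = [], []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            tls13.append(cipher["name"])
        else:
            older.append(cipher["name"])
    return tls13, older


def restrict_ciphers(cipher_string=TLS12_ONLY_STRING):
    """Apply cipher_string via set_ciphers() and report what is still enabled.

    Only the pre-TLS 1.3 list is restricted: set_ciphers() maps to
    SSL_CTX_set_cipher_list(), which does not touch the TLS 1.3 suite list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return split_by_protocol(ctx)


def tls13_suites_unchanged(cipher_string=TLS12_ONLY_STRING):
    """True if set_ciphers() left the TLS 1.3 suite list identical to the default."""
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    restricted_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    restricted_ctx.set_ciphers(cipher_string)
    return split_by_protocol(default_ctx)[0] == split_by_protocol(restricted_ctx)[0]


def audit_context(ctx):
    """Summarise what a context will actually offer, for a configuration review.

    A reviewer who only inspects the set_ciphers() string misses the TLS 1.3
    suites; this reports both lists plus whether TLS 1.3 is built in at all.
    """
    tls13, older = split_by_protocol(ctx)
    return {
        "tls13_available": bool(getattr(ssl, "HAS_TLSv1_3", False)),
        "tls13_suites": tls13,
        "pre_tls13_suites": older,
    }


if __name__ == "__main__":
    tls13, older = restrict_ciphers()
    print("pre-TLS 1.3 suites after set_ciphers():", older)
    print("TLS 1.3 suites still enabled:", tls13)
    print("TLS 1.3 list unchanged by set_ciphers():", tls13_suites_unchanged())
```

The practical consequence for a configuration review is that the set_ciphers() string alone does not describe what a context will negotiate; get_ciphers(), or the audit_context() helper above, has to be consulted to see the TLS 1.3 suites that are always present.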

@tiran added labels 3.7 (EOL), 3.8 on May 23, 2018
@tiran self-assigned this May 23, 2018
@tiran added label type-feature on May 23, 2018
@tiran
Member Author

tiran commented May 23, 2018

More:

• We also need a new API to request TLS client cert authentication *after* some application data has been requested. The use case is e.g. an HTTP web server. A client sends a GET request, and then the server gets to decide whether the route requires authentication or not.

• Renegotiation is no longer available (good). TLS 1.3 has a new re-keying mechanism to establish a new master key.

@ned-deily
Member

Ned, Benjamin, are you OK with that?

Just to be clear, you wish to merge a backport of PR 7079 for 3.7.0rc1?

@tiran
Member Author

tiran commented May 23, 2018

Yes, if that's ok with you. It's only documentation and test updates.

@ned-deily
Member

As long as it doesn't break 1.0.2 and 1.1.0 support, sure :)

@tiran
Member Author

tiran commented May 23, 2018

Tests with 1.0.2o and 1.1.0h are passing.

@tiran
Member Author

tiran commented May 23, 2018

New changeset 529525f by Christian Heimes in branch 'master':
bpo-33618: Enable TLS 1.3 in tests (GH-7079)

@tiran
Member Author

tiran commented May 23, 2018

New changeset 72ef4fc by Christian Heimes (Miss Islington (bot)) in branch '3.7':
[3.7] bpo-33618: Enable TLS 1.3 in tests (GH-7079) (GH-7082)

@benjaminp
Contributor

2.7 is okay, too. The next release isn't for a while, so it'll have time to bake.

@tiran closed this as completed May 31, 2020
@ezio-melotti transferred this issue from another repository Apr 10, 2022