This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author dstufft
Recipients alex, christian.heimes, dstufft, pitrou
Date 2014-03-22.18:21:03
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1395512463.45.0.734089760077.issue21013@psf.upfronthosting.co.za>
In-reply-to
Content
That's not entirely true unfortunately :(

There are downgrade attacks that work all the way up through TLS 1.2. These are not strictly a problem of the protocol specs but instead of the implementations.

See: https://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks

The general gist of it is some servers/firewalls/etc have buggy implementations that cause a TLS1.0+ handshake to fail and some clients (browsers being a big one) decided to handle this by restarting the connection with SSL3.0 instead of TLS1.0+. So thus it is possible to effectively downgrade a client, even one that supports TLS1.2. It is not however possible to do it within a single connection.

The version selection process should not be considered a security feature but should instead be looked at as a way to opportunistically add newer features.
History
Date User Action Args
2014-03-22 18:21:03dstufftsetrecipients: + dstufft, pitrou, christian.heimes, alex
2014-03-22 18:21:03dstufftsetmessageid: <1395512463.45.0.734089760077.issue21013@psf.upfronthosting.co.za>
2014-03-22 18:21:03dstufftlinkissue21013 messages
2014-03-22 18:21:03dstufftcreate