Author christian.heimes
Recipients Alex Gaynor, adrianv, christian.heimes, doko, ned.deily, njs
Date 2018-02-26.11:48:19
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1519645699.24.0.467229070634.issue31453@psf.upfronthosting.co.za>
In-reply-to
Content
I have closed the feature newer BPO-32609 in favor of this bug because Ned gave this bug a deferred blocker priority.


OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported protocol version. The API is easier to use than the old OP_NO_TLSv1 option flags, too

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

Debian used the new setters to disable TLS 1.0 and 1.1 in testing, #31453. The old TLS versions have been enabled again for now. Python must expose the new API in case Debian decides to disable them again. Another $DIST has considered to implement a virtually the same policy as Debian.

I also like to deprecate the old OP_NO_TLSv1 et al. flags in favor of the new API. The option flags are awkward to use and easy to get wrong. For example applications must not leave holes in the OP_NO range (e.g. allow TLS 1.0 and 1.2 but disable 1.1).
History
Date User Action Args
2018-02-26 11:48:19christian.heimessetrecipients: + christian.heimes, doko, ned.deily, njs, Alex Gaynor, adrianv
2018-02-26 11:48:19christian.heimessetmessageid: <1519645699.24.0.467229070634.issue31453@psf.upfronthosting.co.za>
2018-02-26 11:48:19christian.heimeslinkissue31453 messages
2018-02-26 11:48:19christian.heimescreate