Author christian.heimes
Recipients Alex Gaynor, adrianv, christian.heimes, doko, ned.deily, njs
Date 2018-02-27.10:01:00
Message-id <1519725660.82.0.467229070634.issue31453@psf.upfronthosting.co.za>
In-reply-to
Content
I have another good reason to land PR 5259 in 3.7. OpenSSL 1.1.0 has deprecated the old way to disable/enable protocol versions with set option. The OP_NO_TLSv1* constants will likely get removed in OpenSSL 1.2.0. I'm expecting to see a 1.2.0 release within the next two years. Therefore we should include SSLContext.maximum_version and SSLContext.minimum_version now. We may even have to backport them to 3.6 and 2.7.

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html

> SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
>    These options turn off the SSLv3, TLSv1, TLSv1.1 or TLSv1.2 protocol versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, respectively. As of OpenSSL 1.1.0, these options are deprecated, use SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version instead.
History
Date User Action Args
2018-02-27 10:01:00 christian.heimes set recipients: + christian.heimes, doko, ned.deily, njs, Alex Gaynor, adrianv
2018-02-27 10:01:00 christian.heimes set messageid: <1519725660.82.0.467229070634.issue31453@psf.upfronthosting.co.za>
2018-02-27 10:01:00 christian.heimes link issue31453 messages
2018-02-27 10:01:00 christian.heimes create
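
The migration the message argues for, as an added example that is not part of the original message or of CPython: it translates a legacy OP_NO_* option mask into the equivalent SSLContext.minimum_version / SSLContext.maximum_version pair and rejects masks that a min/max range cannot express. The helper names options_to_version_range and migrate are hypothetical; it assumes Python 3.7+ with ssl.TLSVersion.

```python
import ssl
from ssl import TLSVersion

# Legacy "disable" flags paired with the version each one turns off, oldest first.
_LEGACY_FLAGS = [
    (ssl.OP_NO_SSLv3, TLSVersion.SSLv3),
    (ssl.OP_NO_TLSv1, TLSVersion.TLSv1),
    (ssl.OP_NO_TLSv1_1, TLSVersion.TLSv1_1),
    (ssl.OP_NO_TLSv1_2, TLSVersion.TLSv1_2),
    (ssl.OP_NO_TLSv1_3, TLSVersion.TLSv1_3),
]


def options_to_version_range(options):
    """Translate an OP_NO_* bitmask into a (minimum, maximum) TLSVersion pair.

    Raises ValueError if the mask disables every version or leaves a hole
    (e.g. TLS 1.0 and 1.2 enabled, 1.1 disabled), because a min/max pair
    can only describe a contiguous range.
    """
    enabled = [ver for flag, ver in _LEGACY_FLAGS if not options & flag]
    if not enabled:
        raise ValueError("option mask disables every protocol version")
    lo, hi = enabled[0], enabled[-1]
    span = [ver for _, ver in _LEGACY_FLAGS if lo <= ver <= hi]
    if span != enabled:
        holes = [ver.name for ver in span if ver not in enabled]
        raise ValueError(f"non-contiguous version set, hole at {holes}")
    return lo, hi


def migrate(ctx, legacy_options):
    """Configure ctx with the version range equivalent to legacy_options."""
    lo, hi = options_to_version_range(legacy_options)
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx
```
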