Only use HTTPS #178
Only use HTTPS #178
Conversation
|
There's a problem with Python 3.3: https://travis-ci.org/pylast/pylast/jobs/165224071#L216 |
|
On Wed, 2016-10-05 at 06:51:23 -0700, Hugo wrote:
Looks like create_default_context() doesn't exist in Python <3.4 and we
3.3 is still supported another year https://en.wikipedia.org/wiki/CPython#Version_history . What should we do about the 3.3 (and pypy3, sadly) users? Logging a warn I have some code on my machine which I'm sure can work. I'm getting it A side note: It looks like the supported URL for libre.fm now is |
|
Let's use HTTPS where available, and HTTP otherwise. That's an improvement over the current situation. There's still some usage of Python 3.3, but it's not huge in comparison: I'll update the Libre.fm URL. |
|
On Fri, 2016-10-07 at 07:55:29 -0700, Hugo wrote:
Where we can use it easily and securely by default? Or where we can use it period? Because we can use it everywhere, it just
Nice! |
|
Thoughts Hugo? I have both ideas coded I just need to know which one to push :) On Thu, 13 Oct 2016, at 21:51, Simon Lundström wrote:
|
|
@simmel Everywhere sounds good! |
|
@hugovk sadly I gave you false hope, using SSL securely everywhere isn't possible.
On 3.3 we have to use I think I'm done with this, can you review it? |
There was a problem hiding this comment.
About certifi, do any of these work? http://stackoverflow.com/q/21082091/724176
Alternatively, if you want to leave certifi out of setup.py, import certifi # pip install certifi is a good workaround for the install thing: if there's an ImportError on 3.3, it'll show this line with comment. That way non-3.3 don't need to install it at all.
| # <=3.3 doesn't support create_default_context() | ||
| # <2.7.9 and <3.2 never did any SSL verification | ||
| # FIXME This can be removed after 2017-09 when 3.3 is no longer supported and | ||
| # pypy3 uses 3.4 or later, see https://en.wikipedia.org/wiki/CPython#Version_history |
There was a problem hiding this comment.
pep8 thing: "E501 line too long (84 > 79 characters)" https://travis-ci.org/pylast/pylast/jobs/169897742#L196
| @@ -42,16 +42,33 @@ | |||
| def _deprecation_warning(message): | |||
| warnings.warn(message, DeprecationWarning) | |||
|
|
|||
|
|
|||
| def can_use_ssl_securely(): | |||
There was a problem hiding this comment.
Rename as _can_use_ssl_securely if intended to be private?
| @@ -42,16 +42,33 @@ | |||
| def _deprecation_warning(message): | |||
| warnings.warn(message, DeprecationWarning) | |||
|
|
|||
|
|
|||
| def can_use_ssl_securely(): | |||
| # 3.3 doesn't support create_default_context() but can be made to work | |||
There was a problem hiding this comment.
Let's explicitly make it's clear it's "Python 3.3".
| @@ -131,6 +148,32 @@ def _deprecation_warning(message): | |||
|
|
|||
| XML_ILLEGAL = re.compile(RE_XML_ILLEGAL) | |||
|
|
|||
| # <=3.3 doesn't support create_default_context() | |||
There was a problem hiding this comment.
Let's explicitly make it's clear it's "Python <=3.3"
|
Sweet! That SO link was exactly what I didn't find before! I settled for I hope I've fixed everything. This time, I ran pep8 two times before I commited ; ) |
|
|
||
| # Python >3.4 and >2.7.9 has sane defaults | ||
| elif sys.version_info > (3, 4) or ( | ||
| sys.version_info < (3, 0) and sys.version_info > (2, 7, 9)): |
There was a problem hiding this comment.
Can this use _can_use_ssl_securely()?
The logic for _can_use_ssl_securely() is slightly different:
v > (3, 3) or (v < (3, 0) and v > (2, 7, 9))Compared to here:
v > (3, 4) or (v < (3, 0) and v > (2, 7, 9))Are they intentionally different? They have similar comments:
>3.4 and >2.7.9 has sane defaults so use SSL there
And:
Python >3.4 and >2.7.9 has sane defaults
If we cannot reuse _can_use_ssl_securely(), let's use interval comparison:
v > (3, 4) or ((2, 7, 9) < v < (3, 0))There was a problem hiding this comment.
No we can't since _can_use_ssl_securely() also includes 3.3.
Switched to clever code.
| # FIXME This can be removed after 2017-09 when 3.3 is no longer supported and | ||
| # pypy3 uses 3.4 or later, see | ||
| # https://en.wikipedia.org/wiki/CPython#Version_history | ||
| if sys.version_info < (3, 3, float("inf")) and sys.version_info > (3, 2): |
There was a problem hiding this comment.
So this matches 3.2.x. Let's use:
if sys.version_info[0] == 3 and sys.version_info[1] == 2:There was a problem hiding this comment.
3.3 actually, but yes let's.
| # <2.7.9 and <3.2 never did any SSL verification so don't do SSL there. | ||
| # >3.4 and >2.7.9 has sane defaults so use SSL there. | ||
| v = sys.version_info | ||
| return v > (3, 3) or (v < (3, 0) and v > (2, 7, 9)) |
There was a problem hiding this comment.
We can use interval comparison:
return v > (3, 3) or ((2, 7, 9) < v < (3, 0))There was a problem hiding this comment.
Looks like clever code but I'll allow it. Interval comparison looks neat (but clever)!
|
On Wed, 2016-10-19 at 04:48:29 -0700, Hugo wrote:
Ugh, sorry for spreading false hope. <2.7.9 and <3.2 we can't do good how much we try. Should they use SSL 3.3 we can make sane via the
|
There was a problem hiding this comment.
Thanks for the updates!
I'm not expecting all the CI tests to pass due to #171, and so far 2.7 looks fine (and 3.4, pypy and pypy3 are still pending), but 3.3 complains:
NetworkError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:548)
[<TracebackEntry /home/travis/build/pylast/pylast/tests/test_pylast.py:37>, <TracebackEntry /home/travis/build/pylast/pylast/tests/test_pylast.py:120>, <TracebackEntry /home/travis/build/pylast/pylast/pylast/__init__.py:2640>, <TracebackEntry /home/travis/build/pylast/pylast/pylast/__init__.py:1370>, <TracebackEntry /home/travis/build/pylast/pylast/pylast/__init__.py:1196>, <TracebackEntry /home/travis/build/pylast/pylast/pylast/__init__.py:1178>]
https://travis-ci.org/pylast/pylast/jobs/170886479
What's up there?
|
I'm clueless. TravisCI uses precise, an older Ubuntu version so I thought it might be a problem with too old OpenSSL but that doesn't seem to be the case: https://travis-ci.org/pylast/pylast/jobs/170998686#L198 Might be that pypy3 doesn't seem to have OpenSSL statically build in either but I'll try to list the ciphers in pypy3 some how. |
|
Ah yes, ancient OpenSSL https://travis-ci.org/pylast/pylast/builds/171464271#L210 |
|
Should work now. |
|
@hugovk they passed. On pypy3 the tests timed out though, any idea why? Looks like there were ~20ish tests left. Looks like it always takes that long in pull requests https://travis-ci.org/pylast/pylast/builds/167208560 |
|
Not sure what caused that pypy3 timeout. Yes, my PR's have access to the secrets. One way is for you to add your encrypted credentials like another contributor has (see f1e14f5), or if we do something from #171. Now Python 3.3 complains:
|
|
On Sat, 29 Oct 2016, at 14:39, Hugo wrote:
Sounds reasonable. In my "now playing"-script for irssi I've just made
Links: |
|
Thanks. By the way, that error is from Python 3.3, not PyPy3. |
https://docs.python.org/2/library/ssl.html#best-defaults Deal with older Pythons which didn't do certificate validation, have sane defaults or even provided a cipher string.
|
@hugovk looks like this is why Mozillas SSL guide uses the expanded and not the compact version of the cipher strings. |
|
@simmel Thanks for all the work, merged! |
|
Released in pylast 1.7.0. |
Update python_requires to specify the exact x.y.z 2.7.10 version required. (From HTTPS changes in #178.)
Closes #151