Support TLS 1.1 and TLS 1.2

[pitrou]

BPO	16692
Nosy	@jcea, @pitrou, @giampaolo, @tiran, @mmaker, @westurner
Files	issue16692.patch issue16692.1.patch issue16692.2.patch issue16692.3.patch issue16692.4.patch tls12.patch python-2.7.5-tls1.1-and-tls1.2.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2013-03-28.21:30:16.089>
created_at = <Date 2012-12-15.17:31:05.873>
labels = ['extension-modules', 'easy', 'type-feature', 'library']
title = 'Support TLS 1.1 and TLS 1.2'
updated_at = <Date 2013-08-04.18:12:40.327>
user = 'https://github.com/pitrou'

bugs.python.org fields:

activity = <Date 2013-08-04.18:12:40.327>
actor = 'westurner'
assignee = 'none'
closed = True
closed_date = <Date 2013-03-28.21:30:16.089>
closer = 'pitrou'
components = ['Extension Modules', 'Library (Lib)']
creation = <Date 2012-12-15.17:31:05.873>
creator = 'pitrou'
dependencies = []
files = ['29022', '29066', '29501', '29584', '29587', '29588', '30761']
hgrepos = []
issue_num = 16692
keywords = ['patch', 'easy']
message_count = 16.0
messages = ['177541', '184300', '184341', '184342', '184745', '185300', '185301', '185305', '185308', '185470', '185471', '189873', '189879', '192249', '192250', '194404']
nosy_count = 10.0
nosy_names = ['jcea', 'pitrou', 'giampaolo.rodola', 'christian.heimes', 'Arfrever', 'maker', 'python-dev', 'Thom.Nichols', 'markk', 'westurner']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue16692'
versions = ['Python 3.4']

[pitrou]

Recent OpenSSL versions (e.g. 1.0.1c) have explicit support for TLS 1.1 and (presumably, although undocumented-ly) TLS 1.2 through TLSv1_1_method() and TLSv1_2_method(). It should be easy to add such support to the ssl module (although figuring out how exactly protocol version compatibility is handled - for the docs - might be a challenge).

[mmaker]

(ping)

[pitrou]

Michele, your latest patch doesn't apply on the default branch. However, I'll still do a review.

[pitrou]

Ok, some review comments:

+ .. warning:: requires at least openssl version 1.0.1

+ .. warning:: requires at least openssl version 1.0.1

The warnings are not warranted here. You might simply say "Available only with openssl version 1.0.1+."

+def skip_if_unsupported_tlsv1_1(func):

This decorator looks like it would be impressed in a simpler way using unittest.skipIf (or unittest.skipUnless).

+ try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
+ client_options=ssl.OP_NO_TLSv1_1)

Not sure why you test only with OP_NO_TLSv1_1. It would be nice to check that connecting succeeds from a TLSv1_1 client on a SSLv23 server.

[mmaker]

synced with tip

This decorator looks like it would be impressed in a simpler way,
using unittest.skipIf (or unittest.skipUnless).

It would be nice to check that connecting succeeds from a
TLSv1_1 client on a SSLv23 server.

yep, thanks.

Not sure why you test only with OP_NO_TLSv1_1.
I've just emulated older tests against older TSL protocols. Is there anything wrong you see?

PS: I have removed ssl.PROTOCOL_* from test_constants, since they are already used in the global variable PROTOCOLS.

[mmaker]

.. sorry for all these trivialities.

[pitrou]

Thanks. I don't know what happened, but the last patch fails to apply:

$ patch -p1 < issue16692.3.patch 
patching file Doc/library/ssl.rst
patching file Doc/whatsnew/3.4.rst
patching file Lib/ssl.py
patching file Lib/test/test_ssl.py
patching file Misc/NEWS
Hunk #1 succeeded at 1005 (offset 46 lines).
patching file Modules/_ssl.c
patch: **** malformed patch at line 291:  struct py_ssl_error_code {


$ hg import --no-commit issue16692.3.patch 
application de issue16692.3.patch
abandon : bad hunk #2 @@ -73,7 +78,13 @@
 (7 7 15 13)

[pitrou]

Ok, yet another issue :-) Testing on a machine with OpenSSL 1.0.0 gives the following failures. I think you mixed up skipIf / skipUnless.

======================================================================
ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1493, in test_protocol_sslv2
    try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1363, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1301, in server_params_test
    s.connect((HOST, server.port))
  File "/home/antoine/cpython/default/Lib/ssl.py", line 582, in connect
    self._real_connect(addr, False)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 572, in _real_connect
    self.do_handshake()
  File "/home/antoine/cpython/default/Lib/ssl.py", line 552, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1582, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, True)
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'

======================================================================
ERROR: test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.2 server with various client options.
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1602, in test_protocol_tlsv1_2
    try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, True,
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'

[pitrou]

Here is an updated patch fixing the aforementioned issue (as well as another small issue with the set_ciphers("ALL") hack).

[python-dev]

New changeset 02a89bd646ca by Antoine Pitrou in branch 'default':
Issue bpo-16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
http://hg.python.org/cpython/rev/02a89bd646ca

[pitrou]

Finally committed. Thanks for the patches!

[ThomNichols]

Is there any chance of this being backported to Python 2.7? Given NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I imagine there are at least a few folks who can't upgrade to Python 3.x, but need TLS 1.2 support. I think Ruby just recently implemented TLS 1.2 in 2.0, and backported it to the 1.9.3 tree. Thanks.

[pitrou]

Is there any chance of this being backported to Python 2.7? Given
NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I
imagine there are at least a few folks who can't upgrade to Python
3.x, but need TLS 1.2 support. I think Ruby just recently implemented
TLS 1.2 in 2.0, and backported it to the 1.9.3 tree. Thanks.

No, sorry. 2.7 only gets bug fixes.

[markk]

Raw backport for Python 2.7. ›raw‹ like in some options are in _ssl only. (_ssl.{err_names_to_codes,err_codes_to_names,lib_codes_to_names,…})

[pitrou]

Ha. If you're insisting on backporting SSL stuff, I think the best option would be to create a third-party backport of the whole ssl module on PyPI.

[westurner]

http://docs.python.org/3.4/whatsnew/3.4.html#ssl

re: Backporting to Python 2.7: maybe something like:

backports.ssl (like backports.ssl_match_hostname)

https://pypi.python.org/pypi/backports/