Backport TLS 1.1 and 1.2 support for ssl_version #65195

Closed
dstufft opened this issue Mar 20, 2014 · 4 comments

Comments

@dstufft
Member

dstufft commented Mar 20, 2014

BPO 20996
Nosy @jcea, @ncoghlan, @pitrou, @tiran, @alex, @dstufft

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2014-08-28.21:31:30.738>
created_at = <Date 2014-03-20.14:16:45.159>
labels = []
title = 'Backport TLS 1.1 and 1.2 support for ssl_version'
updated_at = <Date 2014-08-28.21:31:30.737>
user = 'https://github.com/dstufft'

bugs.python.org fields:

activity = <Date 2014-08-28.21:31:30.737>
actor = 'alex'
assignee = 'none'
closed = True
closed_date = <Date 2014-08-28.21:31:30.738>
closer = 'alex'
components = []
creation = <Date 2014-03-20.14:16:45.159>
creator = 'dstufft'
dependencies = []
files = []
hgrepos = []
issue_num = 20996
keywords = []
message_count = 4.0
messages = ['214241', '214242', '214274', '226043']
nosy_count = 7.0
nosy_names = ['jcea', 'ncoghlan', 'pitrou', 'christian.heimes', 'Arfrever', 'alex', 'dstufft']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue20996'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3']

@dstufft
Member Author

dstufft commented Mar 20, 2014

Python 3.4 has constants and code to enable forcing the ssl_version to TLS 1.1 or 1.2. As it stands now, Python 2.7, 3.2, and 3.3 can successfully connect and will use a TLS 1.1 or 1.2 connection if it's available (new enough OpenSSL) but cannot _force_ a connection to use TLS 1.1 or 1.2.

It would be good to backport this from 3.4; it would involve adding constants to ssl.py and minimal code to _ssl.c to handle actually forcing the TLS method.
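
Added example, not part of the issue thread or of CPython's code: it contrasts a negotiating client context with one forced to TLS 1.2 by parsing the ClientHello each would send. The helper names (`negotiating_context`, `forced_tls12_context`, `client_hello`, `advertised_versions`) and the server name `example.test` are assumptions made for illustration.

```python
import ssl
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def negotiating_context():
    """Default client context: offers a range and lets the server pick."""
    return ssl.create_default_context()

def forced_tls12_context():
    """Client context that refuses anything but TLS 1.2."""
    if hasattr(ssl, "TLSVersion"):  # newer Pythons pin with min/max bounds
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        return ctx
    return ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # constant the issue backports

def client_hello(ctx):
    """Raw first flight ctx would send; memory BIOs, so no network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.test" is a placeholder server name (assumption).
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def advertised_versions(hello):
    """supported_versions list if present, else the legacy maximum version."""
    if hello[0] != 22 or hello[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    legacy = struct.unpack_from("!H", hello, 9)[0]
    pos = 9 + 2 + 32  # skip record/handshake headers, version, random
    pos += 1 + hello[pos]  # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
    pos += 1 + hello[pos]  # compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == 43:  # supported_versions (TLS 1.3-capable clients)
            count = hello[pos] // 2
            codes = struct.unpack_from("!%dH" % count, hello, pos + 1)
            return [NAMES.get(c, hex(c)) for c in codes]
        pos += ext_len
    # No extension: legacy_version is only a ceiling; a pinned client enforces
    # the floor itself when the ServerHello arrives.
    return [NAMES.get(legacy, hex(legacy))]
```

Calling `advertised_versions(client_hello(ctx))` on each context shows what a given configuration puts on the wire, which is a quick way to audit whether a client is pinned or merely negotiating.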

@pitrou
Member

pitrou commented Mar 20, 2014

Two questions:

  • does it fix a bug in Python?
  • does it fix a security issue in Python?

@ncoghlan
Contributor

Yes, I have been persuaded this fixes a security issue in the Python 2
ecosystem: the current barriers to good web security practices are too high.

I have been vocal in pointing out that Python 2 will remain a commercially
supported platform for at least another decade. However, for that to be a
valid claim, it needs to be possible to make effective use of modern web
protocols and security standards.

This is a PEP level discussion though - I'll get something up by tomorrow.

@alex
Member

alex commented Aug 28, 2014

This is resolved now.

@alex alex closed this as completed Aug 28, 2014
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022