-
-
Notifications
You must be signed in to change notification settings - Fork 30.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OP_NO_TLSv1_3 #73322
Comments
OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols PROTOCOL_TLS (old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER are going to have TLS 1.3 enabled by default. In order to disable TLS 1.3, let's add OP_NO_TLSv1_3 to _ssl.c and guard it with #ifdef SSL_OP_NO_TLSv1_3 Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be available any time soon. I like to add the flag *after* the upcoming round of releases. |
I think that's fine for 2.7. On Mon, Jan 2, 2017, at 13:07, Christian Heimes wrote:
|
memo to me: Update the TLS cipher list to include TLS 1.3 ciphers. TLS 1.3 uses a disjunct set of cipher suites. No member of the current cipher suite set is compatible with TLS 1.3. Handshake with TLS 1.3 enabled servers is going to fail. As of today OpenSSL 1.1.1-dev provides one of five TLS 1.3 ciphers: TLS13-AES-128-GCM-SHA256. TLS13-AES-256-GCM-SHA384 and TLS13-CHACHA20-POLY1305 are not yet implemented as are CCM block mode. |
We can easily just add |
No, of course it does not work (yet): $ LD_LIBRARY_PATH=. apps/openssl ciphers TLS13
Error in cipher list
140546693477888:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2100: |
For those who want to keep track, the relevant OpenSSL ticket for configuring TLSv1.3 cipher suites is openssl/openssl#2276. |
PR 1363 also introduced ssl.HAS_TLSv1_3 flag for unit tests. The flag is required because OpenSSL 1.1.1-dev can be compiled without TLS 1.3 support. The development version always defines OP_NO_TLSv1_3 to a non-zero value. Further more the PR adds a test for TLS 1.3. |
In backport to 2.7 branch, ".. versionadded:: 2.7.15" and ".. versionchanged:: 2.7.15" were used. However, in backport to 3.6 branch, ".. versionadded:: 3.7" and ".. versionchanged:: 3.7" were used, instead of expected ".. versionadded:: 3.6.3" and ".. versionchanged:: 3.6.3". |
Good catch, thanks! I'll update the documentation. |
Thanks, I fixed versionchanged. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: