Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OP_NO_TLSv1_3 #73322

Closed
tiran opened this issue Jan 2, 2017 · 14 comments
Closed

Add OP_NO_TLSv1_3 #73322

tiran opened this issue Jan 2, 2017 · 14 comments
Assignees
Labels
3.7 expert-SSL type-feature

Comments

@tiran
Copy link
Member

@tiran tiran commented Jan 2, 2017

BPO 29136
Nosy @larryhastings, @tiran, @benjaminp, @ned-deily, @alex, @Lukasa
PRs
  • #1363
  • #3444
  • #3446
  • #3483
  • #11877
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2017-09-10.19:15:14.587>
    created_at = <Date 2017-01-02.21:07:24.729>
    labels = ['expert-SSL', 'type-feature', '3.7']
    title = 'Add OP_NO_TLSv1_3'
    updated_at = <Date 2019-02-15.15:31:23.753>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2019-02-15.15:31:23.753>
    actor = 'cstratak'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2017-09-10.19:15:14.587>
    closer = 'christian.heimes'
    components = ['SSL']
    creation = <Date 2017-01-02.21:07:24.729>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 29136
    keywords = ['patch']
    message_count = 14.0
    messages = ['284504', '284509', '286032', '286094', '286096', '286239', '301654', '301662', '301674', '301678', '301803', '301820', '301828', '301829']
    nosy_count = 7.0
    nosy_names = ['larry', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'Arfrever', 'alex', 'Lukasa']
    pr_nums = ['1363', '3444', '3446', '3483', '11877']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'enhancement'
    url = 'https://bugs.python.org/issue29136'
    versions = ['Python 2.7', 'Python 3.6', 'Python 3.7']

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Jan 2, 2017

    OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols PROTOCOL_TLS (old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER are going to have TLS 1.3 enabled by default. In order to disable TLS 1.3, let's add OP_NO_TLSv1_3 to _ssl.c and guard it with #ifdef SSL_OP_NO_TLSv1_3

    https://github.com/openssl/openssl/blob/d2e491f225d465b11f18a466bf399d4a899cb50e/include/openssl/ssl.h#L346

    Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be available any time soon. I like to add the flag *after* the upcoming round of releases.

    @tiran tiran added the 3.7 label Jan 2, 2017
    @tiran tiran self-assigned this Jan 2, 2017
    @tiran tiran added expert-SSL type-feature labels Jan 2, 2017
    @benjaminp
    Copy link
    Contributor

    @benjaminp benjaminp commented Jan 2, 2017

    I think that's fine for 2.7.

    On Mon, Jan 2, 2017, at 13:07, Christian Heimes wrote:

    New submission from Christian Heimes:

    OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols
    PROTOCOL_TLS (old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and
    PROTOCOL_TLS_SERVER are going to have TLS 1.3 enabled by default. In
    order to disable TLS 1.3, let's add OP_NO_TLSv1_3 to _ssl.c and guard it
    with #ifdef SSL_OP_NO_TLSv1_3

    https://github.com/openssl/openssl/blob/d2e491f225d465b11f18a466bf399d4a899cb50e/include/openssl/ssl.h#L346

    Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be
    available any time soon. I like to add the flag *after* the upcoming
    round of releases.

    ----------
    assignee: christian.heimes
    components: SSL
    messages: 284504
    nosy: benjamin.peterson, christian.heimes, larry, ned.deily
    priority: normal
    severity: normal
    stage: needs patch
    status: open
    title: Add OP_NO_TLSv1_3
    type: enhancement
    versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7


    Python tracker <report@bugs.python.org>
    <http://bugs.python.org/issue29136\>


    @tiran
    Copy link
    Member Author

    @tiran tiran commented Jan 22, 2017

    memo to me: Update the TLS cipher list to include TLS 1.3 ciphers. TLS 1.3 uses a disjunct set of cipher suites. No member of the current cipher suite set is compatible with TLS 1.3. Handshake with TLS 1.3 enabled servers is going to fail.

    As of today OpenSSL 1.1.1-dev provides one of five TLS 1.3 ciphers: TLS13-AES-128-GCM-SHA256. TLS13-AES-256-GCM-SHA384 and TLS13-CHACHA20-POLY1305 are not yet implemented as are CCM block mode.

    @alex
    Copy link
    Member

    @alex alex commented Jan 23, 2017

    We can easily just add TLS13:... at the from of our ciphersuite list and it'll be ok though right? (Note to self, do the same in urllib3, twisted, requests, god only knows what else)

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Jan 23, 2017

    No, of course it does not work (yet):

    $ LD_LIBRARY_PATH=. apps/openssl ciphers TLS13
    Error in cipher list
    140546693477888:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2100:

    @Lukasa
    Copy link
    Mannequin

    @Lukasa Lukasa mannequin commented Jan 25, 2017

    For those who want to keep track, the relevant OpenSSL ticket for configuring TLSv1.3 cipher suites is openssl/openssl#2276.

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Sep 8, 2017

    PR 1363 also introduced ssl.HAS_TLSv1_3 flag for unit tests. The flag is required because OpenSSL 1.1.1-dev can be compiled without TLS 1.3 support. The development version always defines OP_NO_TLSv1_3 to a non-zero value. Further more the PR adds a test for TLS 1.3.

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Sep 8, 2017

    New changeset cb5b68a by Christian Heimes in branch 'master':
    bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (bpo-1363)
    cb5b68a

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Sep 8, 2017

    New changeset 9f2b3d4 by Christian Heimes in branch '3.6':
    [3.6] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (bpo-3444)
    9f2b3d4

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Sep 8, 2017

    New changeset b9a860f by Christian Heimes in branch '2.7':
    [2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (bpo-3446)
    b9a860f

    @tiran tiran closed this Sep 8, 2017
    @Arfrever
    Copy link
    Mannequin

    @Arfrever Arfrever mannequin commented Sep 10, 2017

    In backport to 2.7 branch, ".. versionadded:: 2.7.15" and ".. versionchanged:: 2.7.15" were used.

    However, in backport to 3.6 branch, ".. versionadded:: 3.7" and ".. versionchanged:: 3.7" were used, instead of expected ".. versionadded:: 3.6.3" and ".. versionchanged:: 3.6.3".

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Sep 10, 2017

    Good catch, thanks! I'll update the documentation.

    @tiran tiran removed the 3.7 label Sep 10, 2017
    @tiran tiran reopened this Sep 10, 2017
    @tiran
    Copy link
    Member Author

    @tiran tiran commented Sep 10, 2017

    New changeset 2858031 by Christian Heimes in branch '3.6':
    bpo-29136: Fix versionchange for TLS 1.3 changes (bpo-3483)
    2858031

    @tiran
    Copy link
    Member Author

    @tiran tiran commented Sep 10, 2017

    Thanks, I fixed versionchanged.

    @tiran tiran added the 3.7 label Sep 10, 2017
    @tiran tiran closed this Sep 10, 2017
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.7 expert-SSL type-feature
    Projects
    None yet
    Development

    No branches or pull requests

    3 participants