Modules/_ssl.c, repeated 'SSL_OP_NO_TLSv1_2'

[brotherbeer]

BPO	44389
Nosy	@tiran, @miss-islington, @nanjekyejoannah, @erlend-aasland, @j178, @brotherbeer
PRs	bpo-44389: Remove duplicate SSL_OP_NO_TLSv1_2 flag #26680 bpo-44389: Mark ssl.OP_NO_TLSv1_3 as deprecated #26699 bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700) #26700 [3.10] bpo-44389: Remove duplicate SSL_OP_NO_TLSv1_2 flag (GH-26680) #26704 [3.10] bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700) #26705 bpo-44389: Fix typo in ssl deprecation warning message #26754 [3.10] bpo-44389: Fix typo in ssl deprecation warning message (GH-26754) #26765
Files	_ssl_c_line_3576.png

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2021-06-13.12:07:25.518>
created_at = <Date 2021-06-11.08:23:58.962>
labels = ['type-bug', '3.10', '3.11']
title = "Modules/_ssl.c, repeated 'SSL_OP_NO_TLSv1_2'"
updated_at = <Date 2021-06-17.10:01:15.800>
user = 'https://github.com/brotherbeer'

bugs.python.org fields:

activity = <Date 2021-06-17.10:01:15.800>
actor = 'miss-islington'
assignee = 'none'
closed = True
closed_date = <Date 2021-06-13.12:07:25.518>
closer = 'christian.heimes'
components = []
creation = <Date 2021-06-11.08:23:58.962>
creator = 'brotherbeer'
dependencies = []
files = ['50103']
hgrepos = []
issue_num = 44389
keywords = ['patch']
message_count = 16.0
messages = ['395612', '395703', '395704', '395706', '395707', '395709', '395710', '395711', '395713', '395739', '395741', '395742', '395743', '395744', '395981', '395982']
nosy_count = 6.0
nosy_names = ['christian.heimes', 'miss-islington', 'nanjekyejoannah', 'erlendaasland', 'johnj', 'brotherbeer']
pr_nums = ['26680', '26699', '26700', '26704', '26705', '26754', '26765']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue44389'
versions = ['Python 3.10', 'Python 3.11']

[brotherbeer]

cpython-3.10.0b2/Modules/_ssl.c line 3576

3570 static int
3571 set_options(PySSLContext *self, PyObject *arg, void *c)
3572 {
3573 long new_opts, opts, set, clear;
3574 long opt_no = (
3575 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
3576 SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_2
3577 );

'SSL_OP_NO_TLSv1_2' is repeated, are any other items missing?

[nanjekyejoannah]

New changeset cb7230c by Erlend Egeberg Aasland in branch 'main':
bpo-44389: Remove duplicate SSL_OP_NO_TLSv1_2 flag (GH-26680)
cb7230c

[erlend-aasland]

Thanks for the report, Brother Beer.

[tiran]

It's a typo, not a duplicate entry. Correct line is:

SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3

[erlend-aasland]

But TLSv1.3 is included in openssl 1.1.1, no?

[tiran]

3.10 requires OpenSSL >= 1.1.1

The code checks for presence of deprecated options and emits a warning for all SSL_OP_NO_TLS/SSL* constants.

[erlend-aasland]

Yes, and judging from PEP-644, I figured the TLSv1.3 flag was _not_ deprecated. Sorry for the misunderstanding/noise.

[erlend-aasland]

Let me know if you want me to open a PR that adds the correct flag and adds deprecation wrappers to the tests.

[erlend-aasland]

Ah, I see now that it's deprecated in the docs as well: https://docs.python.org/3/library/ssl.html#ssl.OP_NO_TLSv1_3

[miss-islington]

New changeset f30f484 by Miss Islington (bot) in branch '3.10':
bpo-44389: Remove duplicate SSL_OP_NO_TLSv1_2 flag (GH-26680)
f30f484

[tiran]

New changeset bf52727 by Christian Heimes in branch 'main':
bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700)
bf52727

[tiran]

OpenSSL has deprecated these constants:

SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2

As of OpenSSL 1.1.0, these options are deprecated, use SSL_CTX_set_min_proto_version(3) and SSL_CTX_set_max_proto_version(3) instead.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.html

[miss-islington]

New changeset 4becc56 by Miss Islington (bot) in branch '3.10':
[3.10] bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700) (GH-26705)
4becc56

[erlend-aasland]

Thanks, Christian.

[miss-islington]

New changeset c544393 by Joe in branch 'main':
bpo-44389: Fix typo in ssl deprecation warning message (GH-26754)
c544393

[miss-islington]

New changeset 08f2b9d by Miss Islington (bot) in branch '3.10':
bpo-44389: Fix typo in ssl deprecation warning message (GH-26754)
08f2b9d