Cleanup METHOD_SSLv3 #5634
Codecov Report
@@ Coverage Diff @@
## master #5634 +/- ##
==========================================
+ Coverage 88.40% 88.85% +0.44%
==========================================
Files 162 162
Lines 10850 10964 +114
Branches 1861 1894 +33
==========================================
+ Hits 9592 9742 +150
+ Misses 975 942 -33
+ Partials 283 280 -3
We need to update https://docs.scrapy.org/en/latest/topics/settings.html#downloader-client-tls-method as well.
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
@Gallaecio updated
Hey! In install_requires we list pyOpenSSL 21.0 as a minimum requirement; should we support SSLv3 if older pyOpenSSL is installed? I.e. do getattr instead of removing the support completely? @Gallaecio @wRAR what do you think about backporting the fix (e.g. for 2.6.3)?
Since web browsers only support TLS 1.2+, and SSLv3 is worse than TLS 1.0, I don’t think it is a big deal. In fact, I would be OK with dropping TLS 1.0 and 1.1 as well from there, just as the latest Twisted does, based on the argument that we aim to replicate browser behavior. Not a strong opinion, though. @wRAR? About backporting the fix, +1, since 2.7 may not be released for a while, and
Ok, let's kill SSLv3 :) Thanks for the help @gliptak!
How to kill SSLv3?
It's killed in master @xhMiao; we're also going to do 2.6.3 release (#5637), but it's not released yet. For now you can pin pyOpenSSL version, as described in #5635 (comment).
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
docs generation is not running for PRs?
Fixes #5632, fixes #5635.