Re: [Distutils] Announcement: TLSv1.2 will become mandatory in the future

Tue, 10 Jan 2017 20:05:33 -0800 

> On Jan 10, 2017, at 10:59 PM, Nick Coghlan <ncogh...@gmail.com> wrote:
> 
> On 10 January 2017 at 23:24, Donald Stufft <don...@stufft.io> wrote:
>> Looking at the download numbers, the absolute largest driver of TLSv1.0 and
>> TLSv1.1 traffic to PyPI are old versions of pip or other clients where I
>> cannot
>> tell the OS that they are being run on.
> 
> Can you tell the Python version they're running even with older clients?
> 
> I just checked the exact dates/versions where TLS v1.2 was properly
> enabled in the various versions of Python that Red Hat ships, and this
> change should be fine for:
> 
> * RHEL/CentOS 7.2+ (PEP 466 backport released November 2015)
> * Red Hat Software Collections 2.2+ (PEP 466 backport released May 2016)
> 
> However, folks currently using the system Python 2.6 installation in
> RHEL/CentOS 6 are going to need to upgrade to Python 2.7 somehow,
> whether that's by:
> 
> - upgrading to RHEL/CentOS 7
> - doing a parallel install via RHSCL/softwarecollections.org
> - doing a parallel install via ius.io
> 
> (The problem with RHEL 6 is that even though the *OS* has supported
> TLS v1.2 since RHEL 6.5, *Python 2.6* doesn't properly support
> accessing them through the standard library's SSL module, since it's
> missing the features backported from 3.x by PEP 466)
> 
> Cheers,
> Nick.
> 
> -- 
> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia


No, but it doesn’t matter, the version of Python doesn’t control it at all 
since we use PROTOCOL_SSLv23 which will automatically negotiate the highest 
protocol OpenSSL supports, whether Python has bound the PROTOCOL_TLSv1_X 
constant and implemented the methods for it or not. So Python 2.6 is perfectly 
capable of talking to a TLSv1.2 site (it however, is not capable of explicitly 
saying it *needs*  only TLSv1.2).

See:

$ python2.6 -c "import urllib2,json; 
print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"
TLS 1.2

—
Donald Stufft




_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Reply via email to