[issue16692] Support TLS 1.1 and TLS 1.2
Wes Turner added the comment: http://docs.python.org/3.4/whatsnew/3.4.html#ssl re: Backporting to Python 2.7: maybe something like: backports.ssl (like backports.ssl_match_hostname) https://pypi.python.org/pypi/backports/ -- nosy: +westurner ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16692 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16692] Support TLS 1.1 and TLS 1.2
Mark Kubacki added the comment: Raw backport for Python 2.7. ›raw‹ like in some options are in _ssl only. (_ssl.{err_names_to_codes,err_codes_to_names,lib_codes_to_names,…}) -- nosy: +markk Added file: http://bugs.python.org/file30761/python-2.7.5-tls1.1-and-tls1.2.patch
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment: Ha. If you're insisting on backporting SSL stuff, I think the best option would be to create a third-party backport of the whole ssl module on PyPI.
[issue16692] Support TLS 1.1 and TLS 1.2
Thom Nichols added the comment: Is there any chance of this being backported to Python 2.7? Given NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I imagine there are at least a few folks who can't upgrade to Python 3.x, but need TLS 1.2 support. I think Ruby just recently implemented TLS 1.2 in 2.0, and backported it to the 1.9.3 tree. Thanks. -- nosy: +Thom.Nichols
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment:

> Is there any chance of this being backported to Python 2.7? Given NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I imagine there are at least a few folks who can't upgrade to Python 3.x, but need TLS 1.2 support. I think Ruby just recently implemented TLS 1.2 in 2.0, and backported it to the 1.9.3 tree. Thanks.

No, sorry. 2.7 only gets bug fixes.
[issue16692] Support TLS 1.1 and TLS 1.2
Roundup Robot added the comment: New changeset 02a89bd646ca by Antoine Pitrou in branch 'default': Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù. http://hg.python.org/cpython/rev/02a89bd646ca -- nosy: +python-dev
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment: Finally committed. Thanks for the patches! -- resolution: -> fixed stage: patch review -> committed/rejected status: open -> closed
[issue16692] Support TLS 1.1 and TLS 1.2
Michele Orrù added the comment: .. sorry for all these trivialities. -- Added file: http://bugs.python.org/file29584/issue16692.3.patch
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment:

Thanks. I don't know what happened, but the last patch fails to apply:

$ patch -p1 issue16692.3.patch
patching file Doc/library/ssl.rst
patching file Doc/whatsnew/3.4.rst
patching file Lib/ssl.py
patching file Lib/test/test_ssl.py
patching file Misc/NEWS
Hunk #1 succeeded at 1005 (offset 46 lines).
patching file Modules/_ssl.c
patch: malformed patch at line 291: struct py_ssl_error_code {

$ hg import --no-commit issue16692.3.patch
application de issue16692.3.patch
abandon : bad hunk #2 @@ -73,7 +78,13 @@
 (7 7 15 13)
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Michele Orrù maker...@gmail.com: Added file: http://bugs.python.org/file29587/issue16692.4.patch
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment:

Ok, yet another issue :-) Testing on a machine with OpenSSL 1.0.0 gives the following failures. I think you mixed up skipIf / skipUnless.

==
ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options
--
Traceback (most recent call last):
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 87, in f
    return func(*args, **kwargs)
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 1493, in test_protocol_sslv2
    try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 1363, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 1301, in server_params_test
    s.connect((HOST, server.port))
  File /home/antoine/cpython/default/Lib/ssl.py, line 582, in connect
    self._real_connect(addr, False)
  File /home/antoine/cpython/default/Lib/ssl.py, line 572, in _real_connect
    self.do_handshake()
  File /home/antoine/cpython/default/Lib/ssl.py, line 552, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

==
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
--
Traceback (most recent call last):
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 87, in f
    return func(*args, **kwargs)
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 1582, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, True)
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'

==
ERROR: test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.2 server with various client options.
--
Traceback (most recent call last):
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 87, in f
    return func(*args, **kwargs)
  File /home/antoine/cpython/default/Lib/test/test_ssl.py, line 1602, in test_protocol_tlsv1_2
    try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, True,
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment: Here is an updated patch fixing the aforementioned issue (as well as another small issue with the set_ciphers(ALL) hack). -- Added file: http://bugs.python.org/file29588/tls12.patch
[issue16692] Support TLS 1.1 and TLS 1.2
Michele Orrù added the comment:

synced with tip

> This decorator looks like it would be expressed in a simpler way, using unittest.skipIf (or unittest.skipUnless).
> It would be nice to check that connecting succeeds from a TLSv1_1 client on a SSLv23 server.
yep, thanks.

> Not sure why you test only with OP_NO_TLSv1_1.
I've just emulated older tests against older TLS protocols. Is there anything wrong you see?

PS: I have removed ssl.PROTOCOL_* from test_constants, since they are already used in the global variable PROTOCOLS.

--
Added file: http://bugs.python.org/file29501/issue16692.2.patch
[issue16692] Support TLS 1.1 and TLS 1.2
Michele Orrù added the comment: (ping)
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment: Michele, your latest patch doesn't apply on the default branch. However, I'll still do a review. -- stage: needs patch -> patch review
[issue16692] Support TLS 1.1 and TLS 1.2
Antoine Pitrou added the comment:

Ok, some review comments:

+ .. warning:: requires at least openssl version 1.0.1
+ .. warning:: requires at least openssl version 1.0.1

The warnings are not warranted here. You might simply say Available only with openssl version 1.0.1+.

+def skip_if_unsupported_tlsv1_1(func):

This decorator looks like it would be expressed in a simpler way using unittest.skipIf (or unittest.skipUnless).

+try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
+ client_options=ssl.OP_NO_TLSv1_1)

Not sure why you test only with OP_NO_TLSv1_1. It would be nice to check that connecting succeeds from a TLSv1_1 client on a SSLv23 server.
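Review bot: the try_protocol_combo(...) call at the end of this excerpt references ssl.PROTOCOL_TLSv1_1 and ssl.OP_NO_TLSv1_1 directly, while the docs line in the same patch says they need OpenSSL 1.0.1, so every test that touches these names has to sit behind the skip guard. Keying that guard on hasattr(ssl, "PROTOCOL_TLSv1_1") ties the test condition to what the module actually exposes on the build under test.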
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Michele Orrù maker...@gmail.com: -- nosy: +eric.araujo
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Michele Orrù maker...@gmail.com: Added file: http://bugs.python.org/file29066/issue16692.1.patch
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Éric Araujo mer...@netwok.org: -- nosy: -eric.araujo
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Michele Orrù maker...@gmail.com: -- keywords: +patch nosy: +maker Added file: http://bugs.python.org/file29022/issue16692.patch
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules nosy: +christian.heimes
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Jesús Cea Avión j...@jcea.es: -- nosy: +jcea
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Giampaolo Rodola' g.rod...@gmail.com: -- nosy: +giampaolo.rodola
[issue16692] Support TLS 1.1 and TLS 1.2
New submission from Antoine Pitrou: Recent OpenSSL versions (e.g. 1.0.1c) have explicit support for TLS 1.1 and (presumably, although undocumented-ly) TLS 1.2 through TLSv1_1_method() and TLSv1_2_method(). It should be easy to add such support to the ssl module (although figuring out how exactly protocol version compatibility is handled - for the docs - might be a challenge). -- components: Library (Lib) keywords: easy messages: 177541 nosy: pitrou priority: normal severity: normal stage: needs patch status: open title: Support TLS 1.1 and TLS 1.2 type: enhancement versions: Python 3.4
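On the protocol version compatibility question raised in the submission above, an added example (not code from the tracker issue or from CPython): it uses the later minimum_version/maximum_version API and an in-memory BIO to show which versions a client context advertises in its ClientHello. The helper names and the example.invalid hostname are assumptions made for the example.

```python
import ssl

VERSION_NAMES = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
                 (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}

def client_hello(ctx):
    """Return the raw ClientHello record a context emits, with no network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # example.invalid is a placeholder name; nothing is resolved or contacted
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the client now waits for the server
    return outgoing.read()

def offered_versions(record):
    """Parse a ClientHello record and list the protocol versions it advertises."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]                      # skip record (5) and handshake (4) headers
    legacy = (body[0], body[1])            # client_version field
    pos = 2 + 32                           # skip client_version and random
    pos += 1 + body[pos]                   # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                   # compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 43:                 # supported_versions (RFC 8446)
            pairs = [(data[i], data[i + 1]) for i in range(1, 1 + data[0], 2)]
            return [VERSION_NAMES.get(p, "unknown") for p in pairs]
        pos += 4 + ext_len
    # No extension: the hello only states the highest version the client accepts.
    return [VERSION_NAMES.get(legacy, "unknown")]

def pinned_context(minimum, maximum):
    """Client context restricted to the given ssl.TLSVersion range."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = minimum, maximum
    return ctx

if __name__ == "__main__":
    only12 = pinned_context(ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
    print(offered_versions(client_hello(only12)))
```

Without the supported_versions extension a ClientHello carries only the client's highest version, so a lower bound is enforced by the client when it reads the server's reply and is not visible in the hello itself.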
[issue16692] Support TLS 1.1 and TLS 1.2
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever