[issue32947] Support OpenSSL 1.1.1
Kurt Roeckx added the comment: Do you have any idea when the next release will be? I think python is currently our biggest blocker for getting OpenSSL 1.1.1 in Debian testing. -- ___ Python tracker <https://bugs.python.org/issue32947> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue32947] Support OpenSSL 1.1.1
Kurt Roeckx added the comment: Christian, Do you have any update on this? Any idea when we can expect relased python versions that work with OpenSSL 1.1.1? -- ___ Python tracker <https://bugs.python.org/issue32947> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue32947] Support OpenSSL 1.1.1
Kurt Roeckx added the comment: This are automated tests for the packages in Debian. I uploaded the pre9 version to unstable, and as a result of that all reverse dependencies got tested. I don't have any experience with python myself. Anyway, the openssl.cnf in Debian contains: [system_default_sect] MinProtocol = TLSv1.2 CipherString = DEFAULT@SECLEVEL=2 So you might want to override that during the test suite by calling SSL_CTX_set_min_proto_version(ctx, 0). -- ___ Python tracker <https://bugs.python.org/issue32947> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue32947] Support OpenSSL 1.1.1
Kurt Roeckx added the comment: This are the errors I'm currently getting testing with the pre9 verion in Debian: https://ci.debian.net/data/autopkgtest/testing/amd64/p/python2.7/865936/log.gz https://ci.debian.net/data/autopkgtest/testing/amd64/p/python3.6/865937/log.gz https://ci.debian.net/data/autopkgtest/testing/amd64/p/python3.7/865938/log.gz -- nosy: +kroeckx ___ Python tracker <https://bugs.python.org/issue32947> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS
Kurt Roeckx <k...@roeckx.be> added the comment: The effect is the same as calling SSL_CTX_set_min_proto_version(). -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31453> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS
Kurt Roeckx <k...@roeckx.be> added the comment: Note that the version in experimental only supports TLS 1.2 and 1.3 with the default config. It's moved from fixed in the code, to the default config file. I expect to upload that to unstable "soon", at which point people will be affected by this again. -- nosy: +kroeckx ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31453> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue32008] Example suggest to use a TLSv1 socket
New submission from Kurt Roeckx <k...@roeckx.be>: Here: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname And here: https://docs.python.org/2/library/ssl.html#ssl.SSLContext.check_hostname It uses ssl.PROTOCOL_TLSv1, which is a bad example. Please change it to PROTOCOL_SSLv23 or PROTOCOL_TLS. (Those were the first 2 examples I could find via google on how to create an ssl connection using python.) -- assignee: docs@python components: Documentation messages: 306093 nosy: docs@python, kroeckx priority: normal severity: normal status: open title: Example suggest to use a TLSv1 socket type: enhancement ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue32008> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22935] Disabling SSLv3 support
Kurt Roeckx added the comment: So this seems to be a function that just gets the certificate? You need to be careful with this since a server could perfectly decide to send a different certificate depending on the client hello it receives. Like if you support ECDSA it might decide to send you the ECDSA certificate instead of the RSA certificate. Or maybe you're even connecting to a different IP address? In any case, you should always use SSLv23, stop supporting anything else. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22935 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22935] Disabling SSLv3 support
Kurt Roeckx added the comment: SSLv3 does not support the TLS extensions so it's going to send a totally different Client Hello. It will for instance not indicate with elliptic curves it supports. So yes the behavior for SSLv3 and SSLv23 can be totally different. But even with both SSLv23 and a different cipher list you can get a different certificate. So what I'm really saying is that if you have an API to get a certificate that creates a new connection and you can set the options for that connection too that you need to document that properly that you might get a different certificate. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22935 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22935] Disabling SSLv3 support
Kurt Roeckx added the comment: Most such sites actually seem to have dropped support for SSLv3. One site where it depends on the cipher string is bugs.cdburnerxp.se -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22935 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22935] Disabling SSLv3 support
Kurt Roeckx added the comment: I did update the documentation to mention that, but it seems none of my documentation changes got applied. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22935 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22935] Disabling SSLv3 support
Kurt Roeckx added the comment: I've just signed the contributor agreement -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22935 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22935] Disabling SSLv3 support
New submission from Kurt Roeckx: Hi, The attached patch makes python work when openssl doesn't have SSLv3 support. It also updates the documentation, which has already improved a lot since my original patch. The current upstream openssl when compiled with no-ssl2 it defines OPENSSL_NO_SSL2, drops the SSLv2_* method and drops support for SSLv2 in the SSLv23_* methods. When build with no-ssl3 it defines OPENSSL_NO_SSL3 and currently just drops supports for SSLv3 in the SSLv23_method, it does not yet drop the SSLv3_* methods. It's still being argued whether no-ssl3 should drop those symbols or that a new option will be used instead. So that means that with OPENSSL_NO_SSL3 defined it could be that the SSLv3_* methods still exist and that you can create a socket that only support SSLv3. I made the SSLv3 methods go away in python if OPENSSL_NO_SSL3 is defined. This at least makes things easier for the test suite so that you know you can test a combination like v3 with v23 or not. This patch is for 2.7. Please let me know if you need a patch for a different version. -- files: python2.7-nossl3.patch keywords: patch messages: 231624 nosy: kroeckx priority: normal severity: normal status: open title: Disabling SSLv3 support Added file: http://bugs.python.org/file37268/python2.7-nossl3.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22935 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22935] Disabling SSLv3 support
Kurt Roeckx added the comment: I know what I uploaded to Debian experimental. And I can't promise that I'll keep that define. I suggest you assume that NO_SSL3 will disable both. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22935 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
