[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2021-04-17 Thread Christian Heimes
Christian Heimes added the comment: Python 2.7 is out of support. 3.6 will reach end of security support soon. More recent Python versions have TLS 1.0 and 1.1 deprecated and contain workarounds for tests. -- resolution: -> out of date stage: patch review -> resolved status: open -

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-11-03 Thread bryan mabra
bryan mabra added the comment: FYI, this is how I figured out and fixed the issue on my Debian system. -Run nmap to figure out what SSL version is being used by the server nmap -p443 -sV --script ssl-enum-ciphers 10.10.10.7 output says TLSv1.0 test 10.10.10.7 using example in this comment (get

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-24 Thread Kurt Roeckx
Kurt Roeckx added the comment: The effect is the same as calling SSL_CTX_set_min_proto_version().

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-24 Thread Christian Heimes
Christian Heimes added the comment: Thanks Kurt, which API are you using to disable TLS 1.0 and 1.1? Is it the old SSL_CTX_set_options() or the new SSL_CTX_set_min/max_proto_version() API?

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-24 Thread Kurt Roeckx
Kurt Roeckx added the comment: Note that the version in experimental only supports TLS 1.2 and 1.3 with the default config. It's moved from fixed in the code, to the default config file. I expect to upload that to unstable "soon", at which point people will be affected by this again.

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-24 Thread Christian Heimes
Christian Heimes added the comment: The problem no longer affects Python 3.7 and 3.8. It may affect Python 3.6 and 2.7 if Debian decides to disable TLS 1.0 and 1.1 again. If Debian uses the new OpenSSL 1.1.0 API to disable the protocols, then I have to backport https://bugs.python.org/issu

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-23 Thread Ned Deily
Ned Deily added the comment: Christian, ping again: can this be closed? In any case, it would not seem to be a "deferred blocker"; downgrading to "critical". Please close or update, thanks! -- priority: deferred blocker -> critical

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-15 Thread Ned Deily
Change by Ned Deily : -- versions: +Python 2.7, Python 3.6 -Python 3.7, Python 3.8

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-01 Thread Ned Deily
Ned Deily added the comment: Christian, ping. Can we close this?

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-03-29 Thread Ned Deily
Ned Deily added the comment: Christian, is there more needed for this issue or can it be closed?

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-02-27 Thread Christian Heimes
Christian Heimes added the comment: Ned, I have pushed the enhancement now. I feel a bit guilty about the last minute push, but I honestly believe it's in our best interest. There is a high chance that the new APIs will be required for Debian and other distros in the near future. OpenSSL

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-02-27 Thread miss-islington
miss-islington added the comment: New changeset 4c842b09209ccf1b4f853106b1f58bb888da02ef by Miss Islington (bot) in branch '3.7': bpo-31453: Add setter for min/max protocol version (GH-5259) https://github.com/python/cpython/commit/4c842b09209ccf1b4f853106b1f58bb888da02ef -- nosy: +m

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-02-27 Thread miss-islington
Change by miss-islington : -- pull_requests: +5697

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-02-27 Thread Christian Heimes
Christian Heimes added the comment: I have another good reason to land PR 5259 in 3.7. OpenSSL 1.1.0 has deprecated the old way to disable/enable protocol versions with set option. The OP_NO_TLSv1* constants will likely get removed in OpenSSL 1.2.0. I'm expecting to see a 1.2.0 release within

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-02-26 Thread Christian Heimes
Christian Heimes added the comment: I have closed the newer feature BPO-32609 in favor of this bug because Ned gave this bug a deferred blocker priority. OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported protocol version. The API is easier to use than the old OP_N

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-02-26 Thread Christian Heimes
Change by Christian Heimes : -- pull_requests: +5675

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-01-28 Thread Christian Heimes
Christian Heimes added the comment: The feature is still useful -- whether or not Debian disables TLS 1.0 and 1.1. The new API is easier to use and more convenient than the old bitmask approach. "option &=~OP_NO_SSLv3" is just horrible. :)

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-01-28 Thread Ned Deily
Ned Deily added the comment: I'm not clear if this is still needed, i.e. has Debian backed off on their change across the board? If it is still needed, I'm going to allow an extension for landing of it until 3.7.0b2, currently scheduled for 2018-02-26. If anyone else can help Christian get

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-11-27 Thread Ned Deily
Ned Deily added the comment: FWIW, Debian seems to have re-enabled TLS 1.0 and 1.1 in "testing". As a result, test_ssl now passes again. openssl (1.1.0g-1) unstable; urgency=medium * New upstream version - Fixes CVE-2017-3735 - Fixes CVE-2017-3736 * Remove patches applied upstrea

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-09-19 Thread Christian Heimes
Christian Heimes added the comment: PR 3662 undoes Debian's patching of OpenSSL. I'm not keen to undo a security improvement. However, Debian is breaking backwards compatibility. For Python 3.7 we could consider disabling TLS 1.0 and TLS 1.1 for PROTOCOL_TLS_SERVER and PROTOCOL_TLS_CLIENT.

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-09-19 Thread Christian Heimes
Changes by Christian Heimes : -- keywords: +patch pull_requests: +3651 stage: -> patch review

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-09-13 Thread Christian Heimes
Christian Heimes added the comment: It's an ugly hack and not a long term solution. The PROTOCOL_TLSv* constants and ssl.wrap_socket() are discouraged and will be removed soon.

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-09-13 Thread Christian Heimes
Christian Heimes added the comment: Matthias, this issue affects Debian and probably Ubuntu, too. Could you please discuss it with Debian maintainers and propose a workaround? Python does not expose the new OpenSSL 1.1.0 SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() calls

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-09-13 Thread Adrian Vollmer
Adrian Vollmer added the comment: I have a workaround for now: versions = [ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, ] firstbytes = s.recv(16, socket.MSG_PEEK) ss = ssl.wrap_socket(

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-09-13 Thread Christian Heimes
Changes by Christian Heimes : -- title: ssl.PROTOCOL_TLS only select TLSv1.2 -> Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2017-09-13 Thread Christian Heimes
Changes by Christian Heimes : -- versions: +Python 3.6, Python 3.7