New submission from Christian Heimes <li...@cheimes.de>:

OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported 
protocol version. The API is easier to use than the old OP_NO_TLSv1 option 
flags, too

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

Debian used the new setters to disable TLS 1.0 and 1.1 in testing, #31453. The 
old TLS versions have been enabled again for now. Python must expose the new 
API in case Debian decides to disable them again.

I also like to deprecate the old OP_NO_TLSv1 et al. flags in favor of the new 
API. The option flags are awkward to use and easy to get wrong. For example 
applications must not leave holes in the OP_NO range (e.g. allow TLS 1.0 and 
1.2 but disable 1.1).

----------
assignee: christian.heimes
components: SSL
messages: 310374
nosy: christian.heimes
priority: normal
severity: normal
stage: needs patch
status: open
title: Add setter and getter for min/max protocol ersion
type: enhancement
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32609>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to