[issue32947] Support OpenSSL 1.1.1

2018-09-30 Thread Kurt Roeckx


Kurt Roeckx  added the comment:

Do you have any idea when the next release will be? I think Python is currently 
our biggest blocker for getting OpenSSL 1.1.1 in Debian testing.

--

___
Python tracker 
<https://bugs.python.org/issue32947>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue32947] Support OpenSSL 1.1.1

2018-09-19 Thread Kurt Roeckx


Kurt Roeckx  added the comment:

Christian,

Do you have any update on this? Any idea when we can expect released Python 
versions that work with OpenSSL 1.1.1?

--




[issue32947] Support OpenSSL 1.1.1

2018-08-22 Thread Kurt Roeckx


Kurt Roeckx  added the comment:

These are automated tests for the packages in Debian. I uploaded the pre9 
version to unstable, and as a result of that all reverse dependencies got 
tested. I don't have any experience with Python myself.

Anyway, the openssl.cnf in Debian contains:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

So you might want to override that during the test suite by calling 
SSL_CTX_set_min_proto_version(ctx, 0).

--




[issue32947] Support OpenSSL 1.1.1

2018-08-22 Thread Kurt Roeckx


Kurt Roeckx  added the comment:

These are the errors I'm currently getting testing with the pre9 version in 
Debian:
https://ci.debian.net/data/autopkgtest/testing/amd64/p/python2.7/865936/log.gz
https://ci.debian.net/data/autopkgtest/testing/amd64/p/python3.6/865937/log.gz
https://ci.debian.net/data/autopkgtest/testing/amd64/p/python3.7/865938/log.gz

--
nosy: +kroeckx




[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-24 Thread Kurt Roeckx

Kurt Roeckx  added the comment:

The effect is the same as calling SSL_CTX_set_min_proto_version().

--

Python tracker 
<https://bugs.python.org/issue31453>



[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS

2018-05-24 Thread Kurt Roeckx

Kurt Roeckx  added the comment:

Note that the version in experimental only supports TLS 1.2 and 1.3 with the 
default config. It's moved from fixed in the code to the default config file. 
I expect to upload that to unstable "soon", at which point people will be 
affected by this again.

--
nosy: +kroeckx




[issue32008] Example suggests to use a TLSv1 socket

2017-11-11 Thread Kurt Roeckx

New submission from Kurt Roeckx :

Here:
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname

And here:
https://docs.python.org/2/library/ssl.html#ssl.SSLContext.check_hostname

It uses ssl.PROTOCOL_TLSv1, which is a bad example. Please change it to 
PROTOCOL_SSLv23 or PROTOCOL_TLS.

(Those were the first two examples I could find via Google on how to create an 
SSL connection using Python.)

--
assignee: docs@python
components: Documentation
messages: 306093
nosy: docs@python, kroeckx
priority: normal
severity: normal
status: open
title: Example suggests to use a TLSv1 socket
type: enhancement

Python tracker 
<https://bugs.python.org/issue32008>
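Added example, not code from these tracker messages, from the Debian packaging or from CPython's own test suite: the Python-level form of two points raised in this thread. First, the override suggested for the test suite when Debian's openssl.cnf sets MinProtocol = TLSv1.2 and CipherString = DEFAULT@SECLEVEL=2: SSL_CTX_set_min_proto_version(ctx, 0) is spelled `minimum_version = TLSVersion.MINIMUM_SUPPORTED` on a Python 3.7+ SSLContext, and the security level is reset through the cipher string. Second, the negotiating context the check_hostname documentation example should use instead of PROTOCOL_TLSv1 (PROTOCOL_TLS_CLIENT is the current spelling of PROTOCOL_SSLv23/PROTOCOL_TLS), next to what a single-version pin amounts to. The function names, the PRODUCTION_CIPHERS string and the audit tags are assumptions of mine, not a CPython API.

```python
import ssl
import warnings

# The floor a production client should enforce itself. Debian's openssl.cnf
# applies the same floor system-wide (MinProtocol = TLSv1.2, CipherString =
# DEFAULT@SECLEVEL=2); a context that relies on that file alone inherits
# whatever floor the host it runs on happens to configure.
MIN_PRODUCTION_VERSION = ssl.TLSVersion.TLSv1_2

# AEAD, forward-secret suites only; nothing here is below 128-bit strength.
# (Assumed policy string, not a Python or OpenSSL default.)
PRODUCTION_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"


def negotiating_client_context():
    """The shape the check_hostname doc example should take: negotiate the
    newest version both peers support, verify the chain, match the host name.
    PROTOCOL_TLS_CLIENT already defaults to check_hostname=True and
    CERT_REQUIRED; they are set again so the policy survives later edits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_PRODUCTION_VERSION
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # never cap the ceiling
    ctx.set_ciphers(PRODUCTION_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def pinned_client_context(version):
    """What ssl.PROTOCOL_TLSv1 in the old doc example amounts to: a context
    that speaks exactly one version and can never negotiate up. Written with
    the 3.7+ min/max attributes; Python 3.10+ emits a DeprecationWarning when
    the pin is TLS 1.1 or older, which is the point of the bug report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def test_suite_context():
    """Python-level equivalent of SSL_CTX_set_min_proto_version(ctx, 0) plus
    a cipher-string reset that undoes @SECLEVEL=2 for this one context only.
    OpenSSL 3 refuses TLS 1.0/1.1 above security level 0, so level 0 is what
    a test that deliberately exercises legacy versions needs. Test code only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # min_proto_version = 0
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # max_proto_version = 0
    try:
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        # LibreSSL has no security levels and rejects the @SECLEVEL syntax.
        ctx.set_ciphers("DEFAULT")
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return {tag: detail} for every way ctx falls short of the production
    floor; an empty dict means it passes."""
    findings = {}
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo < MIN_PRODUCTION_VERSION:            # MINIMUM_SUPPORTED (-2) counts too
        findings["min_version"] = f"minimum_version is {lo.name}, below TLSv1_2"
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED:
        findings["max_pinned"] = f"maximum_version pinned to {hi.name}; newer versions can never be negotiated"
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings["no_verify"] = "peer certificate is not verified"
    if not ctx.check_hostname:
        findings["no_hostname"] = "certificate is not matched against the host name"
    weakest = min(c["strength_bits"] for c in ctx.get_ciphers())
    if weakest < 128:
        findings["weak_cipher"] = f"cipher list admits a {weakest}-bit cipher"
    return findings


if __name__ == "__main__":
    for name, ctx in [("negotiating", negotiating_client_context()),
                      ("pinned to TLSv1", pinned_client_context(ssl.TLSVersion.TLSv1)),
                      ("test suite", test_suite_context())]:
        print(f"{name}: {audit(ctx) or 'OK'}")
```

Running the module prints an empty finding set for the negotiating context, `min_version` and `max_pinned` for the TLSv1 pin, and `min_version`, `no_verify` and `no_hostname` for the test-suite context. The `weak_cipher` finding depends on which suites the linked OpenSSL still ships at level 0 (3DES on 1.1.1, for instance), so the test below does not assert on it.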



[issue22935] Disabling SSLv3 support

2014-12-12 Thread Kurt Roeckx

Kurt Roeckx added the comment:

Most such sites actually seem to have dropped support for SSLv3.

One site where it depends on the cipher string is bugs.cdburnerxp.se

--

Python tracker 
<http://bugs.python.org/issue22935>



[issue22935] Disabling SSLv3 support

2014-12-12 Thread Kurt Roeckx

Kurt Roeckx added the comment:

SSLv3 does not support the TLS extensions, so it's going to send a totally 
different Client Hello.  It will, for instance, not indicate which elliptic curves 
it supports.  So yes, the behavior for SSLv3 and SSLv23 can be totally 
different.  But even with both SSLv23 and a different cipher list you can get a 
different certificate.

So what I'm really saying is that if you have an API to get a certificate that 
creates a new connection, and you can set the options for that connection too, 
you need to document properly that you might get a different 
certificate.

--




[issue22935] Disabling SSLv3 support

2014-12-12 Thread Kurt Roeckx

Kurt Roeckx added the comment:

So this seems to be a function that just gets the certificate?  You need to be 
careful with this, since a server could perfectly well decide to send a different 
certificate depending on the Client Hello it receives.  Like if you support 
ECDSA it might decide to send you the ECDSA certificate instead of the RSA 
certificate.  Or maybe you're even connecting to a different IP address?

In any case, you should always use SSLv23, stop supporting anything else.

--




[issue22935] Disabling SSLv3 support

2014-12-08 Thread Kurt Roeckx

Kurt Roeckx added the comment:

I did update the documentation to mention that, but it seems none of my 
documentation changes got applied.

--




[issue22935] Disabling SSLv3 support

2014-12-01 Thread Kurt Roeckx

Kurt Roeckx added the comment:

I've just signed the contributor agreement.

--




[issue22935] Disabling SSLv3 support

2014-11-24 Thread Kurt Roeckx

Kurt Roeckx added the comment:

I know what I uploaded to Debian experimental.  And I can't promise that I'll 
keep that define.  I suggest you assume that NO_SSL3 will disable both.

--




[issue22935] Disabling SSLv3 support

2014-11-24 Thread Kurt Roeckx

New submission from Kurt Roeckx:

Hi,

The attached patch makes Python work when OpenSSL doesn't have SSLv3 support.  
It also updates the documentation, which has already improved a lot since my 
original patch.

The current upstream OpenSSL, when compiled with no-ssl2, defines 
OPENSSL_NO_SSL2, drops the SSLv2_* methods and drops support for SSLv2 in the 
SSLv23_* methods.  When built with no-ssl3 it defines OPENSSL_NO_SSL3 and 
currently just drops support for SSLv3 in the SSLv23_method; it does not yet 
drop the SSLv3_* methods.  It's still being argued whether no-ssl3 should drop 
those symbols or whether a new option will be used instead.

So that means that with OPENSSL_NO_SSL3 defined it could be that the SSLv3_* 
methods still exist and that you can create a socket that only supports SSLv3.

I made the SSLv3 methods go away in python if OPENSSL_NO_SSL3 is defined.  This 
at least makes things easier for the test suite so that you know you can test a 
combination like v3 with v23 or not.

This patch is for 2.7.  Please let me know if you need a patch for a different 
version.

--
files: python2.7-nossl3.patch
keywords: patch
messages: 231624
nosy: kroeckx
priority: normal
severity: normal
status: open
title: Disabling SSLv3 support
Added file: http://bugs.python.org/file37268/python2.7-nossl3.patch

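Added example, not part of the patch attached to this issue and not CPython test-suite code: a Python-side model of which protocol-version combinations a test suite can expect to work on a given OpenSSL build. It uses the ssl.HAS_* flags (ssl.HAS_SSLv3 is the Python view of OPENSSL_NO_SSL3), resolves the "0" bounds that SSL_CTX_set_min/max_proto_version(ctx, 0) stand for, and predicts the outcome of a pinned-versus-negotiating (SSLv3 versus SSLv23 style) pairing as the highest version both ranges share. It models version negotiation only; a pairing the model accepts can still fail on cipher or security-level settings, which is exactly what the Debian openssl.cnf in the issue32947 messages did. Function names are my own.

```python
import ssl

# Wire-ordered versions, each paired with the ssl-module flag that reports
# whether the linked OpenSSL was built with that version at all.
VERSION_FLAGS = (
    (ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
)


def built_in_versions():
    """Versions this interpreter's OpenSSL can speak, lowest first."""
    return [v for v, present in VERSION_FLAGS if present]


def resolve(bound, available):
    """Turn MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED (what passing 0 to
    SSL_CTX_set_min/max_proto_version means) into a concrete version."""
    if bound == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return available[0]
    if bound == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return available[-1]
    return bound


def expected_negotiation(client, server, available=None):
    """client and server are (minimum_version, maximum_version) pairs.
    Return the version a handshake between them settles on, i.e. the highest
    built-in version inside both ranges, or None when the ranges do not
    overlap or the only candidates are versions this build does not have."""
    available = available if available is not None else built_in_versions()
    c_lo, c_hi = (resolve(b, available) for b in client)
    s_lo, s_hi = (resolve(b, available) for b in server)
    lo, hi = max(c_lo, s_lo), min(c_hi, s_hi)
    common = [v for v in available if lo <= v <= hi]
    return common[-1] if common else None


def pinned_server_matrix(available=None):
    """For each protocol version, what a negotiating (SSLv23-style) client
    gets against a server pinned to that version: the version itself, or None
    when the build lacks it and the test must be skipped."""
    available = available if available is not None else built_in_versions()
    anything = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED)
    return {v: expected_negotiation(anything, (v, v), available)
            for v, _ in VERSION_FLAGS}


if __name__ == "__main__":
    print("built in:", [v.name for v in built_in_versions()])
    for v, outcome in pinned_server_matrix().items():
        print(f"client any vs server {v.name:8}: {'skip' if outcome is None else outcome.name}")
```

The `available` argument exists so a test can feed a constructed build (say, one without SSLv3) instead of the interpreter's real one; the test below does that.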