Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Michael Kesper
Hi all,

On 29.10.19 14:15, Jeremy Stanley wrote:
> On 2019-10-29 13:29:02 +0100 (+0100), Michael Kesper wrote:
>> On 27.10.19 17:27, Drew Parsons wrote:
>>> On 2019-10-27 23:13, Daniele Tricoli wrote:
> [...] Not an expert here, but I think fallback is not done on purpose due downgrade

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Jeremy Stanley
On 2019-10-29 13:29:02 +0100 (+0100), Michael Kesper wrote:
> On 27.10.19 17:27, Drew Parsons wrote:
> > On 2019-10-27 23:13, Daniele Tricoli wrote:
[...]
> > > Not an expert here, but I think fallback is not done on
> > > purpose due downgrade attacks:
> > >

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Ondrej Novy
Hi,

On Tue 29. 10. 2019 at 13:29, Michael Kesper wrote:
>
> I see. Still an odd kind of protection though. The attacker can just
> downgrade themselves.
>
> No. A sensible server will not talk to you if your requested SSL version
> is too low.
> pub.orcid.org seems to use absolutely

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Michael Kesper
Hi all,

On 27.10.19 17:27, Drew Parsons wrote:
> On 2019-10-27 23:13, Daniele Tricoli wrote:
>> On Sun, Oct 13, 2019 at 10:31:31PM +0800, Drew Parsons wrote:
>>> It conditionally works.  Using curl, I found that TLSv1_0 or TLSv1_1 will
>>> support a successful connection, but only if the maximum

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-27 Thread Drew Parsons
On 2019-10-27 23:13, Daniele Tricoli wrote:
On Sun, Oct 13, 2019 at 10:31:31PM +0800, Drew Parsons wrote:
It conditionally works. Using curl, I found that TLSv1_0 or TLSv1_1 will support a successful connection, but only if the maximum SSL_VERSION is constrained to TLSv1_0 or TLSv1_1 (e.g.

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-27 Thread Daniele Tricoli
On Sun, Oct 13, 2019 at 10:31:31PM +0800, Drew Parsons wrote:
> It conditionally works. Using curl, I found that TLSv1_0 or TLSv1_1 will
> support a successful connection, but only if the maximum SSL_VERSION is
> constrained to TLSv1_0 or TLSv1_1 (e.g. curl -v --tlsv1.1 --tls-max 1.1
>

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-13 Thread Drew Parsons
Daniele wrote:
I hope to have the time to investigate also this: urllib3/contrib/pyopenssl.py contains code to have SSL with SNI_-support for Python 2 and it depends on pyOpenSSL, cryptography and idna. Maybe looking at them can give us more clues. Also, could you see if using Python3 the

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-12 Thread Daniele Tricoli
Hi Drew,

On 12/10/2019 07:57, Drew Parsons wrote:
> Hi Daniele, just letting you know I uploaded python-urllib3 1.25.6 to
> experimental.

Thanks for taking care of urllib3.

> I was having some SSL trouble connecting to https://pub.orcid.org.  The error
> trace cited

python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-12 Thread Drew Parsons
Hi Daniele, just letting you know I uploaded python-urllib3 1.25.6 to experimental. I was having some SSL trouble connecting to https://pub.orcid.org. The error trace cited urllib3/contrib/pyopenssl.py, so I downloaded and installed python-urllib3 1.25.6 to see if updates to default SSL/TLS