Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Michael Kesper
Hi all, On 27.10.19 17:27, Drew Parsons wrote: > On 2019-10-27 23:13, Daniele Tricoli wrote: >> On Sun, Oct 13, 2019 at 10:31:31PM +0800, Drew Parsons wrote: >>> It conditionally works.  Using curl, I found that TLSv1_0 or TLSv1_1 will >>> support a successful connection, but only if the maximum

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Jeremy Stanley
On 2019-10-29 13:29:02 +0100 (+0100), Michael Kesper wrote: > On 27.10.19 17:27, Drew Parsons wrote: > > On 2019-10-27 23:13, Daniele Tricoli wrote: [...] > > > Not an expert here, but I think fallback is not done on > > > purpose due downgrade attacks: > > >

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Ondrej Novy
Hi, út 29. 10. 2019 v 13:29 odesílatel Michael Kesper napsal: > > I see. Still an odd kind of protection though. The attacker can just > downgrade themselves. > > No. A sensible server will not talk to you if your requested SSL version > is too low. > pub.orcid.org seems to use absolutely

Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

2019-10-29 Thread Michael Kesper
Hi all, On 29.10.19 14:15, Jeremy Stanley wrote: > On 2019-10-29 13:29:02 +0100 (+0100), Michael Kesper wrote: >> On 27.10.19 17:27, Drew Parsons wrote: >>> On 2019-10-27 23:13, Daniele Tricoli wrote: > [...] Not an expert here, but I think fallback is not done on purpose due downgrade