[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes
Christian Heimes added the comment: Ah, here we go: https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch Debian patched the default for SSL_CTX_set_min_proto_version(). The SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer
Adrian Vollmer added the comment: Okay, thanks for your time!

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes
Christian Heimes added the comment: Please report this issue to the Debian maintainers. I don't know how Debian has disabled TLS 1.0 and TLS 1.1 for the SSL_METHOD *TLS_method(void). It might not be possible to enable auto-negotiation for old protocols at all.

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer
Adrian Vollmer added the comment: Doesn't seem to do anything:

    >>> ctx.options
    2181170175L
    >>> ctx.options & ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    2181170175L

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes
Christian Heimes added the comment: You have to enable the protocols by applying a reverse bitmask to SSLContext.options:

    import ssl

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ctx.load_cert_chain('server.pem')
    # clear the "disable" bits for TLS 1.0 and TLS 1.1
    ctx.options &= ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    sslsock = ctx.wrap_socket(s,
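The reverse-bitmask advice above, the unchanged options value (2181170175L) further down this page, and the SSL_CTX_set_min_proto_version() finding at the top of the page describe two different knobs: OP_NO_* bits in SSLContext.options, and OpenSSL's min/max protocol version, which Python exposes as SSLContext.minimum_version and maximum_version. The example below is added here and is not code from the bug thread or from CPython. It assumes Python 3.7 or newer on OpenSSL 1.1.0 or newer (ssl.TLSVersion and the minimum_version property, which calls SSL_CTX_set_min_proto_version()); the function names, the REPORTED_OPTIONS constant and the choice of PROTOCOL_TLS_SERVER as the server-side counterpart of PROTOCOL_TLS are this example's own.

```python
"""Added example (not from the bug thread or CPython): decode what an
SSLContext.options value actually says about protocol versions, show why
the reverse mask was a no-op for the reporter, and move the protocol floor
through the knob that SSL_CTX_set_min_proto_version() controls.

Assumes Python 3.7+ on OpenSSL 1.1.0+. All names below are this example's own.
"""
import ssl

# Protocol ladder, lowest first: (label, OP_NO_* "disable" bit, TLSVersion).
# The OP_NO_* bits live in SSLContext.options; minimum_version/maximum_version
# are the Python side of SSL_CTX_set_min_proto_version()/..._max_...().
_LADDER = (
    ("SSLv3",   ssl.OP_NO_SSLv3,   ssl.TLSVersion.SSLv3),
    ("TLSv1",   ssl.OP_NO_TLSv1,   ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1, ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2, ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.OP_NO_TLSv1_3, ssl.TLSVersion.TLSv1_3),
)
_BY_LABEL = {label: ver for label, _, ver in _LADDER}

# The bits the thread's "reverse bitmask" clears.
LEGACY_NO_MASK = int(ssl.OP_NO_TLSv1) | int(ssl.OP_NO_TLSv1_1)

# The options value the reporter printed (2181170175L, i.e. 0x820203FF).
REPORTED_OPTIONS = 2181170175


def decode_no_bits(options):
    """Labels of the per-version OP_NO_* bits set in a raw options value."""
    return {label for label, bit, _ in _LADDER if int(options) & int(bit)}


def clear_legacy_no_bits(options):
    """The thread's reverse mask as a pure function. If OP_NO_TLSv1 and
    OP_NO_TLSv1_1 were never set, the value comes back unchanged, which is
    exactly what the reporter saw: the floor was not in options at all."""
    return int(options) & ~LEGACY_NO_MASK


def policy_versions(ctx):
    """Labels the context's policy permits: inside [minimum_version,
    maximum_version] and not disabled by an OP_NO_* bit. Whether the linked
    OpenSSL will actually negotiate each one (build flags such as
    ssl.HAS_TLSv1, the security level) is a separate question."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_val = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else int(lo)
    hi_val = 0xFFFF if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED else int(hi)
    opts = int(ctx.options)
    return [label for label, bit, ver in _LADDER
            if lo_val <= int(ver) <= hi_val and not opts & int(bit)]


def new_server_context():
    """PROTOCOL_TLS_SERVER: server-side counterpart of the thread's
    PROTOCOL_TLS (auto-negotiates the highest mutually supported version)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def set_protocol_range(ctx, floor_label, ceiling_label=None):
    """Move the protocol floor the way that works against an OpenSSL whose
    default min_proto_version has been raised: set SSLContext.minimum_version,
    which calls SSL_CTX_set_min_proto_version(). The reverse mask is applied
    too, so the function behaves the same on a build where the restriction
    really is an OP_NO_* bit. Returns (policy before, policy after). May raise
    ValueError if OpenSSL refuses the requested version (how the ssl module
    reports a failed SSL_CTX_set_min_proto_version())."""
    before = policy_versions(ctx)
    ctx.options &= ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)  # no-op if never set
    ctx.minimum_version = _BY_LABEL[floor_label]
    if ceiling_label is not None:
        ctx.maximum_version = _BY_LABEL[ceiling_label]
    return before, policy_versions(ctx)


if __name__ == "__main__":
    print("OP_NO_* bits in reported options:", decode_no_bits(REPORTED_OPTIONS) or "none")
    print("after reverse mask:", clear_legacy_no_bits(REPORTED_OPTIONS))
    ctx = new_server_context()
    print("default policy on this build:", policy_versions(ctx))
    try:
        before, after = set_protocol_range(ctx, "TLSv1")
        print("floor TLSv1 ->", after)
    except ValueError as exc:
        print("this OpenSSL will not accept a TLSv1 floor:", exc)
```

Two caveats when using this to chase the behaviour in the thread. First, Python 3.10 and later raise the same floor themselves (a plain SSLContext defaults minimum_version to TLS 1.2), so on a current interpreter the unchanged-options symptom appears even without a distribution patch; policy_versions() shows it, and set_protocol_range() is the knob that changes it. Second, moving the floor is a deliberate downgrade to protocols with known weaknesses, and OpenSSL 3 builds may still refuse TLS 1.0/1.1 at their default security level, which minimum_version does not override.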

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer
Adrian Vollmer added the comment: I read about that, but I don't understand. If I use openssl s_server -port , I can connect using either one of the three protocols. Even if that's the new default, is there no way now to get python on Buster/Sid to use OpenSSL in a non-default mode and

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes
Christian Heimes added the comment: Debian Buster has patched OpenSSL to disable TLS 1.0 and 1.1 by default, https://lists.debian.org/debian-devel-announce/2017/08/msg4.html

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer
Adrian Vollmer added the comment: Debian buster/sid

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer
New submission from Adrian Vollmer: According to the documentation (https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS), using ssl_version = ssl.PROTOCOL_TLS in a server socket should offer all TLS/SSL versions. However, it only offers TLSv1_2. I attached a proof of concept. $

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Alex Gaynor
Alex Gaynor added the comment: What operating system are you on?

nosy: +Alex Gaynor