[issue29136] Add OP_NO_TLSv1_3

2019-02-15 Thread Charalampos Stratakis


Change by Charalampos Stratakis :


--
pull_requests: +11911

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue29136] Add OP_NO_TLSv1_3

2017-09-10 Thread Christian Heimes

Christian Heimes added the comment:


New changeset 28580316a57d1757978196c27286f989d21ec0f3 by Christian Heimes in 
branch '3.6':
bpo-29136: Fix versionchange for TLS 1.3 changes (#3483)
https://github.com/python/cpython/commit/28580316a57d1757978196c27286f989d21ec0f3


--




[issue29136] Add OP_NO_TLSv1_3

2017-09-10 Thread Christian Heimes

Christian Heimes added the comment:

Thanks, I fixed versionchanged.

--
stage: patch review -> resolved
status: open -> closed
versions: +Python 2.7, Python 3.7




[issue29136] Add OP_NO_TLSv1_3

2017-09-10 Thread Christian Heimes

Changes by Christian Heimes :


--
pull_requests: +3473
stage: needs patch -> patch review




[issue29136] Add OP_NO_TLSv1_3

2017-09-10 Thread Christian Heimes

Christian Heimes added the comment:

Good catch, thanks! I'll update the documentation.

--
stage: resolved -> needs patch
status: closed -> open
versions:  -Python 2.7, Python 3.7




[issue29136] Add OP_NO_TLSv1_3

2017-09-10 Thread Arfrever Frehtes Taifersar Arahesis

Arfrever Frehtes Taifersar Arahesis added the comment:

In backport to 2.7 branch, ".. versionadded:: 2.7.15" and ".. versionchanged:: 
2.7.15" were used.

However, in backport to 3.6 branch, ".. versionadded:: 3.7" and ".. 
versionchanged:: 3.7" were used, instead of expected ".. versionadded:: 3.6.3" 
and ".. versionchanged:: 3.6.3".

--
nosy: +Arfrever




[issue29136] Add OP_NO_TLSv1_3

2017-09-08 Thread Christian Heimes

Changes by Christian Heimes :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue29136] Add OP_NO_TLSv1_3

2017-09-07 Thread Christian Heimes

Christian Heimes added the comment:


New changeset b9a860f3bf80b0d4a6c25d0f2f6ef849d9bf3594 by Christian Heimes in 
branch '2.7':
[2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446)
https://github.com/python/cpython/commit/b9a860f3bf80b0d4a6c25d0f2f6ef849d9bf3594


--




[issue29136] Add OP_NO_TLSv1_3

2017-09-07 Thread Christian Heimes

Christian Heimes added the comment:


New changeset 9f2b3d4c2899f9caea2e47063061a76e460ac618 by Christian Heimes in 
branch '3.6':
[3.6] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3444)
https://github.com/python/cpython/commit/9f2b3d4c2899f9caea2e47063061a76e460ac618


--




[issue29136] Add OP_NO_TLSv1_3

2017-09-07 Thread Christian Heimes

Changes by Christian Heimes :


--
pull_requests: +3442




[issue29136] Add OP_NO_TLSv1_3

2017-09-07 Thread Christian Heimes

Changes by Christian Heimes :


--
keywords: +patch
pull_requests: +3440
stage: needs patch -> patch review




[issue29136] Add OP_NO_TLSv1_3

2017-09-07 Thread Christian Heimes

Christian Heimes added the comment:


New changeset cb5b68abdeb1b1d56c581d5b4d647018703d61e3 by Christian Heimes in 
branch 'master':
bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3


--




[issue29136] Add OP_NO_TLSv1_3

2017-09-07 Thread Christian Heimes

Christian Heimes added the comment:

PR 1363 also introduced ssl.HAS_TLSv1_3 flag for unit tests. The flag is 
required because OpenSSL 1.1.1-dev can be compiled without TLS 1.3 support. The 
development version always defines OP_NO_TLSv1_3 to a non-zero value. 
Furthermore, the PR adds a test for TLS 1.3.

--
versions:  -Python 3.5




[issue29136] Add OP_NO_TLSv1_3

2017-04-30 Thread Christian Heimes

Changes by Christian Heimes :


--
pull_requests: +1473




[issue29136] Add OP_NO_TLSv1_3

2017-01-25 Thread Cory Benfield

Cory Benfield added the comment:

For those who want to keep track, the relevant OpenSSL ticket for configuring 
TLSv1.3 cipher suites is https://github.com/openssl/openssl/issues/2276.

--
nosy: +Lukasa




[issue29136] Add OP_NO_TLSv1_3

2017-01-23 Thread Christian Heimes

Christian Heimes added the comment:

No, of course it does not work (yet):

$ LD_LIBRARY_PATH=. apps/openssl ciphers TLS13
Error in cipher list
140546693477888:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2100:

--




[issue29136] Add OP_NO_TLSv1_3

2017-01-23 Thread Alex Gaynor

Alex Gaynor added the comment:

We can easily just add `TLS13:...` at the front of our ciphersuite list and 
it'll be ok though, right? (Note to self, do the same in urllib3, twisted, 
requests, god only knows what else)

--
nosy: +alex




[issue29136] Add OP_NO_TLSv1_3

2017-01-22 Thread Christian Heimes

Christian Heimes added the comment:

memo to me: Update the TLS cipher list to include TLS 1.3 ciphers. TLS 1.3 uses 
a disjunct set of cipher suites. No member of the current cipher suite set is 
compatible with TLS 1.3. Handshake with TLS 1.3 enabled servers is going to 
fail.

As of today OpenSSL 1.1.1-dev provides one of five TLS 1.3 ciphers: 
TLS13-AES-128-GCM-SHA256. TLS13-AES-256-GCM-SHA384 and TLS13-CHACHA20-POLY1305 
are not yet implemented as are CCM block mode.

--




[issue29136] Add OP_NO_TLSv1_3

2017-01-02 Thread Benjamin Peterson

Benjamin Peterson added the comment:

I think that's fine for 2.7.

On Mon, Jan 2, 2017, at 13:07, Christian Heimes wrote:
> 
> New submission from Christian Heimes:
> 
> OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols
> PROTOCOL_TLS (old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and
> PROTOCOL_TLS_SERVER are going to have TLS 1.3 enabled by default. In
> order to disable TLS 1.3, let's add OP_NO_TLSv1_3 to _ssl.c and guard it
> with #ifdef SSL_OP_NO_TLSv1_3
> 
> https://github.com/openssl/openssl/blob/d2e491f225d465b11f18a466bf399d4a899cb50e/include/openssl/ssl.h#L346
> 
> Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be
> available any time soon. I like to add the flag *after* the upcoming
> round of releases.
> 
> --
> assignee: christian.heimes
> components: SSL
> messages: 284504
> nosy: benjamin.peterson, christian.heimes, larry, ned.deily
> priority: normal
> severity: normal
> stage: needs patch
> status: open
> title: Add OP_NO_TLSv1_3
> type: enhancement
> versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7
> 

--




[issue29136] Add OP_NO_TLSv1_3

2017-01-02 Thread Christian Heimes

New submission from Christian Heimes:

OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols PROTOCOL_TLS 
(old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER are 
going to have TLS 1.3 enabled by default. In order to disable TLS 1.3, let's 
add OP_NO_TLSv1_3 to _ssl.c and guard it with #ifdef SSL_OP_NO_TLSv1_3

https://github.com/openssl/openssl/blob/d2e491f225d465b11f18a466bf399d4a899cb50e/include/openssl/ssl.h#L346

Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be 
available any time soon. I like to add the flag *after* the upcoming round of 
releases.

--
assignee: christian.heimes
components: SSL
messages: 284504
nosy: benjamin.peterson, christian.heimes, larry, ned.deily
priority: normal
severity: normal
stage: needs patch
status: open
title: Add OP_NO_TLSv1_3
type: enhancement
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7

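
An added example (not code from this tracker thread or from CPython) for the flag requested in the original submission and the ssl.HAS_TLSv1_3 note earlier in the thread: it builds a ClientHello in memory and checks whether TLS 1.3 is still offered once OP_NO_TLSv1_3 is set. The helper names and the placeholder host name example.invalid are assumptions, and the parser assumes the hello fits in a single TLS record.

```python
import ssl
import struct

TLS13 = 0x0304  # wire value of TLS 1.3 in supported_versions

def build_context(disable_tls13):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_tls13:
        # The flag from this issue. Python 3.10+ deprecates the OP_NO_* flags in
        # favour of ctx.maximum_version = ssl.TLSVersion.TLSv1_2.
        ctx.options |= ssl.OP_NO_TLSv1_3
    return ctx

def client_hello(ctx):
    """Return the ClientHello record this context emits, without any network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.invalid" is a placeholder name; nothing is resolved or contacted.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and the client now waits for a reply
    return outgoing.read()

def offered_versions(record):
    """Parse the supported_versions extension (type 43) of a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32    # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]  # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]  # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:
            body = record[pos + 1:pos + ext_len]  # skip the 1-byte list length
            return [v for (v,) in struct.iter_unpack("!H", body)]
        pos += ext_len
    return []  # extension absent: the client can negotiate TLS 1.2 at most

def offers_tls13(ctx):
    return TLS13 in offered_versions(client_hello(ctx))

if __name__ == "__main__":
    print("HAS_TLSv1_3:", ssl.HAS_TLSv1_3)
    print("default context offers TLS 1.3:", offers_tls13(build_context(False)))
    print("with OP_NO_TLSv1_3:            ", offers_tls13(build_context(True)))
```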