Issue 20996: Backport TLS 1.1 and 1.2 support for ssl_version (original) (raw)

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/65195

classification

process

Created on 2014-03-20 14:16 by dstufft, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg214241 - (view)	Author: Donald Stufft (dstufft) *	Date: 2014-03-20 14:16
Python 3.4 has constants and code to enable forcing the ssl_version to TLS 1.1 or 1.2. As it stands now Python 2.7, 3.2, and 3.3 can successfully connect and will use a TLS 1.1 or 1.2 connection if it's available (new enough OpenSSL) but cannot _force_ a connection to use TLS 1.1 or 1.2. It would be good to backport this from 3.4, it would involve adding constants to ssl.py, and minimal code to _ssl.c to handle actually forcing the TLS method.
msg214242 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2014-03-20 14:26
Two questions: - does it fix a bug in Python? - does it fix a security issue in Python?
msg214274 - (view)	Author: Alyssa Coghlan (ncoghlan) *	Date: 2014-03-20 20:31
Yes, I have been persuaded this fixes a security issue in the Python 2 ecosystem: the current barriers to good web security practices are too high. I have been vocal in pointing out that Python 2 will remain a commercially supported platform for at least another decade. However, for that to be a valid claim, it needs to be possible to make effective use of modern web protocols and security standards. This is a PEP level discussion though - I'll get something up by tomorrow.
msg226043 - (view)	Author: Alex Gaynor (alex) *	Date: 2014-08-28 21:31
This is resolved now.