| msg284504 - (view) |
Author: Christian Heimes (christian.heimes) *  |
Date: 2017-01-02 21:07 |
| OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols PROTOCOL_TLS (old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER are going to have TLS 1.3 enabled by default. In order to disable TLS 1.3, let's add OP_NO_TLSv1_3 to _ssl.c and guard it with #ifdef SSL_OP_NO_TLSv1_3 https://github.com/openssl/openssl/blob/d2e491f225d465b11f18a466bf399d4a899cb50e/include/openssl/ssl.h#L346 Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be available any time soon. I like to add the flag *after* the upcoming round of releases. |
|
|
| msg284509 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2017-01-02 21:58 |
| I think that's fine for 2.7. On Mon, Jan 2, 2017, at 13:07, Christian Heimes wrote: > > New submission from Christian Heimes: > > OpenSSL 1.1.1 is going to provide TLS 1.3. The preferred protocols > PROTOCOL_TLS (old name PROTOCOL_SSLv23), PROTOCOL_TLS_CLIENT and > PROTOCOL_TLS_SERVER are going to have TLS 1.3 enabled by default. In > order to disable TLS 1.3, let's add OP_NO_TLSv1_3 to _ssl.c and guard it > with #ifdef SSL_OP_NO_TLSv1_3 > > https://github.com/openssl/openssl/blob/d2e491f225d465b11f18a466bf399d4a899cb50e/include/openssl/ssl.h#L346 > > Benjamin, Larry, Ned, are you ok with a new flag? OpenSSL 1.1.1 won't be > available any time soon. I like to add the flag *after* the upcoming > round of releases. > > ---------- > assignee: christian.heimes > components: SSL > messages: 284504 > nosy: benjamin.peterson, christian.heimes, larry, ned.deily > priority: normal > severity: normal > stage: needs patch > status: open > title: Add OP_NO_TLSv1_3 > type: enhancement > versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7 > > _______________________________________ > Python tracker <report@bugs.python.org> > <http://bugs.python.org/issue29136> > _______________________________________ |
|
|
| msg286032 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-01-22 22:39 |
| memo to me: Update the TLS cipher list to include TLS 1.3 ciphers. TLS 1.3 uses a disjunct set of cipher suites. No member of the current cipher suite set is compatible with TLS 1.3. Handshake with TLS 1.3 enabled servers is going to fail. As of today OpenSSL 1.1.1-dev provides one of five TLS 1.3 ciphers: TLS13-AES-128-GCM-SHA256. TLS13-AES-256-GCM-SHA384 and TLS13-CHACHA20-POLY1305 are not yet implemented as are CCM block mode. |
|
|
| msg286094 - (view) |
Author: Alex Gaynor (alex) * |
Date: 2017-01-23 16:29 |
| We can easily just add `TLS13:...` at the from of our ciphersuite list and it'll be ok though right? (Note to self, do the same in urllib3, twisted, requests, god only knows what else) |
|
|
| msg286096 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-01-23 16:35 |
| No, of course it does not work (yet): $ LD_LIBRARY_PATH=. apps/openssl ciphers TLS13 Error in cipher list 140546693477888:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2100: |
|
|
| msg286239 - (view) |
Author: Cory Benfield (Lukasa) * |
Date: 2017-01-25 10:42 |
| For those who want to keep track, the relevant OpenSSL ticket for configuring TLSv1.3 cipher suites is https://github.com/openssl/openssl/issues/2276. |
|
|
| msg301654 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-08 00:10 |
| PR 1363 also introduced ssl.HAS_TLSv1_3 flag for unit tests. The flag is required because OpenSSL 1.1.1-dev can be compiled without TLS 1.3 support. The development version always defines OP_NO_TLSv1_3 to a non-zero value. Further more the PR adds a test for TLS 1.3. |
|
|
| msg301662 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-08 01:07 |
| New changeset cb5b68abdeb1b1d56c581d5b4d647018703d61e3 by Christian Heimes in branch 'master': bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363) https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3 |
|
|
| msg301674 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-08 03:23 |
| New changeset 9f2b3d4c2899f9caea2e47063061a76e460ac618 by Christian Heimes in branch '3.6': [3.6] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3444) https://github.com/python/cpython/commit/9f2b3d4c2899f9caea2e47063061a76e460ac618 |
|
|
| msg301678 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-08 05:31 |
| New changeset b9a860f3bf80b0d4a6c25d0f2f6ef849d9bf3594 by Christian Heimes in branch '2.7': [2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446) https://github.com/python/cpython/commit/b9a860f3bf80b0d4a6c25d0f2f6ef849d9bf3594 |
|
|
| msg301803 - (view) |
Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) *  |
Date: 2017-09-10 07:35 |
| In backport to 2.7 branch, ".. versionadded:: 2.7.15" and ".. versionchanged:: 2.7.15" were used. However, in backport to 3.6 branch, ".. versionadded:: 3.7" and ".. versionchanged:: 3.7" were used, instead of expected ".. versionadded:: 3.6.3" and ".. versionchanged:: 3.6.3". |
|
|
| msg301820 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-10 17:28 |
| Good catch, thanks! I'll update the documentation. |
|
|
| msg301828 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-10 19:14 |
| New changeset 28580316a57d1757978196c27286f989d21ec0f3 by Christian Heimes in branch '3.6': bpo-29136: Fix versionchange for TLS 1.3 changes (#3483) https://github.com/python/cpython/commit/28580316a57d1757978196c27286f989d21ec0f3 |
|
|
| msg301829 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-10 19:15 |
| Thanks, I fixed versionchanged. |
|
|