Issue 32609: Add setter and getter for min/max protocol version

Created on 2018-01-21 14:00 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL: PR 5259; Status: open; Linked: christian.heimes, 2018-01-21 14:02
Messages (2)
msg310374 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-01-21 14:00
OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported protocol version. The API is easier to use than the old OP_NO_TLSv1 option flags, too.

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

Debian used the new setters to disable TLS 1.0 and 1.1 in testing, #31453. The old TLS versions have been enabled again for now. Python must expose the new API in case Debian decides to disable them again.

I would also like to deprecate the old OP_NO_TLSv1 et al. flags in favor of the new API. The option flags are awkward to use and easy to get wrong. For example, applications must not leave holes in the OP_NO range (e.g. allow TLS 1.0 and 1.2 but disable 1.1).
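Added example, not part of the issue or of the CPython patch: a migration helper that translates a legacy `OP_NO_*` bitmask into a minimum/maximum pair and rejects masks that leave a hole, such as the "TLS 1.0 and 1.2 but not 1.1" case in the message above. It assumes Python 3.7 or later, where the setters exist as `SSLContext.minimum_version` and `SSLContext.maximum_version` with `ssl.TLSVersion` values; the function names and sample masks are hypothetical.

```python
import ssl

# Versions in ascending order, each paired with its legacy "disable" flag.
# (SSLv2 is left out: ssl.TLSVersion has no member for it.)
_LADDER = [
    (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def enabled_versions(options):
    """Return the versions a legacy OP_NO_* bitmask leaves enabled."""
    return [v for v, flag in _LADDER if not options & flag]


def options_to_range(options):
    """Translate OP_NO_* flags to (minimum, maximum); reject holes."""
    enabled = enabled_versions(options)
    if not enabled:
        raise ValueError("every protocol version is disabled")
    lo, hi = enabled[0], enabled[-1]
    holes = [v.name for v, _ in _LADDER if lo < v < hi and v not in enabled]
    if holes:
        raise ValueError("hole in OP_NO range: " + ", ".join(holes))
    return lo, hi


def migrate(ctx, options):
    """Configure ctx with the min/max setters instead of OP_NO_* flags."""
    ctx.minimum_version, ctx.maximum_version = options_to_range(options)
    return ctx


if __name__ == "__main__":
    # Constructed sample masks, hypothetical legacy configurations.
    samples = {
        "TLS 1.2+": ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1,
        "1.0 and 1.2, no 1.1": ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_3,
    }
    for label, mask in samples.items():
        try:
            lo, hi = options_to_range(mask)
            print(f"{label}: minimum={lo.name} maximum={hi.name}")
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```
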
msg312919 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-26 11:43
bpo-31453 is the Debian issue that made me start to implement the setter and getter for min/max protocol version.
History
Date User Action Args
2022-04-11 14:58:56 admin set github: 76790
2018-02-26 11:43:04 christian.heimes set status: open -> closed; superseder: Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS; title: Add setter and getter for min/max protocol ersion -> Add setter and getter for min/max protocol version; messages: + ; versions: + Python 3.8; resolution: duplicate; stage: patch review -> resolved
2018-02-25 20:25:37 christian.heimes link issue27876 superseder
2018-01-21 14:02:47 christian.heimes set keywords: + patch; stage: needs patch -> patch review; pull_requests: + pull_request5106
2018-01-21 14:00:24 christian.heimes create