SSL sockets should provide a way to query the current protocol version (e.g. "TLSv1.2"). OpenSSL makes it easy through SSL_get_version().Open question is whether we return the string returned by SSL_get_version(), or we convert it to one of the constants ssl.PROTOCOL_XXX.

(slightly related: should ssl.PROTOCOL_xxx constants become enum members?)

We could actually use the undocumented "int SSL_version(const SSL *s)" and convert the return value to one of our favourite protocol constants.

Sounds good to me.

Ok, it came to me that converting to one of the PROTOCOL* constants can fail in the following case: Python is linked with an OpenSSL that supports a more recent protocol version than the ssl module is aware of. SSL_get_version() can then return a protocol (e.g. "TLSv1.3") that we don't know about, and have no way of converting to an existing constant.So perhaps we should really simply return the same string as OpenSSL?

Debatable. Maybe I'm +0.1 for returning the plain string. IMO when it comes to stdlib modules, enums are only really useful for converting integer constants.

Here is a patch. Doc updates still missing.

Updated patch with doc.

New changeset648685f8d5e9 by Antoine Pitrou in branch 'default':Issue#20421: Add a .version() method to SSL sockets exposing the actual protocol version in use.http://hg.python.org/cpython/rev/648685f8d5e9

Pushed to default.

Should this be backported to 2.7.9?

It's as you want, now. I don't think this is really important, though.

Attached patch backports it (only change is the use of `closing()` and resolving the conflict inMisc/NEWS). I'll leave it up to benjamin whether he wants to commit (input from others welcome). My view is to prefer backporting stuff since it helps keep the diff small.

New changeset16c86a6bdbe2 by Alex Gaynor in branch '2.7':Issue#20421: Add a .version() method to SSL sockets exposing the actual protocol version in use.http://hg.python.org/cpython/rev/16c86a6bdbe2