Issue 31518

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: ftplib, urllib2, poplib, httplib, urllib2_localnet use ssl.PROTOCOL_TLSv1 unconditionally
Type: behavior
Stage: resolved
Components: SSL
Versions: Python 3.7, Python 3.6, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: christian.heimes, doko
Priority: normal
Keywords: patch

Created on 2017-09-19 13:35 by doko, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL | Status | Linked
PR 3660 | merged | christian.heimes, 2017-09-19 18:55
PR 3661 | merged | christian.heimes, 2017-09-19 18:56
Messages (8)
msg302524 - Author: Matthias Klose (doko) (Python committer) Date: 2017-09-19 13:35
Debian's OpenSSL now disables TLS 1.0 and 1.1, letting some of the python tests fail.  Please make them use a newer protocol version, or make the use of the older versions conditional.
msg302526 - Author: Matthias Klose (doko) (Python committer) Date: 2017-09-19 13:39
failing tests: https://ci.debian.net/data/packages/unstable/amd64/p/python3.6/latest-autopkgtest/log.gz
msg302527 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-19 13:43
3.7 no longer uses PROTOCOL_TLSv1 except for test_ssl.py, see #31346.
By the way, Debian Sid/Buster broke support for SSL and TLS < 1.2, see #31453. There is no way to enable the protocols from Python.
msg302531 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-19 15:00
Two tests are failing in 3.7 branch:

======================================================================
ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2660, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2734, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)

----------------------------------------------------------------------

Matthias, is there any way to detect Debian's modifications of OpenSSL from header files or with an API call? Otherwise we have no way to reliably detect and correctly skip the test. At the moment there is no way to retrieve the minimum protocol from OpenSSL SSL_CTX. I landed an OpenSSL patch just a couple of days ago to add SSL_CTX_get_min_proto_version(), https://github.com/openssl/openssl/pull/4364
msg302558 - Author: Matthias Klose (doko) (Python committer) Date: 2017-09-19 19:02
Christian, I assume you'd like to see a test which can be done at *runtime*, not *buildtime*.  Assuming you have that openssl upstream patch available in your build dependency, would that help with the detection?  If yes, I'll talk to Debian's and Ubuntu's openssl maintainers to backport it, so the _ssl module could use it depending on a configure check.
msg302562 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-19 19:24
PR 3660 and PR 3661 address most of the failing tests. The two failures in msg302531 are discussed in issue #31453.
msg312766 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-24 23:45
New changeset aab225840360719516eca55a7a69cfee45aee2af by Christian Heimes in branch '3.6':
bpo-31518: Change TLS protocol for Debian (#3660)
https://github.com/python/cpython/commit/aab225840360719516eca55a7a69cfee45aee2af
msg312767 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-24 23:45
New changeset 8d4d17399fb82801eaaca5beeb97a19908b40222 by Christian Heimes in branch '2.7':
bpo-31518: Change TLS protocol for Debian (#3661)
https://github.com/python/cpython/commit/8d4d17399fb82801eaaca5beeb97a19908b40222
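
The runtime check asked for in msg302531 and msg302558, as an added example that is not part of the tracker thread or of CPython's test suite: it asks a context whether one protocol version falls inside its allowed range, so a test that pins an old version can be skipped instead of failing with TLSV1_ALERT_PROTOCOL_VERSION. It assumes Python 3.7 or later, where `ssl.SSLContext.minimum_version` and `maximum_version` exist, and that the platform's restriction is visible through that range, an `OP_NO_*` option or a `HAS_*` build flag; `version_allowed` and `requires_tls_version` are hypothetical names.

```python
import ssl
import unittest

# Real protocol versions -> (compiled-in flag, per-context "disable" option).
_VERSIONS = {
    ssl.TLSVersion.SSLv3: (ssl.HAS_SSLv3, ssl.OP_NO_SSLv3),
    ssl.TLSVersion.TLSv1: (ssl.HAS_TLSv1, ssl.OP_NO_TLSv1),
    ssl.TLSVersion.TLSv1_1: (ssl.HAS_TLSv1_1, ssl.OP_NO_TLSv1_1),
    ssl.TLSVersion.TLSv1_2: (ssl.HAS_TLSv1_2, ssl.OP_NO_TLSv1_2),
    ssl.TLSVersion.TLSv1_3: (ssl.HAS_TLSv1_3, ssl.OP_NO_TLSv1_3),
}


def version_allowed(version, ctx=None):
    """True if `ctx` (default: a fresh client context) may negotiate `version`."""
    compiled_in, op_no = _VERSIONS.get(version, (False, 0))
    if not compiled_in:
        return False                      # not built into the linked OpenSSL
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ctx.options & op_no:
        return False                      # switched off with an OP_NO_* flag
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are negative sentinels meaning
    # "no explicit bound"; comparing against them numerically would be wrong.
    if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
        return False
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
        return False
    return True


def requires_tls_version(version):
    """Hypothetical skip decorator for tests that pin one protocol version."""
    return unittest.skipUnless(
        version_allowed(version),
        f"{version.name} is disabled by the local TLS configuration",
    )


if __name__ == "__main__":
    # Report what the local Python/OpenSSL combination allows by default.
    for v in _VERSIONS:
        print(f"{v.name:8} allowed={version_allowed(v)}")
```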
History
Date | User | Action | Args
2022-04-11 14:58:52 | admin | set | github: 75699
2018-02-24 23:46:23 | christian.heimes | set | status: open -> closed; type: behavior; resolution: fixed; stage: patch review -> resolved
2018-02-24 23:45:56 | christian.heimes | set | messages: +msg312767
2018-02-24 23:45:26 | christian.heimes | set | messages: +msg312766
2017-09-19 19:24:40 | christian.heimes | set | messages: +msg302562
2017-09-19 19:02:16 | doko | set | messages: +msg302558
2017-09-19 18:56:55 | christian.heimes | set | pull_requests: +pull_request3650
2017-09-19 18:55:42 | christian.heimes | set | keywords: +patch; stage: patch review; pull_requests: +pull_request3649
2017-09-19 15:00:43 | christian.heimes | set | messages: +msg302531; versions: + Python 3.7
2017-09-19 13:43:32 | christian.heimes | set | messages: +msg302527; versions: - Python 3.7
2017-09-19 13:39:42 | doko | set | messages: +msg302526
2017-09-19 13:35:27 | doko | create |