[New-bugs-announce] [issue32609] Add setter and getter for min/max protocol version
Christian Heimes
report at bugs.python.org
Sun Jan 21 09:00:24 EST 2018
New submission from Christian Heimes <lists at cheimes.de>:
OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported protocol version. The API is easier to use than the old OP_NO_TLSv1 option flags, too.
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html
Debian used the new setters to disable TLS 1.0 and 1.1 in testing, #31453. The old TLS versions have been enabled again for now. Python must expose the new API in case Debian decides to disable them again.
I would also like to deprecate the old OP_NO_TLSv1 et al. flags in favor of the new API. The option flags are awkward to use and easy to get wrong. For example, applications must not leave holes in the OP_NO range (e.g. allow TLS 1.0 and 1.2 but disable 1.1).
----------
assignee: christian.heimes
components: SSL
messages: 310374
nosy: christian.heimes
priority: normal
severity: normal
stage: needs patch
status: open
title: Add setter and getter for min/max protocol version
type: enhancement
versions: Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32609>
_______________________________________
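
Added example, not part of the original message or of any CPython patch: a check for the "hole" mistake described above, plus a translation from a legacy OP_NO_* bitmask to a minimum/maximum pair. It assumes Python 3.7 or later, where the ssl module provides ssl.TLSVersion and SSLContext.minimum_version / maximum_version; the helper names and the sample masks are constructed for illustration.

```python
import ssl

# Legacy opt-out flags, ordered from oldest to newest protocol version.
# SSLv2/SSLv3 flags are ignored here; only the TLS range is audited.
LEGACY_FLAGS = [
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]

def enabled_versions(options):
    """TLS versions that an OP_NO_* bitmask leaves enabled, oldest first."""
    return [ver for ver, flag in LEGACY_FLAGS if not options & flag]

def has_hole(options):
    """True if a disabled version sits between two enabled ones."""
    state = [not options & flag for _, flag in LEGACY_FLAGS]
    if True not in state:
        return False
    first = state.index(True)
    last = len(state) - 1 - state[::-1].index(True)
    return not all(state[first:last + 1])

def to_range(options):
    """Translate a bitmask into (minimum, maximum); reject unusable masks."""
    versions = enabled_versions(options)
    if not versions:
        raise ValueError("every TLS version is disabled")
    if has_hole(options):
        raise ValueError("hole in the OP_NO_* range")
    return versions[0], versions[-1]

def apply_range(ctx, options):
    """Configure ctx with the min/max setters instead of option flags."""
    ctx.minimum_version, ctx.maximum_version = to_range(options)
    return ctx

if __name__ == "__main__":
    # Constructed masks: the first leaves TLS 1.0 and 1.2 on with 1.1 off.
    holed = ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_3
    clean = ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    print("holed mask has hole:", has_hole(holed))
    ctx = apply_range(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), clean)
    print("range:", ctx.minimum_version.name, "to", ctx.maximum_version.name)
```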