Remove TLS 1.3 support in SecureTransport (urllib3#1703)

It's not actually supported by the OS. In other words, instead of trying TLS 1.3 and being forced to fallback on TLS 1.2, we just use TLS 1.2 by default.
Dobatymo · Oct 4, 2019 · 575b9c7 · 575b9c7
1 parent 3e6db1c
commit 575b9c7
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 21 deletions.
diff --git a/_travis/install.sh b/_travis/install.sh
@@ -29,9 +29,6 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then
 
     install_mac_python $MACPYTHON
 
-    # Enable TLS 1.3 on macOS
-    sudo defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1
-
     # Install Nox
     python3 -m pip install nox
 

diff --git a/src/urllib3/contrib/_securetransport/bindings.py b/src/urllib3/contrib/_securetransport/bindings.py
@@ -415,6 +415,7 @@ class SecurityConst(object):
     kTLSProtocol1 = 4
     kTLSProtocol11 = 7
     kTLSProtocol12 = 8
+    # SecureTransport does not support TLS 1.3 even if there's a constant for it
     kTLSProtocol13 = 10
     kTLSProtocolMaxSupported = 999
 

diff --git a/src/urllib3/contrib/securetransport.py b/src/urllib3/contrib/securetransport.py
@@ -144,13 +144,10 @@
 ]
 
 # Basically this is simple: for PROTOCOL_SSLv23 we turn it into a low of
-# TLSv1 and a high of TLSv1.3. For everything else, we pin to that version.
-# TLSv1 to 1.2 are supported on macOS 10.8+ and TLSv1.3 is macOS 10.13+
+# TLSv1 and a high of TLSv1.2. For everything else, we pin to that version.
+# TLSv1 to 1.2 are supported on macOS 10.8+
 _protocol_to_min_max = {
-    util.PROTOCOL_TLS: (
-        SecurityConst.kTLSProtocol1,
-        SecurityConst.kTLSProtocolMaxSupported,
-    )
+    util.PROTOCOL_TLS: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12)
 }
 
 if hasattr(ssl, "PROTOCOL_SSLv2"):
@@ -488,15 +485,7 @@ def handshake(
         result = Security.SSLSetProtocolVersionMin(self.context, min_version)
         _assert_no_error(result)
 
-        # TLS 1.3 isn't necessarily enabled by the OS
-        # so we have to detect when we error out and try
-        # setting TLS 1.3 if it's allowed. kTLSProtocolMaxSupported
-        # was added in macOS 10.13 along with kTLSProtocol13.
         result = Security.SSLSetProtocolVersionMax(self.context, max_version)
-        if result != 0 and max_version == SecurityConst.kTLSProtocolMaxSupported:
-            result = Security.SSLSetProtocolVersionMax(
-                self.context, SecurityConst.kTLSProtocol12
-            )
         _assert_no_error(result)
 
         # If there's a trust DB, we need to use it. We do that by telling
@@ -707,7 +696,7 @@ def version(self):
         )
         _assert_no_error(result)
         if protocol.value == SecurityConst.kTLSProtocol13:
-            return "TLSv1.3"
+            raise ssl.SSLError("SecureTransport does not support TLS 1.3")
         elif protocol.value == SecurityConst.kTLSProtocol12:
             return "TLSv1.2"
         elif protocol.value == SecurityConst.kTLSProtocol11:

diff --git a/test/contrib/test_securetransport.py b/test/contrib/test_securetransport.py
@@ -29,9 +29,8 @@ def teardown_module():
         pass
 
 
-# Currently TLSv1.3 doesn't work with SecureTransport despite
-# Apple previously documenting support. See:
-# https://github.com/python-trio/trio/issues/1165#issuecomment-526563135
+# SecureTransport does not support TLSv1.3
+# https://github.com/urllib3/urllib3/issues/1674
 from ..with_dummyserver.test_https import (  # noqa: F401
     TestHTTPS,
     TestHTTPS_TLSv1,