diff --git a/_travis/install.sh b/_travis/install.sh
index 73080d3e25..a2ceffaf04 100755
--- a/_travis/install.sh
+++ b/_travis/install.sh
@@ -29,9 +29,6 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then
 install_mac_python $MACPYTHON
- # Enable TLS 1.3 on macOS
- sudo defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1
-
 # Install Nox
 python3 -m pip install nox
diff --git a/src/urllib3/contrib/_securetransport/bindings.py b/src/urllib3/contrib/_securetransport/bindings.py
index b46e1e3b5d..d9b6733318 100644
--- a/src/urllib3/contrib/_securetransport/bindings.py
+++ b/src/urllib3/contrib/_securetransport/bindings.py
@@ -415,6 +415,7 @@ class SecurityConst(object):
 kTLSProtocol1 = 4
 kTLSProtocol11 = 7
 kTLSProtocol12 = 8
+ # SecureTransport does not support TLS 1.3 even if there's a constant for it
 kTLSProtocol13 = 10
 kTLSProtocolMaxSupported = 999
diff --git a/src/urllib3/contrib/securetransport.py b/src/urllib3/contrib/securetransport.py
index 24e6b5c4d9..87d844afa7 100644
--- a/src/urllib3/contrib/securetransport.py
+++ b/src/urllib3/contrib/securetransport.py
@@ -144,13 +144,10 @@
 ]
 # Basically this is simple: for PROTOCOL_SSLv23 we turn it into a low of
-# TLSv1 and a high of TLSv1.3. For everything else, we pin to that version.
-# TLSv1 to 1.2 are supported on macOS 10.8+ and TLSv1.3 is macOS 10.13+
+# TLSv1 and a high of TLSv1.2. For everything else, we pin to that version.
+# TLSv1 to 1.2 are supported on macOS 10.8+
 _protocol_to_min_max = {
- util.PROTOCOL_TLS: (
- SecurityConst.kTLSProtocol1,
- SecurityConst.kTLSProtocolMaxSupported,
- )
+ util.PROTOCOL_TLS: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12)
 }
 if hasattr(ssl, "PROTOCOL_SSLv2"):
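Review bot: The untouched first comment line above the rewritten ones still says "for PROTOCOL_SSLv23", while the key on the changed dictionary line is `util.PROTOCOL_TLS`; since the commit is already rewording this comment, align that line too, e.g. `# Basically this is simple: for PROTOCOL_TLS (urllib3's PROTOCOL_SSLv23 alias) we turn it into a low of`. With the high now pinned to `SecurityConst.kTLSProtocol12`, `SecurityConst.kTLSProtocolMaxSupported` no longer has a use in the part of this module that is visible here; if that holds for the whole file, a short comment at its definition in bindings.py noting it is retained only to mirror the Apple enum, not used for version pinning, would stop the next reader from reintroducing it as a "max". The remaining entries of `_protocol_to_min_max` (the SSLv2/SSLv3/TLSv1.x branches) lie past the end of this hunk, so I could not confirm that none of them still maps to kTLSProtocolMaxSupported.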
@@ -488,15 +485,7 @@ def handshake(
 result = Security.SSLSetProtocolVersionMin(self.context, min_version)
 _assert_no_error(result)
- # TLS 1.3 isn't necessarily enabled by the OS
- so we have to detect when we error out and try
- setting TLS 1.3 if it's allowed. kTLSProtocolMaxSupported
- was added in macOS 10.13 along with kTLSProtocol13.
 result = Security.SSLSetProtocolVersionMax(self.context, max_version)
- if result != 0 and max_version == SecurityConst.kTLSProtocolMaxSupported:
- result = Security.SSLSetProtocolVersionMax(
- self.context, SecurityConst.kTLSProtocol12
- )
 _assert_no_error(result)
 # If there's a trust DB, we need to use it. We do that by telling
@@ -707,7 +696,7 @@ def version(self):
 )
 _assert_no_error(result)
 if protocol.value == SecurityConst.kTLSProtocol13:
- return "TLSv1.3"
+ raise ssl.SSLError("SecureTransport does not support TLS 1.3")
 elif protocol.value == SecurityConst.kTLSProtocol12:
 return "TLSv1.2"
 elif protocol.value == SecurityConst.kTLSProtocol11:
diff --git a/test/contrib/test_securetransport.py b/test/contrib/test_securetransport.py
index de5ce7c777..cecd32b9ea 100644
--- a/test/contrib/test_securetransport.py
+++ b/test/contrib/test_securetransport.py
@@ -29,9 +29,8 @@ def teardown_module():
 pass
-# Currently TLSv1.3 doesn't work with SecureTransport despite
-# Apple previously documenting support. See:
-# https://github.com/python-trio/trio/issues/1165#issuecomment-526563135
+# SecureTransport does not support TLSv1.3
+# https://github.com/urllib3/urllib3/issues/1674
 from ..with_dummyserver.test_https import ( # noqa: F401
 TestHTTPS,
 TestHTTPS_TLSv1,
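Review bot: Raising `ssl.SSLError` from `version()` surfaces the unsupported protocol only when a caller asks for the version string, which is after the handshake has completed and the connection is already usable; if the intent is to refuse TLS 1.3 sessions, the negotiated protocol is better checked in `handshake()` right after the handshake succeeds, where the caller still treats a failure as "not connected" and can close the socket before any application data is sent. If `version()` is meant to stay informational, the raise is still unexpected for a query method and should be documented with a docstring line such as `Raises ssl.SSLError if SecureTransport negotiated TLS 1.3, which this backend does not support.`; the head of `version` is above this hunk, so I cannot see whether a docstring already exists. Because the hunk at `_protocol_to_min_max` now caps the maximum at `SecurityConst.kTLSProtocol12`, this branch should be unreachable in practice, and a comment saying it is a defensive check rather than an expected path would make that clear.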