Deprecate ssl_version option #2992

Merged
merged 1 commit into from May 11, 2023
tsaarni (Contributor) commented May 11, 2023

This change defaults SSLContext to Python's ssl.create_default_context() and marks the ssl_version option as deprecated. The option value will be ignored, and a warning will be printed to stderr. The reason for deprecation is that the ssl_version option depended on the old method of setting the TLS min/max version. The rationale for ignoring the given value is that the method no longer works well with modern Python versions. See discussion thread #2649 (comment).

As an alternative, the config file can be used to set the min/max values, for example:

```python
def ssl_context(conf, default_ssl_context_factory):
    import ssl
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    context.maximum_version = ssl.TLSVersion.TLSv1_3
    return context
```

Additionally, this PR fixes some documentation discrepancies by regenerating settings.rst from config.py. The PR also suggests a small modification to docs/gunicorn_ext.py that makes it possible to get sane defaults generated in settings.rst for the user, group and chdir options, which otherwise would reset to whatever was effective for the user who regenerated the documentation.

This change defaults SSLContext to Python's ssl.create_default_context() and
marks ssl_version option as deprecated. The option value will be ignored and
warning will be printed in stderr.

The ssl_version option was depending on old method of setting TLS min/max
version, which has not worked well anymore with modern Python versions.
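
A variation on the ssl_context hook from the PR description, added here as an example (not code from this PR or from gunicorn): it sets only a minimum TLS version, read from an environment variable, and rejects anything below TLS 1.2 instead of silently falling back. The variable name TLS_MIN_VERSION and the helpers resolve_floor and describe are assumptions made for this example.

```python
# gunicorn.conf.py (added example; not code from the gunicorn project)
import os
import ssl

# Hypothetical variable name chosen for this example (not a gunicorn setting).
ENV_VAR = "TLS_MIN_VERSION"

# Only modern protocol floors are accepted; anything else fails closed.
ALLOWED_FLOORS = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def resolve_floor(value):
    """Map a configured string to a TLSVersion, refusing unknown or legacy values."""
    try:
        return ALLOWED_FLOORS[value.strip()]
    except KeyError:
        raise ValueError(
            f"{ENV_VAR}={value!r} is not allowed; use one of {sorted(ALLOWED_FLOORS)}"
        ) from None


def ssl_context(conf, default_ssl_context_factory):
    """Gunicorn hook: start from the default context and raise the protocol floor."""
    context = default_ssl_context_factory()
    context.minimum_version = resolve_floor(os.environ.get(ENV_VAR, "1.2"))
    # maximum_version is left untouched so newer protocol versions stay negotiable.
    return context


def describe(context):
    """Return the effective version bounds, e.g. for a startup log line."""
    return context.minimum_version.name, context.maximum_version.name
```

Raising ValueError from the hook stops startup on a mistyped or legacy value, so a misconfiguration cannot go unnoticed the way the ignored ssl_version option would.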

benoitc (Owner) commented May 11, 2023

thanks for the documentation fixes and new default. Merging it as is :)

@benoitc benoitc merged commit b7242be into benoitc:master May 11, 2023
1 of 18 checks passed