SSL (not TLS) is widely considered insecure and is also deprecated in the Python Docs (PROTOCOL_SSLv2, PROTOCOL_SSLv3).
Also, TLS 1.0 and 1.1 are deprecated in the latest version of major browsers (MDN Web Docs).
Thus, I think it is better to either remove its support or change it to be specified explicitly when used (such as via config and command-line args).
So there's more to address than actually phasing out this version param itself (as seen in #724, where a need for pinpointing only a part of the range arose), yet at the same time I believe that unless you specify any of the legacy protocols, they won't be downgraded to from a default TLS connection. Or at least not with the new PROTOCOL_TLS*, as should be the solution going forward (#1400).
The other side of things is e.g. PEP-0644, where since 3.10 (that's the current dependency) the OpenSSL 1.1.1 used no longer even supports any SSLv2 connections at all, if I understand it correctly, so trying to forcibly connect won't even work.
So keeping the legacy options around for some low-level testing is IMO legit, if they're not going to get degraded to from default settings. However, they don't necessarily have to function at all given the underlying OpenSSL/PEP changes over time.
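The question both posts turn on, whether a given `ssl.SSLContext` can still negotiate SSLv3, TLS 1.0 or TLS 1.1, can be checked from the context's own settings. The following is an added example, not part of the thread or of the project's code; `legacy_allowed`, `audit_context` and the `assume_built` parameter are hypothetical names introduced here.

```python
import ssl

V = ssl.TLSVersion
# Legacy versions named in the thread, each with its per-version disable
# flag and the flag saying whether the linked OpenSSL build still has it.
LEGACY = {
    V.SSLv3: (ssl.OP_NO_SSLv3, ssl.HAS_SSLv3),
    V.TLSv1: (ssl.OP_NO_TLSv1, ssl.HAS_TLSv1),
    V.TLSv1_1: (ssl.OP_NO_TLSv1_1, ssl.HAS_TLSv1_1),
}


def legacy_allowed(minimum, maximum, options, assume_built=None):
    """List legacy versions that these context settings do not exclude.

    assume_built=None uses the local build's HAS_* flags; True or False
    overrides them (True gives the worst case for any OpenSSL build).
    System-wide OpenSSL policy may restrict the result further.
    """
    allowed = []
    for version, (op_no, built) in LEGACY.items():
        if not (built if assume_built is None else assume_built):
            continue  # protocol is not available in the build at all
        if options & op_no:
            continue  # disabled through an OP_NO_* option
        if minimum != V.MINIMUM_SUPPORTED and version < minimum:
            continue  # below the pinned floor
        if maximum != V.MAXIMUM_SUPPORTED and version > maximum:
            continue  # above the pinned ceiling
        allowed.append(version.name)
    return allowed


def audit_context(ctx, assume_built=None):
    """Apply legacy_allowed() to a live ssl.SSLContext."""
    return legacy_allowed(ctx.minimum_version, ctx.maximum_version,
                          ctx.options, assume_built)


if __name__ == "__main__":
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("default client context:", audit_context(default_ctx))

    pinned_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    pinned_ctx.minimum_version = V.TLSv1_2  # explicit floor
    print("floor pinned to TLS 1.2:", audit_context(pinned_ctx))
```

An empty list means the context's settings rule out every legacy version; a non-empty list shows which ones would need an explicit `minimum_version` floor or opt-in setting.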