Requests now forcing TLS 1.2 on Python 3.6.10 #5555

Closed
cleebp opened this issue Aug 11, 2020 · 2 comments

cleebp commented Aug 11, 2020

Due to the changes in this PR that made it into release 2.24.0 our stack went from using TLS 1.3 through pyopenssl to TLS 1.2 through the new requests/ssl path that is forced when ssl has SNI. This occurs when using Python 3.6.10.

Expected Result

On Python 3.6.10 with pyopenssl installed requests should use the highest TLS available, 1.3 (from pyopenssl), not 1.2 (from ssl).

Actual Result

On Python 3.6.10 TLS 1.2 is being used from ssl.

Reproduction Steps

import requests
tls_actual = requests.get('https://www.howsmyssl.com/a/check', verify=False).json()['tls_version']
print(tls_actual)

You can run the above easily from py36/py37 to observe the difference using conda:

  • conda create -n py36-test requests=2.24.0 python=3.6.10 pyopenssl=19.10.1
    • Output: TLS 1.2
  • conda create -n py37-test requests=2.24.0 python=3.7 pyopenssl=19.10.1
    • Output: TLS 1.3

System Information

$ python -m requests.help
{
  "chardet": {
    "version": "3.0.4"
  },
  "cryptography": {
    "version": "2.8"
  },
  "idna": {
    "version": "2.10"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.6.10"
  },
  "platform": {
    "release": "10",
    "system": "Windows"
  },
  "pyOpenSSL": {
    "openssl_version": "1010105f",
    "version": "19.1.0"
  },
  "requests": {
    "version": "2.24.0"
  },
  "system_ssl": {
    "version": "1000214f"
  },
  "urllib3": {
    "version": "1.25.9"
  },
  "using_pyopenssl": true
}

Note: this really isn't a blocker for us at all since we are currently upgrading from Python 3.6.10 -> 3.7 which fixes the issue since the 3.7 ssl has TLS 1.3 support. But for any users using Python 3.6.10 there may be unexpected consequences from this update.

Member

nateprewitt commented Aug 11, 2020

Hey @cleebp,

Thanks for bringing this up! I don't think we'd taken this into account when pushing pyopenssl to the background. You can still opt into using pyopenssl on 3.6 with:

from urllib3.contrib import pyopenssl
pyopenssl.inject_into_urllib3()

It may be worth adding some kind of messaging around a potential TLS downgrade but I don't know if a warning is too invasive.
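Added example (not part of the thread and not code from the requests project): a stdlib-only check that decodes the two OpenSSL version numbers in the `python -m requests.help` report above and tells whether the stdlib `ssl` path lacks TLS 1.3 while the pyOpenSSL path has it. It assumes the OpenSSL 1.x hex layout `MNNFFPPS` and that TLS 1.3 needs OpenSSL 1.1.1 or later; the function names are hypothetical. The `using_pyopenssl` flag is ignored because the report shows it as true while TLS 1.2 was negotiated.

```python
import json

# Constructed sample: the relevant fields of the requests.help output quoted in the issue.
SAMPLE_HELP = json.loads("""{
  "pyOpenSSL": {"openssl_version": "1010105f", "version": "19.1.0"},
  "system_ssl": {"version": "1000214f"}, "using_pyopenssl": true
}""")

TLS13_MIN = (1, 1, 1)  # TLS 1.3 support arrived in OpenSSL 1.1.1


def parse_openssl_hex(hexver):
    """Decode an OpenSSL 1.x version number (hex MNNFFPPS) to (major, minor, fix, patch)."""
    n = int(hexver, 16)
    return ((n >> 28) & 0xF, (n >> 20) & 0xFF, (n >> 12) & 0xFF, (n >> 4) & 0xFF)


def pretty(hexver):
    """Render '1000214f' as '1.0.2t'; patch 1..26 maps to 'a'..'z', 0 to no letter."""
    if not hexver:
        return None
    major, minor, fix, patch = parse_openssl_hex(hexver)
    letter = chr(ord("a") + patch - 1) if 1 <= patch <= 26 else ""
    return f"{major}.{minor}.{fix}{letter}"


def supports_tls13(hexver):
    """True when the OpenSSL build is new enough to negotiate TLS 1.3."""
    return bool(hexver) and parse_openssl_hex(hexver)[:3] >= TLS13_MIN


def assess(help_info):
    """Compare the OpenSSL behind stdlib ssl with the one pyOpenSSL is linked against."""
    system_hex = help_info.get("system_ssl", {}).get("version", "")
    pyossl_hex = (help_info.get("pyOpenSSL") or {}).get("openssl_version") or ""
    return {
        "system_ssl": pretty(system_hex),
        "pyopenssl": pretty(pyossl_hex),
        "system_tls13": supports_tls13(system_hex),
        "pyopenssl_tls13": supports_tls13(pyossl_hex),
        # Only the stdlib path lacks TLS 1.3, so opting back into pyOpenSSL restores it.
        "opt_in_restores_tls13": supports_tls13(pyossl_hex) and not supports_tls13(system_hex),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_HELP), indent=2))
```

Pipe a saved `python -m requests.help` report through `assess(json.load(...))` to run the same comparison on another host.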

@nateprewitt
Member

Resolving since we haven't seen any further feedback on this and it's easily resolvable by the end user.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 29, 2021