Add support for TLS 1.3 to all HTTPSConnection implementations #1496
Codecov Report

    @@            Coverage Diff             @@
    ##           master    #1496      +/-   ##
    ==========================================
    - Coverage   99.94%   99.72%   -0.23%
    ==========================================
      Files          22       22
      Lines        1826     1810      -16
    ==========================================
    - Hits         1825     1805      -20
    - Misses          1        5       +4

Continue to review full report at Codecov.
@@ -124,7 +124,7 @@ | |||
# Basically this is simple: for PROTOCOL_SSLv23 we turn it into a low of | |||
# TLSv1 and a high of TLSv1.2. For everything else, we pin to that version. |
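Review bot: the comment in this hunk still says PROTOCOL_SSLv23 is turned into a low of TLSv1 and a high of TLSv1.2; with this PR adding TLS 1.3 to every HTTPSConnection implementation the stated high is stale and should read TLSv1.3 (or simply "the highest version the library supports" so it does not need updating next time).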
I think the high is now TLSv1.3
I'll update this. Also, is kTLSProtocol13 not available? I'm not sure when it was added to SecureTransport but I'm getting Illegal Parameter errors for using it. :(
https://developer.apple.com/documentation/security/sslprotocol/ktlsprotocol13?language=objc mentions macOS 10.13+, which is what Travis uses. That's all I know, sorry!
I need to still add the license of oscrypto to urllib3.contrib._securetransport.bindings
and remove the TLS 1.3 ciphers from our default cipher list as they're set by a different function that's not exposed by Python yet.
I rolled the IPv6 feature into this PR to avoid a monster of a merge conflict, if that's fine with reviewers. If we want to split that into its own PR I can do so.

Seeing the latest build on master fail for the same reason as this PR makes me feel better about this issue. Will have to investigate on master; it might be due to the new cryptography version?

cc @theacodes @shazow I think this PR is ready for another round of review. The requests downstream tests are failing both on our master and on requests master.
Nothing sticks out to me here.
Unfortunately I can't squash+merge myself due to CI failures. Windows had a transient failure and macOS Python is now failing to build cryptography wheels which I'll investigate outside of this PR. I'm ready for this to be merged anytime. Thanks reviewers! :)
Just to confirm, do you want me to use black magic to force merge?
> On Wed, Feb 27, 2019, 11:50 AM Seth Michael Larson wrote:
> Unfortunately I can't squash+merge myself due to CI failures. macOS Python is now failing to build cryptography wheels which I'll investigate outside of this PR. I'm ready for this to be merged anytime. Thanks reviewers! :)
@theacodes Yes please! ✨

Thanks for the fix! @theacodes @shazow @sethmlarson It looks like the last release was ~5 months ago. Is there any chance to get this released anytime soon?

@webknjaz The next release is pending #1531 and python-hyper/rfc3986#50.

@sethmlarson thanks for the hint!
…b3#1496)

* Add tests for specific TLS/SSL versions
* Add change and update bindings
* SSLSocket.version() not available sometimes
* Add support for kTLSProtocolMaxSupported
* Try setProtocolVersionMax again if error
* Get ctypes.c_uint.value for SSLSocket.version()
* Opt-in TLS 1.3 on macOS 10.13
* Update tornado to 5.1.1
* Add documentation updates for TLSv1.3
* Add wbond/oscrypto license to contrib/securetransport
* Remove all TLS 1.3 ciphersuites from DEFAULT_CIPHERS
* Experiment showing cipher list per protocol
* Update test_https.py
* Update test_https.py
* Update test_https.py
* Update changelog wording to exclude pyOpenSSL
* minor rewording
* Add support for IPv6 in subjectAltName
* Don't use OP_ALL
* Update CHANGES.rst
* No PROTOCOL_TLSv1_3
* Remove DSS, rearrange SecureTransport ciphers
* Use ECDSA before RSA with ECDHE
* Reorder ciphers
* ECDHE
* Update test_https.py
* Turns out we don't need version detection
* Reorder per Hynek's post and favor ephemeral
* Refactor HTTPS unit tests
* Fix up tests
* Test locking pytest-httpbin
* Update requests.sh
* remove whitespace
TLS 1.3 support came in OpenSSL 1.1.1 and Python 3.7 and we should start testing against it.
TLS 1.3 will be available under the following conditions:
Most of our users will be using TLS 1.3 through pyOpenSSL.
If TLS 1.3 is available and you don't hard-code a protocol version it'll be used by default.
Closes #1368
Closes #1386
Closes #1269
Closes #1451
Closes #1500
Closes #1537
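Two points in this thread are easy to get wrong when adopting TLS 1.3 from Python: the ciphersuite names for TLS 1.3 are configured by OpenSSL through a different call (SSL_CTX_set_ciphersuites) than the classic cipher list, which is why they had to be removed from DEFAULT_CIPHERS, and TLS 1.3 is only negotiated when the interpreter's OpenSSL supports it and the caller does not pin a lower version. The following is an added example written for this page, not urllib3's own code; the cipher string SAMPLE_CIPHERS and the helper names are constructed for illustration and are not urllib3's DEFAULT_CIPHERS.

```python
import ssl

# TLS 1.3 ciphersuite names as OpenSSL 1.1.1+ spells them. OpenSSL configures
# these through SSL_CTX_set_ciphersuites(), not SSL_CTX_set_cipher_list(), and
# Python's ssl module only exposes the latter (SSLContext.set_ciphers).
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Constructed sample (hypothetical, not urllib3's DEFAULT_CIPHERS): a cipher
# string that naively mixes TLS 1.2 suites with TLS 1.3 suite names.
SAMPLE_CIPHERS = (
    "TLS_AES_256_GCM_SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "!aNULL:!eNULL:!MD5"
)


def split_cipher_string(cipher_string):
    """Split a colon-separated cipher string into (tls12_list, tls13_list).

    The first part is what can be handed to SSLContext.set_ciphers(); the
    second is the TLS 1.3 names that must be dropped because Python exposes
    no call to set them (OpenSSL falls back to its built-in TLS 1.3 order)."""
    tls12, tls13 = [], []
    for name in cipher_string.split(":"):
        if not name:
            continue
        (tls13 if name in TLS13_SUITES else tls12).append(name)
    return ":".join(tls12), ":".join(tls13)


def set_ciphers_accepts(cipher_string):
    """True if the linked OpenSSL accepts cipher_string via set_ciphers().

    A string made only of TLS 1.3 names leaves the TLS 1.2 list empty, and
    OpenSSL 1.1.1+ rejects that; Python surfaces it as ssl.SSLError
    ('No cipher can be selected.')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def tls13_capability():
    """Report whether this interpreter can negotiate TLS 1.3 at all.

    ssl.HAS_TLSv1_3 (Python 3.7+) reflects the linked OpenSSL's support;
    older interpreters lack the attribute entirely, hence the getattr."""
    return {
        "python_has_tls13": bool(getattr(ssl, "HAS_TLSv1_3", False)),
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_version_info": ssl.OPENSSL_VERSION_INFO,
    }


def build_unpinned_context(cipher_string=SAMPLE_CIPHERS):
    """Client context that does not pin a maximum protocol version.

    Only the TLS 1.2-and-below names are passed to set_ciphers(); because
    maximum_version is left at MAXIMUM_SUPPORTED, TLS 1.3 is negotiated
    automatically whenever both sides support it."""
    ctx = ssl.create_default_context()
    tls12, _dropped_tls13 = split_cipher_string(cipher_string)
    ctx.set_ciphers(tls12)
    return ctx


if __name__ == "__main__":
    print(tls13_capability())
    print(split_cipher_string(SAMPLE_CIPHERS))
    print("mixed string accepted:", set_ciphers_accepts(SAMPLE_CIPHERS))
    print("TLS 1.3-only string accepted:",
          set_ciphers_accepts("TLS_AES_256_GCM_SHA384"))
    ctx = build_unpinned_context()
    print("max version:", ctx.maximum_version)
```

Running this on an interpreter linked against OpenSSL 1.1.1 or later shows the TLS 1.3-only string being rejected while the filtered TLS 1.2 list is accepted, and `tls13_capability()` is the quick check for whether a given Python build can reach TLS 1.3 at all before debugging a handshake.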