Add support for TLS 1.3 to all HTTPSConnection implementations #1496
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1496 +/- ##
==========================================
- Coverage 99.94% 99.72% -0.23%
==========================================
Files 22 22
Lines 1826 1810 -16
==========================================
- Hits 1825 1805 -20
- Misses 1 5 +4
Continue to review full report at Codecov.
|
| @@ -124,7 +124,7 @@ | |||
| # Basically this is simple: for PROTOCOL_SSLv23 we turn it into a low of | |||
| # TLSv1 and a high of TLSv1.2. For everything else, we pin to that version. | |||
There was a problem hiding this comment.
I think the high is now TLSv1.3
There was a problem hiding this comment.
I'll update this. Also is kTLSProtocol13 not available? I'm not sure when it was added to SecureTransport but I'm getting Illegal Parameter errors for using it. :(
There was a problem hiding this comment.
https://developer.apple.com/documentation/security/sslprotocol/ktlsprotocol13?language=objc mentions macOS 10.13+, which is what Travis uses. That's all I know, sorry!
|
I rolled the IPv6 feature into this PR to avoid a monster of a merge conflict if that's fine with reviewers. If we want to split that into it's own PR I can do so. |
|
After seeing the latest build on master fail for the same reason as this PR makes me feel better about this issue. Will have to investigate on master, might be due to the new cryptography version? |
|
cc @theacodes @shazow I think this PR is ready for another round of review. The failures on the requests downstream tests are failing both on our master and on requests master. |
sethmlarson
requested review from
shazow and
theacodes
and removed request for
shazow
|
Unfortunately I can't squash+merge myself due to CI failures. Windows had a transient failure and macOS Python is now failing to build cryptography wheels which I'll investigate outside of this PR. I'm ready for this to be merged anytime. Thanks reviewers! :) |
|
Just to confirm, do you want me to use black magic to force merge?
…On Wed, Feb 27, 2019, 11:50 AM Seth Michael Larson ***@***.***> wrote:
Unfortunately I can't squash+merge myself due to CI failures. macOS Python
is now failing to build cryptography wheels which I'll investigate outside
of this PR. I'm ready for this to be merged anytime.
Thanks reviewers! :)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1496 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAPUc2mXBeNvTYl88OSqYv9vS2IkwR9zks5vRtOSgaJpZM4ZHw_c>
.
|
|
@theacodes Yes please! ✨ |
|
Thanks for the fix! @theacodes @shazow @sethmlarson It looks like the last release was ~5 months ago. Is there any chance to get this released anytime soon? |
|
@webknjaz The next release is pending #1531 and python-hyper/rfc3986#50. |
|
@sethmlarson thanks for the hint! |
…b3#1496) * Add tests for specific TLS/SSL versions * Add change and update bindings * SSLSocket.version() not available sometimes * Add support for kTLSProtocolMaxSupported * Try setProtocolVersionMax again if error * Get ctypes.c_uint.value for SSLSocket.version() * Opt-in TLS 1.3 on macOS 10.13 * Update tornado to 5.1.1 * Add documentation updates for TLSv1.3 * Add wbond/oscrypto license to contrib/securetransport * Remove all TLS 1.3 ciphersuites from DEFAULT_CIPHERS * Experiment showing cipher list per protocol * Update test_https.py * Update test_https.py * Update test_https.py * Update changelog wording to exclude pyOpenSSL * minor rewording * Add support for IPv6 in subjectAltName * Don't use OP_ALL * Update CHANGES.rst * No PROTOCOL_TLSv1_3 * Remove DSS, rearrange SecureTransport ciphers * Use ECDSA before RSA with ECDHE * ReviReorder ciphers * ECDHE * Update test_https.py * Turns out we don't need version detection * Reorder per Hyneks post and favor ephemeral * Refactor HTTPS unit tests * Fix up tests * Test locking pytest-httpbin * Update requests.sh * remove whitespace
TLS 1.3 support came in OpenSSL 1.1.1 and Python 3.7 and we should start testing against it.
TLS 1.3 will be available under the following conditions:
Most of our users will be using TLS 1.3 through pyOpenSSL.
If TLS 1.3 is available and you don't hard-code a protocol version it'll be used by default.
Closes #1368
Closes #1386
Closes #1269
Closes #1451
Closes #1500
Closes #1537