bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

tiran · 2018-05-18T19:53:21Z

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.

Also update multissltests and Travis config to test with latest OpenSSL.

Signed-off-by: Christian Heimes christian@python.org

https://bugs.python.org/issue33570

gpshead · 2018-05-20T16:29:52Z

Lib/test/test_asyncio/test_subprocess.py

@@ -73,6 +74,29 @@ def test_proc_exited(self):

        transport.close()

+    def test_subprocess_repr(self):


I don't think the changes in this file belong in this PR?

gpshead · 2018-05-20T16:29:52Z

Lib/test/test_ssl.py

@@ -3440,16 +3437,15 @@ def test_do_handshake_enotconn(self):
            self.assertEqual(cm.exception.errno, errno.ENOTCONN)

    def test_default_ciphers(self):


this is called test_default_ciphers but the test seems to be explicitly setting which ciphers are used so the name doesn't make much sense. I don't see any defaults. it appears to be testing that defaults can be overridden and that cipher negotiation fails properly?

if i'm misunderstanding, i suggest adding a comment to explain the test. :)

I agree that the test name doesn't reflect the test case. In fact I don't know the original intention of the test. Let's rename it to test_no_shared_ciphers

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>

tiran · 2018-05-22T19:55:57Z

@gpshead PR is ready

gpshead · 2018-05-22T20:03:38Z

i'll let you do the merging.

miss-islington · 2018-05-22T20:50:14Z

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6, 3.7.
🐍🍒⛏🤖

tiran · 2018-05-22T20:50:37Z

thx @gpshead
3.6 and 2.7 will need manual backporting

bedevere-bot · 2018-05-22T20:51:27Z

GH-7064 is a backport of this pull request to the 3.7 branch.

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit e8eb6cb) Co-authored-by: Christian Heimes <christian@python.org>

miss-islington · 2018-05-22T20:52:17Z

Sorry, @tiran, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker e8eb6cb7920ded66abc5d284319a8539bdc2bae3 2.7

miss-islington · 2018-05-22T20:53:17Z

Sorry, @tiran, I could not cleanly backport this to 3.6 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker e8eb6cb7920ded66abc5d284319a8539bdc2bae3 3.6

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit e8eb6cb) Co-authored-by: Christian Heimes <christian@python.org>

bedevere-bot · 2018-08-14T07:43:19Z

GH-8760 is a backport of this pull request to the 3.6 branch.

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>

…ythonGH-8760) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <christian@python.org>

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>

…ythonGH-8760) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <christian@python.org>

GH-10607) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <christian@python.org>

tiran added needs backport to 3.6 needs backport to 3.7 labels May 18, 2018

the-knights-who-say-ni added the CLA signed label May 18, 2018

bedevere-bot added the awaiting merge label May 18, 2018

tiran force-pushed the bpo-33570-tls13-ciphers branch from 2419687 to 999d316 Compare May 20, 2018

tiran requested a review from gpshead as a code owner May 20, 2018

tiran force-pushed the bpo-33570-tls13-ciphers branch from 33bdb1f to d897229 Compare May 20, 2018

gpshead reviewed May 20, 2018

View changes

tiran force-pushed the bpo-33570-tls13-ciphers branch 2 times, most recently from b69f2fd to 2fdba44 Compare May 20, 2018

tiran force-pushed the bpo-33570-tls13-ciphers branch from 2fdba44 to c412812 Compare May 22, 2018

gpshead approved these changes May 22, 2018

View changes

tiran merged commit e8eb6cb into python:master May 22, 2018

bedevere-bot removed the awaiting merge label May 22, 2018

tiran deleted the bpo-33570-tls13-ciphers branch May 22, 2018

bedevere-bot removed the needs backport to 3.7 label May 22, 2018

miss-islington assigned tiran May 22, 2018

bedevere-bot removed the needs backport to 3.6 label Aug 14, 2018

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

tiran commented May 18, 2018 •

edited by bedevere-bot

gpshead May 20, 2018

gpshead May 20, 2018

gpshead May 20, 2018

tiran May 20, 2018

tiran commented May 22, 2018

gpshead commented May 22, 2018

miss-islington commented May 22, 2018

tiran commented May 22, 2018

bedevere-bot commented May 22, 2018

miss-islington commented May 22, 2018

miss-islington commented May 22, 2018

bedevere-bot commented Aug 14, 2018

		@@ -73,6 +74,29 @@ def test_proc_exited(self):

		transport.close()

		def test_subprocess_repr(self):

		@@ -3440,16 +3437,15 @@ def test_do_handshake_enotconn(self):
		self.assertEqual(cm.exception.errno, errno.ENOTCONN)

		def test_default_ciphers(self):

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

Conversation

tiran commented May 18, 2018 • edited by bedevere-bot

gpshead May 20, 2018

Choose a reason for hiding this comment

gpshead May 20, 2018

Choose a reason for hiding this comment

gpshead May 20, 2018

Choose a reason for hiding this comment

tiran May 20, 2018

Choose a reason for hiding this comment

tiran commented May 22, 2018

gpshead commented May 22, 2018

miss-islington commented May 22, 2018

tiran commented May 22, 2018

bedevere-bot commented May 22, 2018

miss-islington commented May 22, 2018

miss-islington commented May 22, 2018

bedevere-bot commented Aug 14, 2018

tiran commented May 18, 2018 •

edited by bedevere-bot