bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

tiran · 2018-05-18T19:53:21Z

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.

Also update multissltests and Travis config to test with latest OpenSSL.

Signed-off-by: Christian Heimes [email protected]

https://bugs.python.org/issue33570

gpshead · 2018-05-20T16:23:38Z

Lib/test/test_asyncio/test_subprocess.py

I don't think the changes in this file belong in this PR?

gpshead · 2018-05-20T16:27:49Z

Lib/test/test_ssl.py

this is called test_default_ciphers but the test seems to be explicitly setting which ciphers are used so the name doesn't make much sense. I don't see any defaults. it appears to be testing that defaults can be overridden and that cipher negotiation fails properly?

if i'm misunderstanding, i suggest adding a comment to explain the test. :)

I agree that the test name doesn't reflect the test case. In fact I don't know the original intention of the test. Let's rename it to test_no_shared_ciphers

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>

tiran · 2018-05-22T19:55:57Z

@gpshead PR is ready

gpshead · 2018-05-22T20:03:38Z

i'll let you do the merging.

miss-islington · 2018-05-22T20:50:14Z

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6, 3.7.
🐍🍒⛏🤖

tiran · 2018-05-22T20:50:37Z

thx @gpshead
3.6 and 2.7 will need manual backporting

bedevere-bot · 2018-05-22T20:51:27Z

GH-7064 is a backport of this pull request to the 3.7 branch.

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]> (cherry picked from commit e8eb6cb) Co-authored-by: Christian Heimes <[email protected]>

miss-islington · 2018-05-22T20:52:17Z

Sorry, @tiran, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker e8eb6cb7920ded66abc5d284319a8539bdc2bae3 2.7

miss-islington · 2018-05-22T20:53:17Z

Sorry, @tiran, I could not cleanly backport this to 3.6 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker e8eb6cb7920ded66abc5d284319a8539bdc2bae3 3.6

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]> (cherry picked from commit e8eb6cb) Co-authored-by: Christian Heimes <[email protected]>

bedevere-bot · 2018-08-14T07:43:19Z

GH-8760 is a backport of this pull request to the 3.6 branch.

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>

…ythonGH-8760) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <[email protected]>

GH-10607) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <[email protected]>

tiran added needs backport to 3.6 labels May 18, 2018

the-knights-who-say-ni added the CLA signed label May 18, 2018

bedevere-bot added the awaiting merge label May 18, 2018

tiran force-pushed the bpo-33570-tls13-ciphers branch from 2419687 to 999d316 Compare May 20, 2018 14:48

tiran requested a review from gpshead as a code owner May 20, 2018 15:56

tiran force-pushed the bpo-33570-tls13-ciphers branch from 33bdb1f to d897229 Compare May 20, 2018 16:21

gpshead reviewed May 20, 2018

View reviewed changes

tiran force-pushed the bpo-33570-tls13-ciphers branch 2 times, most recently from b69f2fd to 2fdba44 Compare May 20, 2018 19:24

tiran force-pushed the bpo-33570-tls13-ciphers branch from 2fdba44 to c412812 Compare May 22, 2018 19:09

gpshead approved these changes May 22, 2018

View reviewed changes

tiran merged commit e8eb6cb into python:master May 22, 2018

bedevere-bot removed the awaiting merge label May 22, 2018

tiran deleted the bpo-33570-tls13-ciphers branch May 22, 2018 20:50

bedevere-bot removed the needs backport to 3.7 label May 22, 2018

miss-islington assigned tiran May 22, 2018

bedevere-bot removed the needs backport to 3.6 label Aug 14, 2018

Uh oh!

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

Uh oh!

Conversation

tiran commented May 18, 2018 • edited by bedevere-bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gpshead May 20, 2018

Choose a reason for hiding this comment

Uh oh!

gpshead May 20, 2018

Choose a reason for hiding this comment

Uh oh!

gpshead May 20, 2018

Choose a reason for hiding this comment

Uh oh!

tiran May 20, 2018

Choose a reason for hiding this comment

Uh oh!

tiran commented May 22, 2018

Uh oh!

gpshead commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

tiran commented May 22, 2018

Uh oh!

bedevere-bot commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

bedevere-bot commented Aug 14, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

tiran commented May 18, 2018 •

edited by bedevere-bot

Loading