bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

tiran · 2018-05-18T19:53:21Z

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.

Also update multissltests and Travis config to test with latest OpenSSL.

Signed-off-by: Christian Heimes [email protected]

https://bugs.python.org/issue33570

gpshead · 2018-05-20T16:23:38Z

Lib/test/test_asyncio/test_subprocess.py

@@ -73,6 +74,29 @@ def test_proc_exited(self):

        transport.close()

+    def test_subprocess_repr(self):


I don't think the changes in this file belong in this PR?

gpshead · 2018-05-20T16:27:49Z

Lib/test/test_ssl.py

@@ -3440,16 +3437,15 @@ def test_do_handshake_enotconn(self):
            self.assertEqual(cm.exception.errno, errno.ENOTCONN)

    def test_default_ciphers(self):


this is called test_default_ciphers but the test seems to be explicitly setting which ciphers are used so the name doesn't make much sense. I don't see any defaults. it appears to be testing that defaults can be overridden and that cipher negotiation fails properly?

if i'm misunderstanding, i suggest adding a comment to explain the test. :)

I agree that the test name doesn't reflect the test case. In fact I don't know the original intention of the test. Let's rename it to test_no_shared_ciphers

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>

tiran · 2018-05-22T19:55:57Z

@gpshead PR is ready

gpshead · 2018-05-22T20:03:38Z

i'll let you do the merging.

miss-islington · 2018-05-22T20:50:14Z

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6, 3.7.
🐍🍒⛏🤖

tiran · 2018-05-22T20:50:37Z

thx @gpshead
3.6 and 2.7 will need manual backporting

bedevere-bot · 2018-05-22T20:51:27Z

GH-7064 is a backport of this pull request to the 3.7 branch.

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]> (cherry picked from commit e8eb6cb) Co-authored-by: Christian Heimes <[email protected]>

miss-islington · 2018-05-22T20:52:17Z

Sorry, @tiran, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker e8eb6cb7920ded66abc5d284319a8539bdc2bae3 2.7

miss-islington · 2018-05-22T20:53:17Z

Sorry, @tiran, I could not cleanly backport this to 3.6 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker e8eb6cb7920ded66abc5d284319a8539bdc2bae3 3.6

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]> (cherry picked from commit e8eb6cb) Co-authored-by: Christian Heimes <[email protected]>

bedevere-bot · 2018-08-14T07:43:19Z

GH-8760 is a backport of this pull request to the 3.6 branch.

Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>

…ythonGH-8760) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <[email protected]>

GH-10607) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <[email protected]>

tiran added needs backport to 3.6 labels May 18, 2018

the-knights-who-say-ni added the CLA signed label May 18, 2018

bedevere-bot added the awaiting merge label May 18, 2018

tiran force-pushed the bpo-33570-tls13-ciphers branch from 2419687 to 999d316 Compare May 20, 2018 14:48

tiran requested a review from gpshead as a code owner May 20, 2018 15:56

tiran force-pushed the bpo-33570-tls13-ciphers branch from 33bdb1f to d897229 Compare May 20, 2018 16:21

gpshead reviewed May 20, 2018

View reviewed changes

tiran force-pushed the bpo-33570-tls13-ciphers branch 2 times, most recently from b69f2fd to 2fdba44 Compare May 20, 2018 19:24

tiran force-pushed the bpo-33570-tls13-ciphers branch from 2fdba44 to c412812 Compare May 22, 2018 19:09

gpshead approved these changes May 22, 2018

View reviewed changes

tiran merged commit e8eb6cb into python:master May 22, 2018

bedevere-bot removed the awaiting merge label May 22, 2018

tiran deleted the bpo-33570-tls13-ciphers branch May 22, 2018 20:50

bedevere-bot removed the needs backport to 3.7 label May 22, 2018

miss-islington assigned tiran May 22, 2018

bedevere-bot removed the needs backport to 3.6 label Aug 14, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

Uh oh!

tiran commented May 18, 2018 •

edited by bedevere-bot

Loading

Uh oh!

gpshead May 20, 2018

Uh oh!

gpshead May 20, 2018

Uh oh!

gpshead May 20, 2018

Uh oh!

tiran May 20, 2018

Uh oh!

tiran commented May 22, 2018

Uh oh!

gpshead commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

tiran commented May 22, 2018

Uh oh!

bedevere-bot commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

bedevere-bot commented Aug 14, 2018

Uh oh!

Uh oh!

		@@ -73,6 +74,29 @@ def test_proc_exited(self):

		transport.close()

		def test_subprocess_repr(self):

		@@ -3440,16 +3437,15 @@ def test_do_handshake_enotconn(self):
		self.assertEqual(cm.exception.errno, errno.ENOTCONN)

		def test_default_ciphers(self):

Uh oh!

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 #6976

Uh oh!

Conversation

tiran commented May 18, 2018 • edited by bedevere-bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gpshead May 20, 2018

Choose a reason for hiding this comment

Uh oh!

gpshead May 20, 2018

Choose a reason for hiding this comment

Uh oh!

gpshead May 20, 2018

Choose a reason for hiding this comment

Uh oh!

tiran May 20, 2018

Choose a reason for hiding this comment

Uh oh!

tiran commented May 22, 2018

Uh oh!

gpshead commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

tiran commented May 22, 2018

Uh oh!

bedevere-bot commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

miss-islington commented May 22, 2018

Uh oh!

bedevere-bot commented Aug 14, 2018

Uh oh!

Uh oh!

tiran commented May 18, 2018 •

edited by bedevere-bot

Loading