Skip to content

bpo-33618: Enable TLS 1.3 in tests #7079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 23, 2018
Merged

bpo-33618: Enable TLS 1.3 in tests #7079

merged 1 commit into from
May 23, 2018

Conversation

tiran
Copy link
Member

@tiran tiran commented May 23, 2018
edited by bedevere-bot
Loading

TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
openssl/openssl#6340) is required.

Signed-off-by: Christian Heimes [email protected]

https://bugs.python.org/issue33618

@tiran tiran requested review from 1st1, asvetlov and a team as code owners May 23, 2018 18:13
@tiran tiran force-pushed the tls13-misc branch 2 times, most recently from 637d0fd to 847ccd9 Compare May 23, 2018 18:35
elprans
elprans reviewed May 23, 2018
View reviewed changes
Doc/library/ssl.rst Outdated
ChaCha20 cipher suites are enabled by default. The method
:meth:`SSLContext.set_ciphers` cannot enable or disable any TLS 1.3
ciphers yet, but :meth:`SSLContext.get_cipers` returns them.
- Session tickets are no longer send as part of the initial handshake and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sent

@tiran
bpo-33618: Enable TLS 1.3 in tests
a526cc7 
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
openssl/openssl#6340) is required.

Signed-off-by: Christian Heimes <[email protected]>
@tiran
Copy link
Member Author

tiran commented May 23, 2018

Thanks Elvis, I fixed the typo.

@tiran tiran merged commit 529525f into python:master May 23, 2018
@miss-islington
Copy link
Contributor

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6, 3.7.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 23, 2018
@tiran @miss-islington
bpo-33618: Enable TLS 1.3 in tests (pythonGH-7079)
8e35291 
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
openssl/openssl#6340) is required.

Signed-off-by: Christian Heimes <[email protected]>
(cherry picked from commit 529525f)

Co-authored-by: Christian Heimes <[email protected]>
@bedevere-bot
Copy link

GH-7082 is a backport of this pull request to the 3.7 branch.

@miss-islington
Copy link
Contributor

Sorry, @tiran, I could not cleanly backport this to 3.6 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 529525fb5a8fd9b96ab4021311a598c77588b918 3.6

@miss-islington
Copy link
Contributor

Sorry, @tiran, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 529525fb5a8fd9b96ab4021311a598c77588b918 2.7

@tiran tiran deleted the tls13-misc branch May 23, 2018 20:27
tiran pushed a commit that referenced this pull request May 23, 2018
@miss-islington @tiran
[3.7] bpo-33618: Enable TLS 1.3 in tests (GH-7079) (GH-7082)
72ef4fc 
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
openssl/openssl#6340) is required.

Signed-off-by: Christian Heimes <[email protected]>
(cherry picked from commit 529525f)
@stratakis
Copy link
Contributor

stratakis commented Nov 7, 2018
edited
Loading

The relevant fixes seem to have been backported for the 3.6 branch at #8760 . Could it be verified and have the respective label removed?

@duaneg duaneg mentioned this pull request Jun 16, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elprans elprans elprans left review comments

@1st1 1st1 Awaiting requested review from 1st1

@asvetlov asvetlov Awaiting requested review from asvetlov

Assignees

@tiran tiran

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@tiran @miss-islington @bedevere-bot @stratakis @elprans @the-knights-who-say-ni