<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 10, 2017, at 10:59 PM, Nick Coghlan &lt;<a href="mailto:ncoghlan@gmail.com" class="">ncoghlan@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 10 January 2017 at 23:24, Donald Stufft &lt;<a href="mailto:donald@stufft.io" class="">donald@stufft.io</a>&gt; wrote:<br class=""><blockquote type="cite" class="">Looking at the download numbers, the absolute largest driver of TLSv1.0 and<br class="">TLSv1.1 traffic to PyPI are old versions of pip or other clients where I<br class="">cannot<br class="">tell the OS that they are being run on.<br class=""></blockquote><br class="">Can you tell the Python version they're running even with older clients?<br class=""><br class="">I just checked the exact dates/versions where TLS v1.2 was properly<br class="">enabled in the various versions of Python that Red Hat ships, and this<br class="">change should be fine for:<br class=""><br class="">* RHEL/CentOS 7.2+ (PEP 466 backport released November 2015)<br class="">* Red Hat Software Collections 2.2+ (PEP 466 backport released May 2016)<br class=""><br class="">However, folks currently using the system Python 2.6 installation in<br class="">RHEL/CentOS 6 are going to need to upgrade to Python 2.7 somehow,<br class="">whether that's by:<br class=""><br class="">- upgrading to RHEL/CentOS 7<br class="">- doing a parallel install via RHSCL/<a href="http://softwarecollections.org" class="">softwarecollections.org</a><br class="">- doing a parallel install via <a href="http://ius.io" class="">ius.io</a><br class=""><br class="">(The problem with RHEL 6 is that even though the *OS* has supported<br class="">TLS v1.2 since RHEL 6.5, *Python 2.6* doesn't properly support<br
class="">accessing them through the standard library's SSL module, since it's<br class="">missing the features backported from 3.x by PEP 466)<br class=""><br class="">Cheers,<br class="">Nick.<br class=""><br class="">-- <br class="">Nick Coghlan | <a href="mailto:ncoghlan@gmail.com" class="">ncoghlan@gmail.com</a> | Brisbane, Australia<br class=""></div></div></blockquote></div><br class=""><div class=""><br class="webkit-block-placeholder"></div><div class="">No, but it doesn’t matter, the version of Python doesn’t control it at all since we use PROTOCOL_SSLv23 which will automatically negotiate the highest protocol OpenSSL supports, whether Python has bound the PROTOCOL_TLSv1_X constant and implemented the methods for it or not. So Python 2.6 is perfectly capable of talking to a TLSv1.2 site (it however, is not capable of explicitly saying it *needs* only TLSv1.2).</div><div class=""><br class=""></div><div class="">See:</div><div class=""><br class=""></div><div class=""><div class="">$ python2.6 -c "import urllib2,json; print(json.loads(urllib2.urlopen('<a href="https://www.howsmyssl.com/a/check" class="">https://www.howsmyssl.com/a/check</a>').read())['tls_version'])"</div><div class="">TLS 1.2</div></div><div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class="">—<br class="">Donald Stufft<br class=""></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""></div><br class="Apple-interchange-newline">
</div>
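<div class="">Added example (not part of the original message, and not PyPI's or pip's code), written for a current Python 3: the difference described above between letting OpenSSL negotiate the highest shared version and requiring a floor. The function names are assumptions made for this example; the host in the demo call is the one used in the post.</div>

```python
import socket
import ssl

# Strings returned by SSLSocket.version(), mapped to comparable enum members.
_NEGOTIATED = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def client_context(floor=None):
    """Verified client context; negotiates the highest shared version.

    With floor set, OpenSSL itself refuses anything older during the
    handshake, which is the part Python 2.6 had no way to ask for.
    """
    ctx = ssl.create_default_context()
    if floor is not None:
        ctx.minimum_version = floor
    return ctx


def meets_floor(negotiated, floor=ssl.TLSVersion.TLSv1_2):
    """After-the-fact check on a negotiated version string.

    Unknown or missing values (None before a handshake) fail closed.
    """
    version = _NEGOTIATED.get(negotiated)
    return version is not None and version >= floor


def negotiated_version(host, ctx, port=443, timeout=10.0):
    """Handshake with host and return the version string, e.g. 'TLSv1.2'.

    Needs network access; raises ssl.SSLError if the peer cannot meet the
    context's floor.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    ctx = client_context(floor=ssl.TLSVersion.TLSv1_2)
    seen = negotiated_version("www.howsmyssl.com", ctx)  # host from the post
    print(seen, meets_floor(seen))
```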
<br class=""></body></html>