New submission from Kali Kaneko:
The SSLv23 row that can be read in the socket creation section in the documentation for the ssl module looks incorrect: https://docs.python.org/2.7/library/ssl.html#socket-creation
By my tests (with Python 2.7.8) that row should read:
yes no yes yes yes yes
yes no yes no no no
as it does now.
Since a client specifying SSLv23 should be (and it seems to be) able to negotiate the highest available version that the server can offer, no matter if the server has chosen a TLS version.
Is this an error in the documentation, or is there any situation in which the current values hold true?
----------
assignee: docs@python
components: Documentation
messages: 232078
nosy: docs@python, kali
priority: normal
severity: normal
status: open
title: ssl module documentation: incorrect compatibility matrix
versions: Python 2.7
Alex Gaynor added the comment:
I agree this is a bug, but I believe the correct output is:
no yes yes yes yes yes
----------
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Antoine Pitrou added the comment:
Alex is right. The current doc was valid for older OpenSSL versions, which sent a SSLv2 hello with SSLv23.
Reference from the OpenSSL docs:
"""If the cipher list does not contain any SSLv2 ciphersuites (the default cipher list does not) or extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols."""
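The difference between the two hello formats mentioned in the comment above is visible in the first bytes a client sends. The following is an added example, not code from the tracker thread or from CPython: it classifies a ClientHello as SSLv2-compatible or TLS-record framed, and captures the hello of a current version-flexible client in memory. `PROTOCOL_TLS_CLIENT` is used as the modern counterpart of the SSLv23 client setting, the host name is a placeholder, and the SSLv2-framed sample is constructed.

```python
import ssl
import struct

def classify_client_hello(data):
    """Tell an SSLv2-compatible ClientHello from one carried in an SSLv3/TLS record."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2 framing: 2-byte length with the high bit set, then msg type 1
    # (CLIENT-HELLO), then the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"format": "sslv2-compat", "client_version": (data[3], data[4])}
    # SSLv3/TLS framing: content type 0x16 (handshake), record version, length.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("handshake record does not start with a ClientHello")
        # Handshake header is type (1 byte) + length (3 bytes); version follows.
        return {"format": "tls-record",
                "record_version": (data[1], data[2]),
                "client_version": (data[9], data[10])}
    raise ValueError("not an SSL/TLS ClientHello")

def modern_client_hello():
    """Capture the first flight of a version-flexible client, with no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.invalid" is a placeholder name; nothing is resolved or contacted.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is queued and no server has answered
    return outgoing.read()

# Constructed sample: an SSLv2-framed hello that offers TLSv1 (3, 1).
_body = (b"\x01" + b"\x03\x01" + struct.pack(">HHH", 3, 0, 16)
         + b"\x00\x00\x2f" + bytes(16))
SSLV2_COMPAT_SAMPLE = struct.pack(">H", 0x8000 | len(_body)) + _body

if __name__ == "__main__":
    print(classify_client_hello(SSLV2_COMPAT_SAMPLE))
    print(classify_client_hello(modern_client_hello()))
```

A server that only parses TLS records cannot read the SSLv2-framed form at all, which is why the matrix depends on which hello the client's OpenSSL emits.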
Roundup Robot added the comment:
New changeset 7af5d5493497 by Antoine Pitrou in branch '2.7': Fix #22987: update the compatibility matrix for a SSLv23 client. https://hg.python.org/cpython/rev/7af5d5493497
New changeset 9f03572690d2 by Antoine Pitrou in branch '3.4': Fix #22987: update the compatibility matrix for a SSLv23 client. https://hg.python.org/cpython/rev/9f03572690d2
New changeset 7509a0607c40 by Antoine Pitrou in branch 'default': Fix #22987: update the compatibility matrix for a SSLv23 client. https://hg.python.org/cpython/rev/7509a0607c40
----------
nosy: +python-dev

Changes by Antoine Pitrou:
----------
resolution: -> fixed
stage: -> resolved
status: open -> closed
versions: +Python 3.4, Python 3.5
Kali Kaneko added the comment:
My bad, I had not actually tested the SSLv2 and SSLv3 options, since they were not available in the Python in Debian sid.
Thanks for the quick fix!