[issue22987] ssl module documentation: incorrect compatibility matrix
New submission from Kali Kaneko:
The SSLv23 row that can be read in the socket creation section in the documentation for the ssl module looks incorrect:
https://docs.python.org/2.7/library/ssl.html#socket-creation
By my tests (with Python 2.7.8), that row should read:
yes no yes yes yes yes
instead of:
yes no yes no no no
as it does now.
Since a client specifying SSLv23 should be (and it seems to be) able to negotiate the highest available version that the server can offer, no matter if the server has chosen a TLS version.
Is this an error in the documentation, or is there any situation in which the current values hold true?
----------
assignee: docs@python
components: Documentation
messages: 232078
nosy: docs@python, kali
priority: normal
severity: normal
status: open
title: ssl module documentation: incorrect compatibility matrix
versions: Python 2.7
_______________________________________
Python tracker
Alex Gaynor added the comment:
I agree this is a bug, but I believe the correct output is:
no yes yes yes yes yes
----------
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
_______________________________________
Antoine Pitrou added the comment:
Alex is right. The current doc was valid for older OpenSSL versions, which sent an SSLv2 hello with SSLv23.
Reference from the OpenSSL docs:
"""If the cipher list does not contain any SSLv2 ciphersuites (the default cipher list does not) or extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols."""
(https://www.openssl.org/docs/ssl/SSL_CTX_new.html)
----------
_______________________________________
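Added example, not part of the thread or of CPython: a Python 3 check of the point in the comment above, that a version-flexible client built on current OpenSSL sends a TLS-record ClientHello rather than an SSLv2-format hello. It uses `ssl.PROTOCOL_TLS_CLIENT` (`PROTOCOL_SSLv23` is a deprecated alias of the version-flexible `PROTOCOL_TLS`) with in-memory BIOs, so no network is needed; the hostname `example.test`, the helper names and the SSLv2-format sample bytes are constructed for illustration.

```python
import ssl

# Constructed sample: an SSLv2-format compatibility hello advertising version 3.1.
# 2-byte length (high bit set), msg type 1, version, three length fields, then
# 21 bytes of cipher specs and a 16-byte challenge (zero filler, not a capture).
SSLV2_COMPAT_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x01,
                            0x00, 0x15, 0x00, 0x00, 0x00, 0x10]) + bytes(21 + 16)


def client_hello_bytes(context, hostname="example.test"):
    """Return the first flight a client context would send, with no network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = context.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is queued and the client waits for the server
    return outgoing.read()


def modern_client_hello():
    """Hello produced by a version-flexible client (PROTOCOL_TLS_CLIENT)."""
    return client_hello_bytes(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


def classify_hello(data):
    """Return (framing, (major, minor)) for the first bytes a client sent."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: length with high bit set, CLIENT-HELLO (1), then version.
        return "sslv2-format", (data[3], data[4])
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # TLS record type 22 (handshake) carrying ClientHello (type 1); the
        # client_version follows the 5-byte record and 4-byte handshake headers.
        return "tls-record", (data[9], data[10])
    return "unknown", None


if __name__ == "__main__":
    for label, blob in (("modern client", modern_client_hello()),
                        ("constructed SSLv2-format", SSLV2_COMPAT_HELLO)):
        print(label, classify_hello(blob))
```

A server that only speaks SSLv2 cannot parse the first kind of hello, which is why the matrix row for an SSLv23 client changed.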
Roundup Robot added the comment:
New changeset 7af5d5493497 by Antoine Pitrou in branch '2.7':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/7af5d5493497
New changeset 9f03572690d2 by Antoine Pitrou in branch '3.4':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/9f03572690d2
New changeset 7509a0607c40 by Antoine Pitrou in branch 'default':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/7509a0607c40
----------
nosy: +python-dev
_______________________________________
Kali Kaneko added the comment:
My bad, I had not actually tested the SSLv2 and SSLv3 options, since they were not available in the Python in Debian sid.
Thanks for the quick fix!
----------
_______________________________________