New submission from Kali Kaneko:
The SSLv23 row that can be read in the socket creation section in the documentation for the ssl module looks incorrect: https://docs.python.org/2.7/library/ssl.html#socket-creation
by my tests (with python 2.7.8) that row should read:
yes no yes yes yes yes
instead of:
yes no yes no no no
as it does now.
Since a client specifying SSLv23 should be (and it seems to be) able to negotiate the highest available version that the server can offer, no matter if the server has chosen a tls version.
Is this an error in the documentation, or is there any situation in which the current values hold true?
---------- assignee: docs@python components: Documentation messages: 232078 nosy: docs@python, kali priority: normal severity: normal status: open title: ssl module documentation: incorrect compatibility matrix versions: Python 2.7
_______________________________________ Python tracker report@bugs.python.org http://bugs.python.org/issue22987 _______________________________________
Alex Gaynor added the comment:
I agree this is a bug, but I believe the correct output is:
no yes yes yes yes yes
---------- nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
_______________________________________ Python tracker report@bugs.python.org http://bugs.python.org/issue22987 _______________________________________
Antoine Pitrou added the comment:
Alex is right. The current doc was valid for older OpenSSL versions, which sent a SSLv2 hello with SSLv23.
Reference from the OpenSSL docs:
"""If the cipher list does not contain any SSLv2 ciphersuites (the default cipher list does not) or extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols."""
(https://www.openssl.org/docs/ssl/SSL_CTX_new.html)
----------
_______________________________________ Python tracker report@bugs.python.org http://bugs.python.org/issue22987 _______________________________________
Roundup Robot added the comment:
New changeset 7af5d5493497 by Antoine Pitrou in branch '2.7': Fix #22987: update the compatibility matrix for a SSLv23 client. https://hg.python.org/cpython/rev/7af5d5493497
New changeset 9f03572690d2 by Antoine Pitrou in branch '3.4': Fix #22987: update the compatibility matrix for a SSLv23 client. https://hg.python.org/cpython/rev/9f03572690d2
New changeset 7509a0607c40 by Antoine Pitrou in branch 'default': Fix #22987: update the compatibility matrix for a SSLv23 client. https://hg.python.org/cpython/rev/7509a0607c40
---------- nosy: +python-dev
_______________________________________ Python tracker report@bugs.python.org http://bugs.python.org/issue22987 _______________________________________
Changes by Antoine Pitrou pitrou@free.fr:
---------- resolution: -> fixed stage: -> resolved status: open -> closed versions: +Python 3.4, Python 3.5
_______________________________________ Python tracker report@bugs.python.org http://bugs.python.org/issue22987 _______________________________________
Kali Kaneko added the comment:
my bad, I had not actually tested the sslv2 and sslv3 options, since they were not available in the python in debian sid.
thanks for the quick fix!
----------
_______________________________________ Python tracker report@bugs.python.org http://bugs.python.org/issue22987 _______________________________________
-
Alex Gaynor -
Antoine Pitrou
-
Kali Kaneko
-
Roundup Robot