[issue22987] ssl module documentation: incorrect compatibility matrix

New submission from Kali Kaneko:

The SSLv23 row that can be read in the socket creation section in the documentation for the ssl module looks incorrect:

https://docs.python.org/2.7/library/ssl.html#socket-creation

by my tests (with python 2.7.8) that row should read:

yes no yes yes yes yes

instead of:

yes no yes no no no

as it does now.

Since a client specifying SSLv23 should be (and it seems to be) able to negotiate the highest available version that the server can offer, no matter if the server has chosen a tls version.

Is this an error in the documentation, or is there any situation in which the current values hold true?

----------
assignee: docs@python
components: Documentation
messages: 232078
nosy: docs@python, kali
priority: normal
severity: normal
status: open
title: ssl module documentation: incorrect compatibility matrix
versions: Python 2.7

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue22987>
_______________________________________

Alex Gaynor added the comment:

I agree this is a bug, but I believe the correct output is:

no yes yes yes yes yes

----------
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou

Antoine Pitrou added the comment:

Alex is right. The current doc was valid for older OpenSSL versions, which sent a SSLv2 hello with SSLv23.

Reference from the OpenSSL docs:

"""If the cipher list does not contain any SSLv2 ciphersuites (the default cipher list does not) or extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols."""

(https://www.openssl.org/docs/ssl/SSL_CTX_new.html)
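Added example, not part of the original thread or of CPython: the OpenSSL passage quoted above describes what a version-negotiating client puts in its hello, and the code below captures that hello from Python's ssl module through in-memory BIOs (no network, no certificate) and lists the versions it advertises. The function names and the hostname example.test are assumptions made for the illustration; the parser also recognises the SSLv2-format hello that, per the comment above, older OpenSSL sent for SSLv23.

```python
import ssl
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def capture_client_hello(ctx):
    """Return the first flight a client context would send (no network involved)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.test" is a placeholder hostname, used only for SNI.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def parse_client_hello(data):
    """Report which hello format was sent and which versions it advertises."""
    if data[0] & 0x80:  # SSLv2-format hello: 2-byte length, msg type, version
        if data[2] != 1:
            raise ValueError("not a ClientHello")
        return {"format": "SSLv2", "versions": [struct.unpack_from("!H", data, 3)[0]]}
    if data[0] != 22 or data[5] != 1:  # handshake record carrying a ClientHello
        raise ValueError("not a TLS ClientHello")
    legacy = struct.unpack_from("!H", data, 9)[0]
    pos = 11 + 32                                      # skip the 32-byte random
    pos += 1 + data[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
    pos += 1 + data[pos]                               # compression_methods
    versions = [legacy]  # without supported_versions this is the client's maximum
    if pos < len(data):
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            if ext_type == 43:  # supported_versions: explicit list of versions
                count = data[pos + 4] // 2
                versions = list(struct.unpack_from("!%dH" % count, data, pos + 5))
            pos += 4 + ext_len
    return {"format": "TLS", "legacy_version": legacy, "versions": versions}

if __name__ == "__main__":
    # PROTOCOL_TLS_CLIENT negotiates the version, like the thread's PROTOCOL_SSLv23.
    hello = parse_client_hello(capture_client_hello(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
    print(hello["format"], [NAMES.get(v, hex(v)) for v in hello["versions"]])
```

A hello reported as format "TLS" cannot be understood by an SSLv2-only server, which is the case the corrected matrix row marks "no".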

Roundup Robot added the comment:

New changeset 7af5d5493497 by Antoine Pitrou in branch '2.7':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/7af5d5493497

New changeset 9f03572690d2 by Antoine Pitrou in branch '3.4':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/9f03572690d2

New changeset 7509a0607c40 by Antoine Pitrou in branch 'default':
Fix #22987: update the compatibility matrix for a SSLv23 client.
https://hg.python.org/cpython/rev/7509a0607c40

----------
nosy: +python-dev

Changes by Antoine Pitrou <pitrou@free.fr>:

----------
resolution: -> fixed
stage: -> resolved
status: open -> closed
versions: +Python 3.4, Python 3.5

Kali Kaneko added the comment:

my bad, I had not actually tested the sslv2 and sslv3 options, since they were not available in the python in debian sid.

thanks for the quick fix!