[Distutils] Announcement: TLSv1.2 will become mandatory in the future

Donald Stufft donald at stufft.io
Tue Jan 10 23:04:19 EST 2017

> On Jan 10, 2017, at 10:59 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 10 January 2017 at 23:24, Donald Stufft <donald at stufft.io> wrote:
>> Looking at the download numbers, the absolute largest driver of TLSv1.0 and
>> TLSv1.1 traffic to PyPI are old versions of pip or other clients where I
>> cannot
>> tell the OS that they are being run on.
> Can you tell the Python version they're running even with older clients?
> I just checked the exact dates/versions where TLS v1.2 was properly
> enabled in the various versions of Python that Red Hat ships, and this
> change should be fine for:
> * RHEL/CentOS 7.2+ (PEP 466 backport released November 2015)
> * Red Hat Software Collections 2.2+ (PEP 466 backport released May 2016)
> However, folks currently using the system Python 2.6 installation in
> RHEL/CentOS 6 are going to need to upgrade to Python 2.7 somehow,
> whether that's by:
> - upgrading to RHEL/CentOS 7
> - doing a parallel install via RHSCL/softwarecollections.org
> - doing a parallel install via ius.io
> (The problem with RHEL 6 is that even though the *OS* has supported
> TLS v1.2 since RHEL 6.5, *Python 2.6* doesn't properly support
> accessing them through the standard library's SSL module, since it's
> missing the features backported from 3.x by PEP 466)
> Cheers,
> Nick.
> -- 
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

No, but it doesn’t matter, the version of Python doesn’t control it at all since we use PROTOCOL_SSLv23 which will automatically negotiate the highest protocol OpenSSL supports, whether Python has bound the PROTOCOL_TLSv1_X constant and implemented the methods for it or not. So Python 2.6 is perfectly capable of talking to a TLSv1.2 site (it however, is not capable of explicitly saying it *needs*  only TLSv1.2).


$ python2.6 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"
TLS 1.2

Donald Stufft

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20170110/6f183d6a/attachment.html>

More information about the Distutils-SIG mailing list