Feature Request: Support for TLS 1.2

Bug #1020632 reported by Thom Nichols on 2012-07-03
This bug affects 9 people
Affects Status Importance Assigned to Milestone
Fix Committed
Jean-Paul Calderone

Bug Description

When building against OpenSSL 1.0.1, it should be possible to take advantage of TLS 1.2 support. I believe this would require the addition of a OpenSSL.SSL.TLSv1_2_METHOD to signal the use of a TLS 1.2 handshake.

Also there is no TLS 1.1 method but it's unclear if that's covered by the OpenSSL.SSL.TLSv1_METHOD. There should be an explicit method for TLS v1.1 as well. Thanks!

Related branches

Fedor Brunner (fedor-brunner) wrote :

This patch will add support for TLS v1.1 and TLS v1.2 . These protocols protect against SSL/TLS new attacks

Jean-Paul Calderone (exarkun) wrote :

This patch looks reasonable. However, please contribute future patches against *trunk* so that they don't need to be ported to trunk.

Changed in pyopenssl:
assignee: nobody → Jean-Paul Calderone (exarkun)
importance: Undecided → Medium
status: New → In Progress
Andy Lutomirski (luto-mit) wrote :

After staring at the utter crap OpenSSL docs for a while, it turns out that, almost regardless of what you're trying to interoperate with, the correct method to use is SSL.SSLv23_METHOD. TLSv1_2_METHOD means TLS 1.2 *only*. Similarly, TLSv1_METHOD means TLS 1.0 *only* (in particular, TLSv1_METHOD disallows TLSv1.2).

If you use SSL.SSLv23_METHOD and set SSL.OP_NO_SSLv2 (and optionally SSL.OP_NO_SSLv3) then you get reasonable results, including the availability of GCM ciphers.

Changed in pyopenssl:
status: In Progress → Fix Committed
Thom Nichols (tmnichols) wrote :

FWIW, our use case requires enforcing TLS v.1.2 ONLY. However good to know how you would achieve support for any TLS 1.x versions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers