
Deprecated SSL protocol in CertValidatingHTTPSConnection

Open jpeak5 opened this issue 2 years ago • 4 comments

tl;dr: Line 72 of duo_client/https_wrapper.py hard-codes a deprecated (since Python 3.6) SSL protocol.

The only similar issue I found in this queue is #31, but it's pretty historic (2016) and only slightly related.


We've just upgraded Python (to 3.10.5) and found that at least one of our scripts using duo_client_python is emitting a new-to-us deprecation warning:

/path/to/python3.10/site-packages/duo_client/https_wrapper.py:72: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

Line 72, referenced in the warning above, is

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

ssl.PROTOCOL_SSLv23 has been deprecated since Python 3.6 (docs.python.org). Its replacement, ssl.PROTOCOL_TLS, which was introduced in Python 3.6, is itself now deprecated under Python 3.10:

Deprecated since version 3.10: TLS clients and servers require different default settings for secure communication. The generic TLS protocol constant is deprecated in favor of PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER.

(docs.python.org)

ssl.PROTOCOL_TLS_CLIENT:

Auto-negotiate the highest protocol version that both the client and server support, and configure the context client-side connections. The protocol enables CERT_REQUIRED and check_hostname by default.

(docs.python.org)

jpeak5 avatar Aug 22 '22 17:08 jpeak5

This is probably left over from our Python 2 and 3.5 support - I'll see if we can remove it.

AaronAtDuo avatar Aug 25 '22 13:08 AaronAtDuo

I'll see if we can remove it.

@AaronAtDuo any movement?

I see that back in June (before this report), there was an unrelated deprecation fix (dea8d14e4b9becb9139c341b367ec8d3ab03c954) in the same module. Would be nice to be able to turn warnings back on (-Wall).

jpeak5 avatar Jan 24 '23 19:01 jpeak5

Thanks for the ping! This fell off our radar but should be a quick fix. I've posted https://github.com/duosecurity/duo_client_python/pull/190 to at least move off the deprecated PROTOCOL_SSLv23. Going all the way to PROTOCOL_TLS_CLIENT actually broke some tests, so I need to look into that; but the intermediate step to PROTOCOL_TLS seems safe.

AaronAtDuo avatar Jan 25 '23 19:01 AaronAtDuo

Ok https://github.com/duosecurity/duo_client_python/pull/191 is up to go all the way to PROTOCOL_TLS_CLIENT, but that changes the default behavior of the client, so needs a bit more discussion.

AaronAtDuo avatar Jan 25 '23 20:01 AaronAtDuo
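The thread above makes two points worth seeing side by side: the generic protocol constant warns on Python 3.10+, and moving to PROTOCOL_TLS_CLIENT is not a pure rename because it turns on certificate verification and hostname checking by default (which is what changes the client's behavior and why tests that relied on unverified connections broke). The following is an added example, not code from duo_client_python or its maintainers; the function names are this example's own, and it only inspects the two kinds of context, it does not open a connection.

```python
import ssl
import sys
import warnings

# Assumption (constructed for this example): Python 3.10 or newer is where the
# generic-protocol constructor emits "ssl.PROTOCOL_TLS is deprecated".
EXPECT_LEGACY_WARNING = sys.version_info >= (3, 10)


def make_legacy_context():
    """The pattern reported in the issue: a generic TLS protocol constant.

    PROTOCOL_SSLv23 is an alias of PROTOCOL_TLS. The resulting context does
    not verify the peer certificate or check the hostname unless the caller
    turns both on explicitly, and on Python 3.10+ constructing it emits a
    DeprecationWarning.
    """
    return ssl.SSLContext(ssl.PROTOCOL_SSLv23)


def make_client_context(cafile=None):
    """The replacement the issue points at: PROTOCOL_TLS_CLIENT.

    verify_mode defaults to CERT_REQUIRED and check_hostname to True, so a
    trust store must be loaded or every handshake will fail. cafile is an
    optional path to a PEM bundle (an assumed parameter for this example);
    without it the platform default store is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def describe(ctx):
    """Return the security-relevant defaults of a context as plain values."""
    return {
        "protocol": ctx.protocol.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def deprecation_warnings(factory):
    """Count the DeprecationWarnings raised while calling factory().

    This is the signal the issue reporter saw after re-enabling warnings;
    a migration is complete when this returns 0 for the new constructor.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        factory()
    return sum(1 for w in caught if issubclass(w.category, DeprecationWarning))


if __name__ == "__main__":
    print("legacy :", describe(make_legacy_context()),
          "deprecation warnings:", deprecation_warnings(make_legacy_context))
    print("client :", describe(make_client_context()),
          "deprecation warnings:", deprecation_warnings(make_client_context))
```

Running this on Python 3.10+ shows the legacy context reporting CERT_NONE and check_hostname False alongside one DeprecationWarning, while the PROTOCOL_TLS_CLIENT context reports CERT_REQUIRED and check_hostname True with no warning. That difference is the whole "changes the default behavior" discussion from the thread: a test fixture that previously talked to a server with a self-signed certificate must now either load that certificate as a trusted CA (the cafile path above) or opt out of verification explicitly, and note that if it opts out it has to set check_hostname to False before lowering verify_mode, because the ssl module refuses the other order.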