Deprecate PROTOCOL_SSLv23
Enhancement request
Move away from PROTOCOL_SSLv23 as it now defaults to PROTOCOL_TLS … and we should (probably?) use PROTOCOL_TLS_CLIENT explicitly.
Problem it solves
Deprecated since 3.6, might be needed for going ahead with features like #722 where a range of SSLContext.* is needed etc.
Additional information, screenshots, or code examples
The backstory is I was originally quite puzzled by the docs:
-ssl=ssl2.3
"This will default to SSL v2.3 which will negotiate the highest protocol"
like "WTF is this SSL v2.3 you speak of" as there's nothing like that in the world… until I figured out through the actual source this comes from Python's PROTOCOL_SSLv23 constant, that itself comes from OpenSSL value SSLv23, which is nonetheless not meant as an arbitrary SSL version, but rather a "magic value" used by OpenSSL to mean "all supported versions".
So there's really no "SSL v2.3", and it also means neither SSL2 nor SSL3 as in "SSL v2-3" as those are not available in Python today anymore yet this constant still enables current TLS versions.
That value has been luckily deprecated and is today the equivalent of PROTOCOL_TLS, and the https command defaults +params should reflect this.
So I propose the new default to be something more understandable like -ssl=tls for PROTOCOL_TLS or maybe even PROTOCOL_TLS_CLIENT, i.e. "negotiate the highest protocol version for me ktxbye", for future compatibility.
Since this might be a breaking change not sure if that means a major version bump, or better getting away with backward compatibility by cheating like:
- just keeping the old -ssl=ssl2.3 to keep resolving to PROTOCOL_SSLv23 therefore actually to PROTOCOL_TLS
- adding new default -ssl=tls picking the new PROTOCOL_TLS_CLIENT
What this might impact is things like verify:
https://github.com/httpie/httpie/blob/9241a093605cf6afbd6a52b42db4c946badea420/httpie/ssl_.py#L70-L82
as this comes with *_CLIENT constant etc.
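
An added example, not part of the original issue and not HTTPie's own code: it shows how the verification defaults differ between the legacy constant and PROTOCOL_TLS_CLIENT, and why code that only sets verify_mode stops working after the switch. The option table and the function names are hypothetical.

```python
import ssl
import warnings

# Hypothetical option table following the proposal above (not HTTPie's own).
SSL_ARG_TO_PROTOCOL = {
    "ssl2.3": "PROTOCOL_SSLv23",   # legacy spelling, alias of PROTOCOL_TLS
    "tls": "PROTOCOL_TLS_CLIENT",  # proposed new default
}


def make_context(ssl_arg):
    """Create a bare SSLContext for the given option value."""
    protocol = getattr(ssl, SSL_ARG_TO_PROTOCOL[ssl_arg])
    with warnings.catch_warnings():
        # PROTOCOL_SSLv23 / PROTOCOL_TLS emit DeprecationWarning on 3.10+.
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(protocol)


def verification_defaults(ssl_arg):
    """Return (check_hostname, verify_mode) of a freshly created context."""
    ctx = make_context(ssl_arg)
    return ctx.check_hostname, ctx.verify_mode


def apply_verify(ctx, verify):
    """Set verification explicitly so both protocol constants behave alike."""
    if verify:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    else:
        # Order matters: CERT_NONE is rejected while check_hostname is on.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def naive_disable(ctx):
    """Code that only touches verify_mode; returns the error text, if any."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for arg in SSL_ARG_TO_PROTOCOL:
        print(arg, verification_defaults(arg), naive_disable(make_context(arg)))
```

With the legacy constant a bare context verifies nothing until told to, so setting both attributes explicitly keeps the two option values consistent.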