
--ssl — TLS 1.3 & Python 3.7 compatibility

Open jaimejim opened this issue 7 years ago • 4 comments

Now that TLS 1.3 is out [1], it would be great to add that to the list of supported ssl parameters.

[--ssl {ssl2.3,tls1,tls1.1,tls1.2}] [--cert CERT]

[1] https://tools.ietf.org/html/rfc8446

jaimejim, Oct 17 '18 10:10

I've tried to declare support (see the merge request). This would require OpenSSL v.1.1.1 (announcement) and the up-to-date Python version (issue 33618 should be merged).

dair-targ, Nov 01 '18 06:11

Merged, release coming soon. Cheers.

jkbrzt, Nov 02 '18 14:11

Per Python 3.7's documentation there won't be a PROTOCOL_TLSv1_3 definition in the ssl module. To force the use of TLSv1.3 in Python you have to do PROTOCOL_TLS | OP_NO_TLSv1_2 | OP_NO_TLSv1_1 | ...

sethmlarson, Jan 17 '19 14:01

@sethmlarson I actually think (and might have verified that in the past) that the current implementation works by running the constants, when creating a custom context, through create_urllib3_context(), which changes ssl.PROTOCOL_* to TLSVersion.* in the background, so that might be the reason this nonexistent "PROTOCOL_TLSv1_3" value fed into the lib does actually silently parse to TLSVersion.TLSv1_3, which itself is indeed valid for SSLContext.min|max* values. But yea, I wouldn't trust this construct not breaking anytime in the future with my life though ;)

EDIT: Or I might have just been lucky that the server I tested against only supported TLSv1.3 or the cipher suite I tested meant using this highest version exclusively… so my observation might have been completely skewed 🤷

janbrasna, May 10 '22 20:05
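The last two comments describe two ways of pinning Python's ssl module to TLS 1.3 and raise the concern that testing against a single server can give a skewed result. The following is an added example, not code from HTTPie or from any commenter: it builds a client context both ways and reads the supported_versions extension from the ClientHello the context produces, with no server involved. The function names, the use of PROTOCOL_TLS_CLIENT and the host name example.test are assumptions of the example; it needs Python 3.7+ linked against OpenSSL 1.1.1 or later.

```python
import ssl
import struct
import warnings

def offered_versions(ctx):
    """Return the TLS versions a client context advertises in its ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        conn.do_handshake()            # no peer: stops after writing the ClientHello
    except ssl.SSLWantReadError:
        pass
    hello = outgoing.read()
    pos = 5 + 4 + 2 + 32               # record hdr, handshake hdr, legacy_version, random
    pos += 1 + hello[pos]              # legacy_session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]              # legacy_compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos < end:                   # walk the extensions
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == 43:             # supported_versions (RFC 8446, section 4.2.1)
            count = hello[pos] // 2
            return list(struct.unpack_from("!%dH" % count, hello, pos + 1))
        pos += ext_len
    return []                          # extension absent: nothing above TLS 1.2 offered

def tls13_only_via_versions():
    """Pin with SSLContext.minimum_version / maximum_version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def tls13_only_via_options():
    """Pin by masking out every older version with OP_NO_* flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():    # OP_NO_* flags are deprecated in newer Pythons
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
    return ctx

if __name__ == "__main__":
    print("PROTOCOL_TLSv1_3 defined:", hasattr(ssl, "PROTOCOL_TLSv1_3"))
    for build in (tls13_only_via_versions, tls13_only_via_options):
        print(build.__name__, [hex(v) for v in offered_versions(build())])
```

A result of `[0x304]` means the client offers TLS 1.3 and nothing else, so a handshake with a server that lacks TLS 1.3 fails instead of silently negotiating an older version.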