Change insecure SSL/TLS to deprecated
SSL (not TLS) is widely considered insecure and is also deprecated in the Python Docs (PROTOCOL_SSLv2, PROTOCOL_SSLv3). Also, TLS 1.0 and 1.1 are deprecated in the latest version of major browsers (MDN Web Docs).
Thus, I think it is better to either remove its support or change it to be specified explicitly when using it (such as via config and command-line args).
"Deprecated since version 3.6: OpenSSL has deprecated all version specific protocols. Use the default protocol PROTOCOL_TLS_SERVER or PROTOCOL_TLS_CLIENT with SSLContext.minimum_version and SSLContext.maximum_version instead."
So there's more to address than actually phasing out this version param itself (as seen in #724 where a need for pinpointing only a part of the range arose), yet at the same time I believe that unless you specify any of the legacy protocols, they won't be downgraded to from the default TLS connection. Or at least not with the new PROTOCOL_TLS*, as should be the solution going forwards #1400
The other side of things is e. g. PEP-0644 where since 3.10 (that's the current dependency) the OpenSSL 1.1.1 used no longer even supports any SSLv2 connections at all if I understand it correctly, so trying to forcibly connect won't even work.
So keeping the legacy options around for some low-level testing is IMO legit, if they're not going to get degraded to from default settings. However, they don't necessarily have to function at all given the underlying OpenSSL/PEP changes over time.