| author | Christian Heimes <christian@python.org> | 2018-05-23 20:24:45 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-05-23 20:24:45 (GMT) |
| commit | 529525fb5a8fd9b96ab4021311a598c77588b918 (patch) | |
| tree | eeac65af9dbfed139cb87c514523b653dd6b4f73 /Doc/library/ssl.rst | |
| parent | 28b9178023a445b1da2694774c265cd4b7a244ec (diff) | |
bpo-33618: Enable TLS 1.3 in tests (GH-7079)
TLS 1.3 behaves slightly differently than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initial handshake. Tests now
either send/recv data to trigger session and client certs, or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.
To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.
Signed-off-by: Christian Heimes <christian@python.org>
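The two test patterns the commit message describes, written out as an added example (this is not code from the CPython commit or its test suite): the client performs one application-data round trip after the handshake so that a TLS 1.3 peer's post-handshake messages (NewSessionTicket, a deferred CertificateRequest) are actually read, and the server tolerates a client that force-closes its socket. Because a real TLS 1.3 connection needs certificates and an OpenSSL 1.1.1 build, the block also includes `SimulatedTls13Peer`, a constructed stand-in for an `ssl.SSLSocket` that models the one behaviour that matters here: the session ticket is only processed on the next `recv()`, and I/O on a force-closed peer raises `ConnectionResetError` / `BrokenPipeError`. The helper names and the `"ticket"` marker are assumptions of this example.

```python
import socket
import ssl


def complete_tls13_exchange(conn):
    """Client side: do one send/recv round trip after the handshake.

    With TLS 1.3 the server's session ticket (and any certificate request)
    arrives after the handshake and is only processed when the client next
    reads from the socket, so a test that wants a usable session must read.
    Returns conn.session, the same attribute ssl.SSLSocket exposes.
    """
    conn.sendall(b"x")
    conn.recv(1)
    return conn.session


def serve_one(conn):
    """Server side: echo one byte, tolerating a client that force-closes.

    A client that closes its fd right after the handshake surfaces on the
    server as ConnectionResetError or BrokenPipeError; the test pattern in
    the commit message treats that as expected rather than as a failure.
    """
    try:
        data = conn.recv(1)
        if data:
            conn.sendall(data)
        return "ok"
    except (ConnectionResetError, BrokenPipeError):
        return "client-closed"
    finally:
        conn.close()


def connect_tls13(host, port):
    """How the client helper is used with a real socket (assumed endpoint;
    not exercised here). Requires OpenSSL 1.1.1 for TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), complete_tls13_exchange(tls)


class SimulatedTls13Peer:
    """Constructed stand-in for an ssl.SSLSocket talking to a TLS 1.3 peer.

    It is a loopback: whatever is sent is echoed back on recv(). The session
    ticket is marked as delivered on the first recv(), mirroring OpenSSL
    processing NewSessionTicket during the client's next read. With
    force_close=True every I/O call fails the way a peer that closed its
    socket fd would.
    """

    def __init__(self, force_close=False):
        self._ticket_delivered = False
        self._force_close = force_close
        self._inbox = bytearray()
        self.closed = False

    @property
    def session(self):
        # None until the post-handshake ticket has been read; the real
        # attribute returns an ssl.SSLSession, here a marker string suffices.
        return "ticket" if self._ticket_delivered else None

    def sendall(self, data):
        if self._force_close:
            raise BrokenPipeError(32, "Broken pipe")
        self._inbox += data

    def recv(self, n):
        if self._force_close:
            raise ConnectionResetError(104, "Connection reset by peer")
        self._ticket_delivered = True  # post-handshake message processed here
        data = bytes(self._inbox[:n])
        del self._inbox[:n]
        return data

    def close(self):
        self.closed = True


if __name__ == "__main__":
    client = SimulatedTls13Peer()
    print("session before round trip:", client.session)
    print("session after round trip:", complete_tls13_exchange(client))
    print("server vs polite client:", serve_one(SimulatedTls13Peer()))
    print("server vs force-close:", serve_one(SimulatedTls13Peer(force_close=True)))
```

The point of the simulation is the ordering, not the bytes: `session` is `None` right after the handshake and only becomes available once `recv()` has run, which is exactly why tests for TLS 1.3 cannot inspect session state before exchanging application data.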
Diffstat (limited to 'Doc/library/ssl.rst')
-rw-r--r-- | Doc/library/ssl.rst | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 2ccea13..14eac2c 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -2587,7 +2587,33 @@ successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or :func:`~ssl.RAND_pseudo_bytes` is sufficient. -.. ssl-libressl: +.. _ssl-tlsv1_3: + +TLS 1.3 +------- + +.. versionadded:: 3.7 + +Python has provisional and experimental support for TLS 1.3 with OpenSSL +1.1.1. The new protocol behaves slightly differently than previous version +of TLS/SSL. Some new TLS 1.3 features are not yet available. + +- TLS 1.3 uses a disjunct set of cipher suites. All AES-GCM and + ChaCha20 cipher suites are enabled by default. The method + :meth:`SSLContext.set_ciphers` cannot enable or disable any TLS 1.3 + ciphers yet, but :meth:`SSLContext.get_cipers` returns them. +- Session tickets are no longer sent as part of the initial handshake and + are handled differently. :attr:`SSLSocket.session` and :class:`SSLSession` + are not compatible with TLS 1.3. +- Client-side certificates are also no longer verified during the initial + handshake. A server can request a certificate at any time. Clients + process certificate requests while they send or receive application data + from the server. +- TLS 1.3 features like early data, deferred TLS client cert request, + signature algorithm configuration, and rekeying are not supported yet. + + +.. _ssl-libressl: LibreSSL support ---------------- |
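Review bot: the first bullet of the new "TLS 1.3" section cross-references `:meth:\`SSLContext.get_cipers\``, but the method is `SSLContext.get_ciphers`, so the role will not resolve in Sphinx; change it to `:meth:\`SSLContext.get_ciphers\``. In the same paragraph, `behaves slightly differently than previous version of TLS/SSL` should read `previous versions`. The third and fourth bullets may also confuse readers: the third says clients process certificate requests while sending or receiving application data, while the fourth lists "deferred TLS client cert request" as not supported; one sentence saying that the client side handles post-handshake requests but there is no API to issue one from the server would remove the apparent contradiction. Finally, replacing `-.. ssl-libressl:` with `+.. _ssl-libressl:` turns what was only a reST comment into a real label target, so that fix is worth calling out in the commit message since any `:ref:\`ssl-libressl\`` only works after this change.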