summaryrefslogtreecommitdiffstats
path: root/Doc/whatsnew
diff options
context:
space:
mode:
authorChristian Heimes <christian@python.org>2018-05-23 20:24:45 (GMT)
committerGitHub <noreply@github.com>2018-05-23 20:24:45 (GMT)
commit529525fb5a8fd9b96ab4021311a598c77588b918 (patch)
treeeeac65af9dbfed139cb87c514523b653dd6b4f73 /Doc/whatsnew
parent28b9178023a445b1da2694774c265cd4b7a244ec (diff)
downloadcpython-529525fb5a8fd9b96ab4021311a598c77588b918.zip
cpython-529525fb5a8fd9b96ab4021311a598c77588b918.tar.gz
cpython-529525fb5a8fd9b96ab4021311a598c77588b918.tar.bz2
bpo-33618: Enable TLS 1.3 in tests (GH-7079)
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS client cert auth are now handled after the initialy handshake. Tests now either send/recv data to trigger session and client certs. Or tests ignore ConnectionResetError / BrokenPipeError on the server side to handle clients that force-close the socket fd. To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR https://github.com/openssl/openssl/pull/6340) is required. Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Doc/whatsnew')
-rw-r--r--Doc/whatsnew/3.7.rst12
1 files changed, 8 insertions, 4 deletions
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
index af2aad9..46015af 100644
--- a/Doc/whatsnew/3.7.rst
+++ b/Doc/whatsnew/3.7.rst
@@ -1244,8 +1244,8 @@ Host name validation can be customized with
.. note::
The improved host name check requires a *libssl* implementation compatible
with OpenSSL 1.0.2 or 1.1. Consequently, OpenSSL 0.9.8 and 1.0.1 are no
- longer supported and LibreSSL is temporarily not supported until it gains
- the necessary OpenSSL 1.0.2 APIs.
+ longer supported. The ssl module is mostly compatible with LibreSSL 2.7.2
+ and newer.
The ``ssl`` module no longer sends IP addresses in SNI TLS extension.
(Contributed by Christian Heimes in :issue:`32185`.)
@@ -1270,8 +1270,12 @@ rather than the U-label form (``"pythön.org"``). (Contributed by
Nathaniel J. Smith and Christian Heimes in :issue:`28414`.)
The ``ssl`` module has preliminary and experimental support for TLS 1.3 and
-OpenSSL 1.1.1. (Contributed by Christian Heimes in :issue:`32947`,
-:issue:`20995`, :issue:`29136`, and :issue:`30622`)
+OpenSSL 1.1.1. At the time of Python 3.7.0 release, OpenSSL 1.1.1 is still
+under development and TLS 1.3 hasn't been finalized yet. The TLS 1.3
+handshake and protocol behaves slightly differently than TLS 1.2 and earlier,
+see :ref:`ssl-tlsv1_3`.
+(Contributed by Christian Heimes in :issue:`32947`, :issue:`20995`,
+:issue:`29136`, :issue:`30622` and :issue:`33618`)
:class:`~ssl.SSLSocket` and :class:`~ssl.SSLObject` no longer have a public
constructor. Direct instantiation was never a documented and supported