author | Christian Heimes <christian@python.org> | 2018-05-23 20:24:45 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-23 20:24:45 (GMT) |
commit | 529525fb5a8fd9b96ab4021311a598c77588b918 (patch) | |
tree | eeac65af9dbfed139cb87c514523b653dd6b4f73 /Doc/whatsnew | |
parent | 28b9178023a445b1da2694774c265cd4b7a244ec (diff) | |
bpo-33618: Enable TLS 1.3 in tests (GH-7079)

TLS 1.3 behaves slightly differently than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initial handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.

Signed-off-by: Christian Heimes <christian@python.org>

Diffstat (limited to 'Doc/whatsnew')
-rw-r--r-- | Doc/whatsnew/3.7.rst | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index af2aad9..46015af 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst @@ -1244,8 +1244,8 @@ Host name validation can be customized with .. note:: The improved host name check requires a *libssl* implementation compatible with OpenSSL 1.0.2 or 1.1. Consequently, OpenSSL 0.9.8 and 1.0.1 are no - longer supported and LibreSSL is temporarily not supported until it gains - the necessary OpenSSL 1.0.2 APIs. + longer supported. The ssl module is mostly compatible with LibreSSL 2.7.2 + and newer. The ``ssl`` module no longer sends IP addresses in SNI TLS extension. (Contributed by Christian Heimes in :issue:`32185`.) @@ -1270,8 +1270,12 @@ rather than the U-label form (``"pythön.org"``). (Contributed by Nathaniel J. Smith and Christian Heimes in :issue:`28414`.) The ``ssl`` module has preliminary and experimental support for TLS 1.3 and -OpenSSL 1.1.1. (Contributed by Christian Heimes in :issue:`32947`, -:issue:`20995`, :issue:`29136`, and :issue:`30622`) +OpenSSL 1.1.1. At the time of Python 3.7.0 release, OpenSSL 1.1.1 is still +under development and TLS 1.3 hasn't been finalized yet. The TLS 1.3 +handshake and protocol behaves slightly differently than TLS 1.2 and earlier, +see :ref:`ssl-tlsv1_3`. +(Contributed by Christian Heimes in :issue:`32947`, :issue:`20995`, +:issue:`29136`, :issue:`30622` and :issue:`33618`) :class:`~ssl.SSLSocket` and :class:`~ssl.SSLObject` no longer have a public constructor. Direct instantiation was never a documented and supported |
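
Review bot: In the first hunk (the note under host name validation), the added sentence says the ssl module is "mostly compatible with LibreSSL 2.7.2 and newer" without saying what is not covered, so a reader deploying against LibreSSL cannot tell which features to verify. Consider naming the known gaps or pointing to where they are tracked. The added line also writes ssl as plain text, while the unchanged context line directly below it uses ``ssl``; use the same literal markup.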
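
Review bot: In the second hunk (the TLS 1.3 paragraph), the new :ref:`ssl-tlsv1_3` cross-reference depends on a label that is not defined anywhere in the visible diff, and the diffstat shown is limited to Doc/whatsnew, so confirm the label is added to the ssl module documentation in the same commit or the reference will not resolve. In the same sentence, "handshake and protocol behaves" should read "behave", and the clause before "see" is better ended with a period or semicolon than a comma. "At the time of Python 3.7.0 release" also needs an article ("the Python 3.7.0 release").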