Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate PROTOCOL_SSLv23 #1400

Open
janbrasna opened this issue May 10, 2022 · 3 comments
Open

Deprecate PROTOCOL_SSLv23 #1400

janbrasna opened this issue May 10, 2022 · 3 comments
Labels
enhancement New feature or enhancement new Needs triage. Comments are welcome!

Comments

@janbrasna
Copy link
Contributor

janbrasna commented May 10, 2022
edited
Loading

Enhancement request

Move away from PROTOCOL_SSLv23 as it now defaults to PROTOCOL_TLS … and we should (probably?) use PROTOCOL_TLS_CLIENT explicitly.

Problem it solves

Deprecated since 3.6, might be needed for going ahead with features like #722 where a range of SSLContext.* is needed etc.

Additional information, screenshots, or code examples

The backstory is I was originally quite puzzled by the docs:
-ssl=ssl2.3

/docs/README.md#L1510

"This will default to SSL v2.3 which will negotiate the highest protocol"

like "WTF is this SSL v2.3 you speak of" as there's nothing like that in the world… until I figured out through the actual source this comes from Python's PROTOCOL_SSLv23 constant, that itself comes from OpenSSL value SSLv23 — which is nonetheless not meant as an arbitrary SSL version, but rather a "magic value" used by OpenSSL to mean “all supported versions”.
So there's really no "SSL v2.3", and it also means neither SSL2 nor SSL3 as in "SSL v2-3" as those are not available in Python today anymore yet this constant still enables current TLS versions.

That value has been luckily deprecated and is today the equivalent of PROTOCOL_TLS, and the https command defaults +params should reflect this.

So I propose the new default to be something more understandable like -ssl=tls for PROTOCOL_TLS or maybe even PROTOCOL_TLS_CLIENT i. e. "negotiate the highest protocol version for me ktxbye", for future compatibility.

Since this might be a breaking change not sure if that means a major version bump, or better getting away with backward compatibility by cheating like:

  • just keeping the old -ssl=ssl2.3 to keep resolving to PROTOCOL_SSLv23 therefore actually to PROTOCOL_TLS
  • adding new default -ssl=tls picking the new PROTOCOL_TLS_CLIENT
@janbrasna janbrasna added enhancement New feature or enhancement new Needs triage. Comments are welcome! labels May 10, 2022
@janbrasna janbrasna mentioned this issue May 10, 2022
Open
@janbrasna
Copy link
Contributor Author

What this might impact is things like verify:

https://github.com/httpie/httpie/blob/9241a093605cf6afbd6a52b42db4c946badea420/httpie/ssl_.py#L70-L82

as this comes with *_CLIENT constant etc.

@Ousret

This comment was marked as spam.

Sign in to view
@janbrasna
Copy link
Contributor Author

@Ousret Haven't checked the actual changes in parsing the constraints (e.g. re the "verify" above), but I've raised the change in the param values in review: #1531 (review)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or enhancement new Needs triage. Comments are welcome!
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Replace psf/requests with an unofficial fork Ousret/httpie
2 participants
@janbrasna @Ousret