Add support for querying the negotiated TLS version. The Quickening #244
Conversation
| @@ -598,6 +598,11 @@ Connection objects have the following methods: | |||
| but not it returns the entire list in one go. | |||
|
|
|||
|
|
|||
| .. py:method:: Connection.get_protocol_version() | |||
|
|
|||
| Retrieve the version of the SSL or TLS protocol used by the Connection | |||
There was a problem hiding this comment.
This should include an example of what the result looks like. Also should end with a . :-)
1 similar comment
1 similar comment
| giving the protocol version of the current connection. | ||
| """ | ||
| server, client = self._loopback() | ||
| server_protocol_version, client_protocol_version = \ |
There was a problem hiding this comment.
Please split this into two proper lines. The current version takes the same amount of lines and is less readable.
There was a problem hiding this comment.
Excellent point and done in 50d7d15.
|
When does Travis update the version of cryptography it tests against? Based on the way I read the .travis.yml, Travis is supposed to pull from cryptography's master branch? If that is the case why would the test fail? |
|
Good question. @reaperhulk any ideas? |
|
When we switched to using tox in travis we didn't change it over to using the master branch properly, so it's installing it and then not using it. |
|
Is that something we want to fix? If I understand .travis.yml#L71-83 properly the problem is that we aren't installing cryptography's master into the virtualenv? So when it installs pyOpenSSL into the virtualenv via setup.py it installs the latest released cryptography from PyPI? |
|
Yeah that needs to be fixed. Right now it installs it into a venv, but then invokes tox (which builds its own venv and doesn't use the master branch). |
|
Please rebase on master; this issue should be fixed now. |
|
Also, until cryptography 0.9 is out, we can bikeshed on the return type. My impression is, that pyOpenSSL is bytes only. If you’d like to argue for unicode I would like to ask you for precedents. pyOpenSSL is supposed to by a low-level layer around OpenSSL so I’m very apprehensive to introduce unicode-based APIs. We’ve just added a ton of warning if certain methods are called with unicode. |
|
@hynek have you had a chance to look at the original PR? Would you prefer that instead? |
|
Oi, that's where the incorrect doc string came from. :) That's not what I meant (I just want to get rid of the decode call) but we should definitely expose both ways. I'm on my phone for the next hours but I'll look into it when I'm back home. It'll be a different PR though. so don't worry about it here. |
|
So I might have some time to work on this during the coming weekend in. Just to be clear, when you say we should expose both ways you mean exposing both |
|
So I’m saying we should expose both but we start with the string-based version. And I’m also saying it should return bytes (not unicode) unless you can make a good case for unicode based on existing APIs. :) |
|
Can you rebase please? |
ihamburglar
force-pushed
the
session-tls-version
branch
from
6ac2e2a
to
6a9f27b
Compare
|
WIP
do I need to wrap the result that I'm returning in |
|
|
|
That is what I had in whatever 41ac0c4 was before the rebase. Are we saying that we just don't decode it to utf-8 when we return? |
ihamburglar
force-pushed
the
session-tls-version
branch
from
6a9f27b
to
15758b6
Compare
|
Tests should now pass. |
|
|
||
| Retrieve the version of the SSL or TLS protocol used by the Connection. | ||
| For example, it will return ``0x303`` for connections made over TLS | ||
| version 1.2, or ``Unknown`` for connections that were not successfully |
There was a problem hiding this comment.
removed unknown in 208438c
|
I didn’t have opinions as much as I’m trying to figure out what the correct way to do is. :) As far as I can see, bytes is the way to go but if anyone can show me similar APIs that take/return unicode, I’ll change my mind. |
|
I'm fine either way. There is some Cipher stuff that is returned in unicode for example. But if a discussion has happened around it and that is the direction we are taking additions I'm fine with that. |
|
Ugghhh, and those methods are actually pretty analogue to these ones. :-/ Same for Curve.name sigh Unicode it is then. Sorry. |
|
LOL! It is my own fault I should have pointed it out earlier. |
|
|
||
| :returns: The TLS version of the current connection, for example | ||
| the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown`` | ||
| for connections that were not successfully. |
Add support for querying the negotiated TLS version
|
Thank you for your work and your patience! |
|
Thanks for your guidance! |
Changes: 16.0.0 (2016-03-19) ------------------- This is the first release under full stewardship of PyCA. We have made *many* changes to make local development more pleasing. The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. It has been moved to `py.test <https://pytest.org/>`_, all CI test runs are part of `tox <https://testrun.org/tox/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.org/>`_ compliant. We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations. Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - Python 3.2 support has been dropped. It never had significant real world usage and has been dropped by our main dependency ``cryptography``. Affected users should upgrade to Python 3.3 or later. Deprecations: ^^^^^^^^^^^^^ - The support for EGD has been removed. The only affected function ``OpenSSL.rand.egd()`` now uses ``os.urandom()`` to seed the internal PRNG instead. Please see `pyca/cryptography#1636 <https://github.com/pyca/cryptography/pull/1636>`_ for more background information on this decision. In accordance with our backward compatibility policy ``OpenSSL.rand.egd()`` will be *removed* no sooner than a year from the release of 16.0.0. Please note that you should `use urandom <http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_ for all your secure random number needs. - Python 2.6 support has been deprecated. Our main dependency ``cryptography`` deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. pyOpenSSL will drop Python 2.6 support once ``cryptography`` does. Changes: ^^^^^^^^ - Fixed ``OpenSSL.SSL.Context.set_session_id``, ``OpenSSL.SSL.Connection.renegotiate``, ``OpenSSL.SSL.Connection.renegotiate_pending``, and ``OpenSSL.SSL.Context.load_client_ca``. They were lacking an implementation since 0.14. `#422 <https://github.com/pyca/pyopenssl/pull/422>`_ - Fixed segmentation fault when using keys larger than 4096-bit to sign data. `#428 <https://github.com/pyca/pyopenssl/pull/428>`_ - Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()`` was called before setting any app data. `#304 <https://github.com/pyca/pyopenssl/pull/304>`_ - Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey`` objects that represent public keys, and ``OpenSSL.crypto.load_publickey()`` to load such objects from serialized representations. `#382 <https://github.com/pyca/pyopenssl/pull/382>`_ - Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation list out to a string buffer. `#368 <https://github.com/pyca/pyopenssl/pull/368>`_ - Added ``OpenSSL.SSL.Connection.get_state_string()`` using the OpenSSL binding ``state_string_long``. `#358 <https://github.com/pyca/pyopenssl/pull/358>`_ - Added support for the ``socket.MSG_PEEK`` flag to ``OpenSSL.SSL.Connection.recv()`` and ``OpenSSL.SSL.Connection.recv_into()``. `#294 <https://github.com/pyca/pyopenssl/pull/294>`_ - Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and ``OpenSSL.SSL.Connection.get_protocol_version_name()``. `#244 <https://github.com/pyca/pyopenssl/pull/244>`_ - Switched to ``utf8string`` mask by default. OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8 characters present. This was changed to default to ``UTF8String`` in the config around 2005, but the actual code didn't change it until late last year. This will default us to the setting that actually works. To revert this you can call ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``. `#234 <https://github.com/pyca/pyopenssl/pull/234>`_
This PR hopefully finished up the work done by @richmoore in #184. Thanks to @alex for helping me figure out how to get SSL_get_version implemented. This PR requires the merge that happened in pyca/cryptography#1869, so do we wait until the next release of cryptography and then bump the required version number in setup.py?
I'm happy to hear feedback on whether the change to strings requires better/different testing?
Also the OpenSSL docs have been updated since the original PR in January, and this does actually support TLS1.1 and TLS1.2 :)