Add SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version bindings #985
Conversation
mhils
force-pushed
the
set_proto_version
branch
3 times, most recently
from
21c68dc to
25ac2b6
Compare
|
This should generally be ready for review, but depends on a new cryptography release (and then a bump of the minimum version here). 😃 |
mhils
force-pushed
the
set_proto_version
branch
from
25ac2b6 to
0e54053
Compare
|
Tests for 3.6 and above are passing now. 😃 2.7 and 3.5 are failing because they are not supported by the latest cryptography release anymore. I presume you want to drop them for pyOpenSSL as well soon-ish? :) |
|
We'll try to keep 2.7 support in pyOpenSSL until the minimum version has to be bumped to support new bindings. These bindings were recently added, but were they in the 3.3 release? |
|
I could have scrolled up in this PR. I guess we didn't, which means this requires 3.4? 🤣 |
One could ship a 3.3 release with hardcoded constants if it needs to be, but bumping to 3.4 would be cleaner. Also - having just taken a quick look at the cryptography tracker - thank you all for the fantastic work! ❤️ All of my projects happily accepted 3.4, everything worked out of the box, and I can't wait to see more memory-safe code being used. :) |
|
Given pyOpenSSL's common use in more legacy environments I think we probably should just hardcode the constants (with comments that state when we move to 3.4+ of cryptography we can switch to getting them from cryptography) and allow the use of 3.3 still. I'd like to keep 2.7 support here another year if possible. And thanks for the kind words -- it's going to be a rough couple weeks 😄 |
mhils
force-pushed
the
set_proto_version
branch
from
94d2eac to
51a8da6
Compare
|
We dropped py3.5 in 3.3 so you'll need to update the CI config to remove the py35 configs. Sorry about that! |
|
No worries, I was just about to ask if you want me to do it. :) |
mhils
force-pushed
the
set_proto_version
branch
2 times, most recently
from
86e229b to
e982888
Compare
|
Also needs a changelog rebase |
mhils
force-pushed
the
set_proto_version
branch
2 times, most recently
from
cbe1843 to
345dbd2
Compare
mhils
force-pushed
the
set_proto_version
branch
3 times, most recently
from
0bf9a11 to
e0e7d4b
Compare
|
Turns out the culprit was that constants require single quotes, not double quotes. 🤷♂️ Any hints on the py27 job failing with "ERROR: InterpreterNotFound: python2.7"? |
|
Looks like https://github.com/pyca/infra/blob/main/runners/debian/Dockerfile#L20 isn't doing its job. Looking inside the container that's because |
|
Ok, removing Line 19 in d290855
Is there a particular (security) reason why cryptography is not installed as a wheel? If yes, what approach shall we take for the ubuntu-bionic container build? Without wheels, it errors building cryptography. |
|
I believe this was originally done so we could test alternate versions of OpenSSL against pyOpenSSL rather than just the ones our wheels ship. That seems like it's probably still worthwhile since we don't test that all of pyOpenSSL works on the set of OpenSSL versions cryptography tests against in its own matrix. So we should probably just make it so we can build the rust components in the bionic container. |
|
Alright, this was in fact very straightforward in the end! 😃 |
|
Thanks for working through this @mhils |
|
Always welcome, thanks y'all! 😊 |
This PR adds the SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version protocol selection mechanisms along with TLS_method/TLS_client_method/TLS_server_method to pyOpenSSL.
depends on pyca/cryptography#5662, fixes #860