gh-137197: Add SSLContext.set_ciphersuites to set TLS 1.3 ciphers #137198
Conversation
| @@ -3595,12 +3595,27 @@ _ssl__SSLContext_set_ciphers_impl(PySSLContext *self, const char *cipherlist) | |||
| { | |||
| int ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist); | |||
| if (ret == 0) { | |||
| /* Clearing the error queue is necessary on some OpenSSL versions, | |||
There was a problem hiding this comment.
We shouldn't remove this without understanding which OpenSSL versions it was referring to and whether they are still in use by CPython builds (1.1.x-ish API'd AWS-LC at a minimum, otherwise OpenSSL 3.0+).
There was a problem hiding this comment.
The clearing of the error queue is still happening here. I just took advantage of an existing helper function setSSLError to take care of this:
static PyObject *
_setSSLError (_sslmodulestate *state, const char *errstr, int errcode, const char *filename, int lineno)
{
if (errstr == NULL)
errcode = ERR_peek_last_error();
else
errcode = 0;
fill_and_set_sslerror(state, NULL, state->PySSLErrorObject, errcode, errstr, lineno, errcode);
ERR_clear_error();
return NULL;
}
Doc/library/ssl.rst
Outdated
| Set the allowed ciphers for sockets created with this context when | ||
| connecting using TLS 1.2 and earlier. It should be a string in the `OpenSSL | ||
| cipher list format <https://docs.openssl.org/master/man1/ciphers/>`_. | ||
| To set allowed TLS 1.3 ciphers, use :meth:`SSHContext.set_ciphersuites`. |
There was a problem hiding this comment.
| To set allowed TLS 1.3 ciphers, use :meth:`SSHContext.set_ciphersuites`. | |
| To set allowed TLS 1.3 ciphers, use :meth:`SSLContext.set_ciphersuites`. |
There was a problem hiding this comment.
Fixed - thanks for catching this.
| ciphers and updated the documentation on :meth:`ssl.SSLContext.set_ciphers` | ||
| to mention that it only applies to TLS 1.2 and earlier and that this new | ||
| method must be used to set TLS 1.3 cipher suites. | ||
| (Contributed by Ron Frederick in :gh:`137197`) |
There was a problem hiding this comment.
| (Contributed by Ron Frederick in :gh:`137197`) | |
| (Contributed by Ron Frederick in :gh:`137197`) | |
| * Added new method :meth:`ssl.SSLContext.set_ciphersuites` for setting TLS 1.3 | ||
| ciphers and updated the documentation on :meth:`ssl.SSLContext.set_ciphers` | ||
| to mention that it only applies to TLS 1.2 and earlier and that this new | ||
| method must be used to set TLS 1.3 cipher suites. |
There was a problem hiding this comment.
| * Added new method :meth:`ssl.SSLContext.set_ciphersuites` for setting TLS 1.3 | |
| ciphers and updated the documentation on :meth:`ssl.SSLContext.set_ciphers` | |
| to mention that it only applies to TLS 1.2 and earlier and that this new | |
| method must be used to set TLS 1.3 cipher suites. | |
| * Added new method :meth:`ssl.SSLContext.set_ciphersuites` for setting TLS 1.3 | |
| ciphers. For TLS 1.2 or earlier, use :meth:`ssl.SSLContext.set_ciphers` instead. |
There was a problem hiding this comment.
What do you think about changing the text here to something like:
* Added new method :meth:`ssl.SSLContext.set_ciphersuites` for setting TLS 1.3
ciphers. For TLS 1.2 or earlier, :meth:`ssl.SSLContext.set_ciphers` should
continue to be used. Both calls can be made on the same context and the
selected cipher suite will depend on the TLS version negotiated when a
connection is made.
I wanted to somehow capture that these calls aren't mutually exclusive if you don't know in advance what version of TLS will end up being used. The existing call only affects cipher suites chosen when TLS 1.2 or earlier is negotiated, and the new call only affects cipher suites chosen when TLS 1.3 is negotiated.
This commit adds a new method SSLContext.set_ciphersuites which can be used to set TLS 1.3 cipher suites. It also updates the documentation, unit tests, and "what's new" text. A NEWS blurb will be added shortly.
📚 Documentation preview 📚: https://cpython-previews--137198.org.readthedocs.build/