Message 377352 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ned.deily
Recipients	christian.heimes, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware
Date	2020-09-23.00:59:08
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1600822748.89.0.850484234677.issue41837@roundup.psfhosted.org>
In-reply-to

Content
"22-Sep-2020 OpenSSL 1.1.1h is now available, including bug fixes" Christian, any changes need in _ssl or any other reasons we should not upgrade? Changes between 1.1.1g and 1.1.1h [22 Sep 2020] ) Certificates with explicit curve parameters are now disallowed in verification chains if the X509_V_FLAG_X509_STRICT flag is used. [Tomas Mraz] ) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring TLS-based contexts. The commands can be repeated to set bounds of both types. The same applies with the corresponding "min_protocol" and "max_protocol" command-line switches, in case some application uses both TLS and DTLS. SSL_CTX instances that are created for a fixed protocol version (e.g. TLSv1_server_method()) also silently ignore version bounds. Previously attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files in command-line options. [Viktor Dukhovni] *) Handshake now fails if Extended Master Secret extension is dropped on renegotiation. [Tomas Mraz]

"22-Sep-2020  OpenSSL 1.1.1h is now available, including bug fixes"

Christian, any changes need in _ssl or any other reasons we should not upgrade?

Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

  *) Certificates with explicit curve parameters are now disallowed in
     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
     [Tomas Mraz]

  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
     conversely, silently ignore DTLS protocol version bounds when configuring
     TLS-based contexts.  The commands can be repeated to set bounds of both
     types.  The same applies with the corresponding "min_protocol" and
     "max_protocol" command-line switches, in case some application uses both TLS
     and DTLS.
  
     SSL_CTX instances that are created for a fixed protocol version (e.g.
     TLSv1_server_method()) also silently ignore version bounds.  Previously
     attempts to apply bounds to these protocol versions would result in an
     error.  Now only the "version-flexible" SSL_CTX instances are subject to
     limits in configuration files in command-line options.
     [Viktor Dukhovni]

  *) Handshake now fails if Extended Master Secret extension is dropped
     on renegotiation.
     [Tomas Mraz]

History
Date	User	Action	Args
2020-09-23 00:59:08	ned.deily	set	recipients: + ned.deily, paul.moore, ronaldoussoren, christian.heimes, tim.golden, zach.ware, steve.dower
2020-09-23 00:59:08	ned.deily	set	messageid: <1600822748.89.0.850484234677.issue41837@roundup.psfhosted.org>
2020-09-23 00:59:08	ned.deily	link	issue41837 messages
2020-09-23 00:59:08	ned.deily	create