Deprecated SSL protocol in CertValidatingHTTPSConnection #178

Open
jpeak5 opened this issue Aug 22, 2022 · 4 comments

jpeak5 commented Aug 22, 2022

tl;dr: Line 72 of duo_client/https_wrapper.py hard-codes a deprecated (since Python 3.6) SSL protocol.

The only similar issue I found in this queue is #31, but it's pretty historic (2016) and only slightly related.


We've just upgraded Python (to 3.10.5) and found that at least one of our scripts using duo_client_python is emitting a new-to-us deprecation warning:

/path/to/python3.10/site-packages/duo_client/https_wrapper.py:72: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

Line 72, referenced in the warning above, is

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

ssl.PROTOCOL_SSLv23 has been deprecated since Python 3.6 (docs.python.org). The replacement, ssl.PROTOCOL_TLS, which was introduced in Python 3.6, is itself now deprecated under Python 3.10:

Deprecated since version 3.10: TLS clients and servers require different default settings for secure communication. The generic TLS protocol constant is deprecated in favor of PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER.

(docs.python.org)

ssl.PROTOCOL_TLS_CLIENT:

Auto-negotiate the highest protocol version that both the client and server support, and configure the context client-side connections. The protocol enables CERT_REQUIRED and check_hostname by default.

(docs.python.org)

@AaronAtDuo
Contributor

This is probably left over from our Python 2 and 3.5 support - I'll see if we can remove it.

@jpeak5
Author

jpeak5 commented Jan 24, 2023

> I'll see if we can remove it.

@AaronAtDuo any movement?

I see that back in June (before this report), there was an unrelated deprecation fix (dea8d14) in the same module. Would be nice to be able to turn warnings back on (-Wall).

@AaronAtDuo
Contributor

Thanks for the ping! This fell off our radar but should be a quick fix. I've posted #190 to at least move off the deprecated PROTOCOL_SSLv23. Going all the way to PROTOCOL_TLS_CLIENT actually broke some tests, so I need to look into that; but the intermediate step to PROTOCOL_TLS seems safe.

@AaronAtDuo
Contributor

Ok #191 is up to go all the way to TLS_PROTOCOL_CLIENT, but that changes the default behavior of the client, so needs a bit more discussion.
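
The change in defaults mentioned in the last two comments can be checked directly against the standard library. This is an added example, not code from the thread or from duo_client_python; the function names `inspect_context` and `client_context` and the `cafile` parameter are hypothetical.

```python
import ssl
import warnings


def inspect_context(protocol):
    """Create a bare SSLContext and report the defaults it starts with."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")  # record even under default filters
        ctx = ssl.SSLContext(protocol)
    return {
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
        "deprecations": [str(w.message) for w in caught
                         if issubclass(w.category, DeprecationWarning)],
    }


def client_context(cafile=None):
    """Verifying client context; cafile is a hypothetical PEM bundle path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CERT_REQUIRED without trust anchors rejects every server certificate,
    # so load the system store or an explicit bundle.
    if cafile is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


if __name__ == "__main__":
    # PROTOCOL_SSLv23 is an alias of PROTOCOL_TLS: no verification by default.
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True.
    for name in ("PROTOCOL_SSLv23", "PROTOCOL_TLS", "PROTOCOL_TLS_CLIENT"):
        info = inspect_context(getattr(ssl, name))
        print(name, info["verify_mode"].name, info["check_hostname"],
              info["deprecations"])
```

Code that relied on the generic constant and never set `verify_mode` or `check_hostname` itself will start verifying certificates and hostnames once it moves to `PROTOCOL_TLS_CLIENT`.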
