Further tighten tlsserver context setup to fit modern ssl#502
Merged
jonasbardino merged 5 commits intonextfrom Apr 14, 2026
Merged
Conversation
jonasbardino
force-pushed
the
fix/further-tighten-tlsserver-context-setup-to-fit-modern-ssl
branch
2 times, most recently
from
241947f to
bf99da5
Compare
…it tests from #491 to fit. Tighten default context to never allow TLSv1 but force at least TLSv1_1 if `allow_pre_tlsv12` is explicitly requested.
jonasbardino
force-pushed
the
fix/further-tighten-tlsserver-context-setup-to-fit-modern-ssl
branch
from
bf99da5 to
6d86183
Compare
available on site software stack.
…of the native ssl tests. pyOpenSSL does not implement a similar level of introspection so a few workarounds are required in order to test what has actually been set. Add DH params support for both wrappers and keep one test to check it still works without one. Eliminate the bogus OP_RENEGOTIATION attribute, which somehow made its way into the tests.
jonasbardino
deleted the
fix/further-tighten-tlsserver-context-setup-to-fit-modern-ssl
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to tighten the default
sslcontext with unit tests for thetlsservermodule in place (#491).Includes that PR and it should be rebased after merge.Enforces
minimum_versionand now prevents anything below TLSv1_1 even if theallow_pre_tlsv12is explicitly requested. The same is implemented for the pyOpenSSL version and the unit tests were adjusted to fit those changes.NOTE: the code was tested for each of the openid, webdavs, ftps and sftp services in actual deployment. None of them regressed security-wise for the unchanged defaults allowing TLSv1.2+. It also works when toggling off the
allow_pre_tls13to drop TLSv1.2 and require at least TLSv1.3. Of course that limits support for old and outdated client platforms but we will probably want to do that sooner or later.