
Drop unused TLSv1.1 support completely in tlsserver module#519

Merged
jonasbardino merged 5 commits into
nextfrom
adjust/drop-tlsv1.1-support-and-require-python3.7-or-later-in-ssl-context-hardening
May 13, 2026

Conversation

@jonasbardino
Contributor

@jonasbardino jonasbardino commented Apr 15, 2026

Drop unused TLSv1.1 support completely in tlsserver module and align enable_SVC_legacy_tls conf options across services to only enable older compatibility ciphers over the same TLSv1.2+ protocols. Adjust unit tests accordingly.
Should make it clear even for code scans that we always enforce TLSv1.2+ everywhere.

Tested on one of our dev/test deployments in:

  1. default configuration (all enable_SVC_legacy_tls = False)
  2. with all legacy ciphers (all enable_SVC_legacy_tls = True)
  3. with TLSv1.3 only (allow_pre_tlsv13 manually toggled off in tlsserver.py)

and the scan results with testssl.sh look sane for all three.

NOTE: this PR incorporates the pending #504 so it should be rebased after that one is reviewed and merged.
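The pattern the description above settles on, as an added illustration rather than the project's own tlsserver code: a TLSv1.2+ floor for every service, with the per-service legacy switch only widening the cipher list, never the protocol range. The names MODERN_CIPHERS, LEGACY_CIPHERS, build_server_context and the allow_pre_tlsv13 parameter are assumptions modelled on the conf options mentioned in the PR.

```python
import ssl

# Added illustration, not the project's module: the names below are
# assumptions. Modern AEAD suites first; the legacy list only appends
# older CBC suites and still rides on the same TLSv1.2+ protocol floor.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"
LEGACY_CIPHERS = MODERN_CIPHERS + ":ECDHE+AES"


def build_server_context(enable_legacy_tls=False, allow_pre_tlsv13=True):
    """Server context that never offers TLSv1.0 or TLSv1.1.

    enable_legacy_tls mirrors the per-service enable_SVC_legacy_tls switch:
    it widens the cipher list, never the protocol range. allow_pre_tlsv13
    corresponds to the TLSv1.3-only toggle mentioned in the PR.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # minimum_version and ssl.TLSVersion exist from Python 3.7 onwards,
    # which is why a 3.7+ floor replaces the old OP_NO_TLSv1* juggling.
    if allow_pre_tlsv13:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(LEGACY_CIPHERS if enable_legacy_tls else MODERN_CIPHERS)
    return ctx


def cipher_names(ctx):
    """Suite names OpenSSL will actually offer for this context."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def enforces_tls12_plus(ctx):
    """The property a code scan should be able to confirm for every service."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for legacy in (False, True):
        ctx = build_server_context(enable_legacy_tls=legacy)
        print("legacy=%s min=%s ciphers=%d tls12+=%s" % (
            legacy, ctx.minimum_version.name, len(cipher_names(ctx)),
            enforces_tls12_plus(ctx)))
```

Running it with and without the legacy flag shows the cipher count growing while the minimum version stays at TLSv1_2, which is the invariant the unit tests in the PR are meant to pin down.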

@jonasbardino jonasbardino self-assigned this Apr 15, 2026
@jonasbardino jonasbardino added the enhancement New feature or request label Apr 15, 2026
@jonasbardino jonasbardino force-pushed the adjust/drop-tlsv1.1-support-and-require-python3.7-or-later-in-ssl-context-hardening branch from 44336da to 82dcde0 Compare April 15, 2026 12:27
@jonasbardino jonasbardino marked this pull request as ready for review April 15, 2026 12:31
@jonasbardino jonasbardino requested a review from a team April 15, 2026 15:14
@jonasbardino jonasbardino added the stale check errors Linting/CI errors are stale old issues not caused by this PR and will be fixed elsewhere. label Apr 18, 2026
@jonasbardino
Contributor Author

The lint issue is old and a duplicate of the one from #338 .

@jonasbardino jonasbardino added the battle-tested Code was tested to be fully functional in line with project code guidelines. label Apr 21, 2026
@jonasbardino jonasbardino force-pushed the adjust/drop-tlsv1.1-support-and-require-python3.7-or-later-in-ssl-context-hardening branch 2 times, most recently from cc6dd09 to b43d97b Compare April 24, 2026 08:31
@jonasbardino jonasbardino force-pushed the adjust/drop-tlsv1.1-support-and-require-python3.7-or-later-in-ssl-context-hardening branch 2 times, most recently from 819d1b1 to d2267b7 Compare May 12, 2026 13:35
…it tests

accordingly. Should make it clear even for code scans that we always enforce
TLSv1.2+ everywhere.
…ument in

symmetry with pyOpenSSL version and to avoid any client/server confusion caused
by the use of `create_default_context`.
…of them

now default to TLSv1.2+ and only adjust ciphers offered if the service-specific
`enable_SVC_legacy_tls` conf option is set.
Drop the outdated client comments and disable ftps tls_legacy now that modern
pyOpenSSL is available on every supported platform.
Add `enable_openid_legacy_tls` conf option and implement the same cipher
handling in the built-in OpenID service.
@jonasbardino jonasbardino force-pushed the adjust/drop-tlsv1.1-support-and-require-python3.7-or-later-in-ssl-context-hardening branch from d2267b7 to adee6f6 Compare May 12, 2026 13:39
Comment thread mig/server/grid_ftps.py Outdated
Comment thread tests/test_mig_shared_tlsserver.py
@rasmunk
Contributor

rasmunk commented May 13, 2026

Other than the two comments, it looks good and should be ready for approval

@rasmunk rasmunk self-requested a review May 13, 2026 09:12
Contributor

@rasmunk rasmunk left a comment


Approved

@jonasbardino
Contributor Author

Other than the two comments, it looks good and should be ready for approval

Thanks, updated and tested the daemons to still fundamentally work on a test deployment site once again.

@jonasbardino jonasbardino merged commit adc14ee into next May 13, 2026
12 of 14 checks passed
@jonasbardino jonasbardino deleted the adjust/drop-tlsv1.1-support-and-require-python3.7-or-later-in-ssl-context-hardening branch May 13, 2026 09:31
