duosecurity/duo_client_python

Deprecated SSL protocol in CertValidatingHTTPSConnection

jpeak5 opened this issue · 5 comments

tl;dr: Line 72 of duo_client/https_wrapper.py hard-codes a deprecated (since Python 3.6) SSL protocol.

The only similar issue I found in this queue is #31, but it's pretty historic (2016) and only slightly related.


We've just upgraded Python (to 3.10.5) and found that at least one of our scripts using duo_client_python is emitting a new-to-us deprecation warning:

/path/to/python3.10/site-packages/duo_client/https_wrapper.py:72: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

Line 72, referenced in the warning above, is

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

ssl.PROTOCOL_SSLv23 has been deprecated since Python 3.6 (docs.python.org). Its replacement, ssl.PROTOCOL_TLS, which was introduced in Python 3.6, is itself now deprecated under Python 3.10:

Deprecated since version 3.10: TLS clients and servers require different default settings for secure communication. The generic TLS protocol constant is deprecated in favor of PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER.

(docs.python.org)

ssl.PROTOCOL_TLS_CLIENT:

Auto-negotiate the highest protocol version that both the client and server support, and configure the context client-side connections. The protocol enables CERT_REQUIRED and check_hostname by default.

(docs.python.org)

This is probably left over from our Python 2 and 3.5 support - I'll see if we can remove it.


@AaronAtDuo any movement?

I see that back in June (before this report), there was an unrelated deprecation fix (dea8d14) in the same module. Would be nice to be able to turn warnings back on (-Wall).

Thanks for the ping! This fell off our radar but should be a quick fix. I've posted #190 to at least move off the deprecated PROTOCOL_SSLv23. Going all the way to PROTOCOL_TLS_CLIENT actually broke some tests, so I need to look into that; but the intermediate step to PROTOCOL_TLS seems safe.

OK, #191 is up to go all the way to PROTOCOL_TLS_CLIENT, but that changes the default behavior of the client, so it needs a bit more discussion.
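The following is an added example, not code from duo_client_python or from anyone in this thread. It makes the two points of the issue concrete: the issue body's note that PROTOCOL_SSLv23 and PROTOCOL_TLS leave a context without certificate or hostname verification while PROTOCOL_TLS_CLIENT enables both, and the final comment's observation that moving to PROTOCOL_TLS_CLIENT changes the client's default behavior (wrap_socket() then refuses to proceed without a server_hostname). The function names are this example's own, and legacy_client_context() is an assumed shape of what a wrapper built on the generic constant must do by hand, not the actual body of https_wrapper.py.

```python
"""Compare the ssl protocol constants discussed in this issue (added example).

PROTOCOL_SSLv23 is an alias of PROTOCOL_TLS, so both build a context whose
verification defaults are off; PROTOCOL_TLS_CLIENT turns CERT_REQUIRED and
check_hostname on.  That default change is what the thread means by
"changes the default behavior of the client".
"""
import socket
import ssl
import warnings


def build_context(protocol):
    """Construct an SSLContext for `protocol` and record whether Python warned
    about a deprecated constant (3.10+ does so for PROTOCOL_TLS / SSLv23)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        ctx = ssl.SSLContext(protocol)
    deprecated = any(issubclass(w.category, DeprecationWarning) for w in caught)
    return ctx, deprecated


def describe(protocol):
    """Return the client-relevant defaults of a context built from `protocol`."""
    ctx, deprecated = build_context(protocol)
    return {
        "deprecation_warning": deprecated,
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
    }


def requires_server_hostname(ctx):
    """True if wrapping a socket with `ctx` demands a server_hostname.

    With check_hostname enabled, SSLContext.wrap_socket() raises ValueError
    before any network I/O, so an unconnected socket is enough to probe this.
    """
    sock = socket.socket()
    try:
        wrapped = ctx.wrap_socket(sock)  # no server_hostname on purpose
    except ValueError:
        sock.close()
        return True
    wrapped.close()
    return False


def legacy_client_context(ca_certs=None):
    """Assumed shape of a wrapper written for the generic constant: verification
    has to be switched on by hand (verify_mode first, then check_hostname)."""
    ctx, _ = build_context(ssl.PROTOCOL_TLS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_certs:
        ctx.load_verify_locations(ca_certs)
    else:
        ctx.load_default_certs()
    return ctx


def modern_client_context(ca_certs=None):
    """Same policy with PROTOCOL_TLS_CLIENT: verification is on by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_certs:
        ctx.load_verify_locations(ca_certs)
    else:
        ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    for name in ("PROTOCOL_SSLv23", "PROTOCOL_TLS", "PROTOCOL_TLS_CLIENT"):
        print(name, describe(getattr(ssl, name)))
    print("TLS_CLIENT context needs server_hostname:",
          requires_server_hostname(modern_client_context()))
```

Running it on Python 3.10 or later prints a deprecation flag for the first two constants and none for PROTOCOL_TLS_CLIENT; on 3.6 through 3.9 the flag is absent but the verification defaults are the same. The practical consequence for a migration like #191 is the last line: any caller that wraps a socket without passing server_hostname (or that relied on the old CERT_NONE default, for example in tests against a self-signed endpoint) fails once the context is built from PROTOCOL_TLS_CLIENT, which is the safer default but is a visible behavior change.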