Interface: Require minimum TLS version 1.2 #2665

Draft: wants to merge 8 commits into base: master

@EchterAgo EchterAgo commented Jul 19, 2023

Python already refuses connecting to TLS 1.1 servers, which is a good thing. `SSLContext.minimum_version` should be used instead of setting the options; this requires Python 3.7.

EchterAgo and others added 8 commits July 19, 2023 21:34

`pytest-docker` switched from `docker-compose` to `docker compose` in
version 2.0.0:

https://github.com/avast/pytest-docker/releases/tag/v2.0.0

The new docker compose v2 works slightly differently in some cases. In
this case the path for our bind mount must be relative to the
`docker-compose.yml` file.

If the build fails make sure you can run `docker compose`, if not your
docker installation is too old.

Fixes Electron-Cash#2661

The imp module was removed in Python 3.12 so the old code does not work
anymore. Since we only support Python >= 3.6 we don't need to deal with
compatibility with older versions.

Exclude Python 3.12.0-beta.4 on Windows because it crashes on startup.

this caused electrum to fail to start
potentially only older python 3.6.x are affected

fixes spesmilo#5421

assertEqual is equivalent to assertEquals, which was removed in
Python 3.12.

Since Python 3.7 the hostname verification is done in
`SSLSocket.do_handshake` if `SSLContext.check_hostname` is set, so we
don't need our own code to verify the certificate.

There is no compatibility code for Python < 3.7 so the minimum version
was increased.

This also removes the unused `_match_hostname` function and its tests.

Python already refuses connecting to TLS 1.1 servers, which is a good
thing. `SSLContext.minimum_version` should be used instead of setting
the options, this requires Python 3.7.

@EchterAgo (Author) commented:

Seems that the tests for this are a bit flaky:

https://github.com/Electron-Cash/Electron-Cash/actions/runs/5600574944/jobs/10243162299?pr=2662#step:5:278

```
>       self.assertEqual(cm.exception.reason, "UNSUPPORTED_PROTOCOL")
E       AssertionError: 'SSLV3_ALERT_HANDSHAKE_FAILURE' != 'UNSUPPORTED_PROTOCOL'
E       - SSLV3_ALERT_HANDSHAKE_FAILURE
E       + UNSUPPORTED_PROTOCOL
```

The certificate checks seem to be much more reliable
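
As an added illustration of the change the PR description proposes (not code from this pull request or from Electron Cash): a client context pinned with `SSLContext.minimum_version`, next to the older `OP_NO_*` options style, and a helper that reports the lowest TLS version a context's configuration still permits. The function names `make_client_context`, `make_legacy_options_context` and `effective_minimum` are hypothetical, chosen for this example.

```python
import ssl
import warnings

# Legacy OP_NO_* flag for each TLS version, oldest first. SSLv3 is left out:
# Python contexts set OP_NO_SSLv3 by default.
_VERSION_FLAGS = [
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def make_client_context():
    """Client context with certificate and hostname checks and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # needs Python >= 3.7
    return ctx


def make_legacy_options_context():
    """The older style: no version floor, old protocols masked out via options."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # OP_NO_TLS* is deprecated
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return ctx


def effective_minimum(ctx):
    """Lowest TLS version the context's settings permit, or None if none is left.

    Looks only at minimum_version, maximum_version and the OP_NO_* options; the
    OpenSSL build or system policy may restrict the real handshake further.
    """
    for version, flag in _VERSION_FLAGS:
        if version < ctx.minimum_version:
            continue  # below the configured floor
        capped = ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED
        if capped and version > ctx.maximum_version:
            continue  # above the configured ceiling
        if ctx.options & flag:
            continue  # masked out by a legacy option
        return version
    return None
```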
