Details
- Task
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- Operability
- Normal
- All
- Security
Description
According to https://docs.python.org/3/library/ssl.html, use of the explicit TLS version constants v1, v1_1 and v1_2 has been deprecated in Python 3.6+ in favor of auto-negotiation of the highest protocol version that both the client and server support:
- ssl.PROTOCOL_TLSv1
- ssl.PROTOCOL_TLSv1_1
- ssl.PROTOCOL_TLSv1_2
The above are deprecated since version 3.6: OpenSSL has deprecated all version-specific protocols.
This affects cqlshlib/sslhandling.py and cqlshlib/test/test_sslhandling.py, and also the config files test/config/sslhandling.config and test/config/sslhandling_invalid.config.
"NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used"
https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF
The DataStax driver has addressed this in 3.25 with this update:
"Update security documentation and examples to use PROTOCOL_TLS (PYTHON-1264)"
https://datastax-oss.atlassian.net/browse/PYTHON-1264
https://github.com/datastax/python-driver/commit/8331eca6cc96d8bd3af2e37bc64693747515c2b6
This change will also remove the unit test class in test_sslhandling.py, which only tested version lookups and nothing else related to ssl.
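As an added illustration of the replacement the ticket describes (not code from cqlsh or the DataStax driver), the following builds a client context with PROTOCOL_TLS_CLIENT and a negotiated floor instead of a pinned PROTOCOL_TLSv1_x constant. The version-string format and the `validate` knob are assumptions modelled on a cqlsh-style [ssl] config section, not the actual option parser.

```python
import ssl

# Versions the NSA guidance quoted in the ticket says must not be used.
OBSOLETE_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1"}

# Accepted floors for the assumed "version" config value (constructed mapping,
# not cqlsh's own lookup table). Auto-negotiation still picks the highest
# version both peers support; this only sets the lower bound.
MIN_VERSIONS = {
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}

# PROTOCOL_TLS_CLIENT replaces the deprecated per-version constants and turns
# on hostname checking plus CERT_REQUIRED by default.
CLIENT_PROTOCOL = ssl.PROTOCOL_TLS_CLIENT


def make_client_context(min_version="TLSv1_2", validate=True):
    """Return an SSLContext that negotiates TLS >= min_version.

    min_version: assumed config string such as "TLSv1_2" or "TLSv1_3".
    validate:    assumed config knob; False disables certificate and
                 hostname verification (only sensible for test rigs).
    """
    if min_version in OBSOLETE_VERSIONS:
        raise ValueError(f"{min_version} is obsolete; use TLSv1_2 or TLSv1_3")
    try:
        floor = MIN_VERSIONS[min_version]
    except KeyError:
        raise ValueError(f"unknown TLS version {min_version!r}") from None

    ctx = ssl.SSLContext(CLIENT_PROTOCOL)
    # Setting minimum_version is the supported way to exclude old versions;
    # it is only allowed on PROTOCOL_TLS / PROTOCOL_TLS_CLIENT contexts.
    ctx.minimum_version = floor
    if not validate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    ctx = make_client_context()
    print(ctx.protocol, ctx.minimum_version, ctx.check_hostname)
```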