duo_client_python

Move to TLS client protocol for http connections

Open AaronAtDuo opened this issue 3 years ago • 4 comments

Since TLS_PROTOCOL is itself deprecated, this is the suggested update. It does technically change the default behavior though: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT

The protocol enables [CERT_REQUIRED](https://docs.python.org/3/library/ssl.html#ssl.CERT_REQUIRED) and [check_hostname](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname) by default.

AaronAtDuo avatar Jan 25 '23 19:01 AaronAtDuo

Also I need to rebase but we can start the discussion.

AaronAtDuo avatar Jan 25 '23 19:01 AaronAtDuo

This would change the default behavior to start enforcing hostname verification when certificates are in use. Is that a concern?

AaronAtDuo avatar Jan 25 '23 20:01 AaronAtDuo

yeah it is. We have a number of tests that disable cert validation

mbish avatar Jan 25 '23 20:01 mbish

> yeah it is. We have a number of tests that disable cert validation

and those are exactly the tests that failed until I added the line about disabling hostname verification.

AaronAtDuo avatar Jan 25 '23 20:01 AaronAtDuo
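The default change discussed in this thread, as an added example that is not part of the original comments or of duo_client_python's own code. The helper names `legacy_context`, `client_context` and `wrong_order_error` are hypothetical; the example compares the defaults of the two protocol constants and shows why a test that disables certificate validation must clear `check_hostname` first.

```python
import ssl
import warnings


def describe(ctx):
    """Return the two settings whose defaults differ between the protocols."""
    return {"verify_mode": ctx.verify_mode, "check_hostname": ctx.check_hostname}


def legacy_context():
    """Context built the old way; PROTOCOL_TLS is deprecated since Python 3.10."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def client_context(ca_file=None, verify=True):
    """Hypothetical helper: PROTOCOL_TLS_CLIENT context, verifying by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify:
        # Test-only path. Order matters: check_hostname must be cleared
        # before verify_mode can be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def wrong_order_error():
    """Show what happens when only verify_mode is relaxed on the new protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE  # check_hostname is still True here
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("PROTOCOL_TLS        :", describe(legacy_context()))
    print("PROTOCOL_TLS_CLIENT :", describe(client_context()))
    print("verification off    :", describe(client_context(verify=False)))
    print("wrong order raises  :", wrong_order_error())
```

A caller that never set `verify_mode` on the old protocol was connecting without any certificate check, so the new default is stricter for that caller as well as for the tests mentioned above.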