authorDrew Erny <drew.erny@docker.com>2018-01-18 13:27:33 -0800
committerJoffrey F <joffrey@docker.com>2018-01-24 18:05:10 -0800
commit500286d51e63510e9765868cbc1f8cc01ff36bbb (patch)
tree6b039d7fad5f857c1cdfd18e6f2592eedc5f653a
parent766d89055850fc5f42c9937001b426172d6e8a88 (diff)
downloaddocker-py-500286d51e63510e9765868cbc1f8cc01ff36bbb.tar.gz
Change default TLS version
Detects if python has an up-to-date version of OpenSSL that supports TLSv1.2. If it does, choose that as the default TLS version, instead of TLSv1. The Docker Engine and the majority of other Docker API servers should support TLSv1.2, and if they do not, the user can manually set a different (lower) version. Signed-off-by: Drew Erny <drew.erny@docker.com>
-rw-r--r--docker/tls.py41
1 files changed, 34 insertions, 7 deletions
diff --git a/docker/tls.py b/docker/tls.py
index 6488bbc..8fdf359 100644
--- a/docker/tls.py
+++ b/docker/tls.py
@@ -37,13 +37,40 @@ class TLSConfig(object):
self.assert_hostname = assert_hostname
self.assert_fingerprint = assert_fingerprint
- # TLS v1.0 seems to be the safest default; SSLv23 fails in mysterious
- # ways: https://github.com/docker/docker-py/issues/963
-
- self.ssl_version = ssl_version or ssl.PROTOCOL_TLSv1
-
- # "tls" and "tls_verify" must have both or neither cert/key files
- # In either case, Alert the user when both are expected, but any are
+ # TODO(dperny): according to the python docs, PROTOCOL_TLSvWhatever is
+ # depcreated, and it's recommended to use OPT_NO_TLSvWhatever instead
+ # to exclude versions. But I think that might require a bigger
+ # architectural change, so I've opted not to pursue it at this time
+
+ # If the user provides an SSL version, we should use their preference
+ if ssl_version:
+ self.ssl_version = ssl_version
+ else:
+ # If the user provides no ssl version, we should default to
+ # TLSv1_2. This option is the most secure, and will work for the
+ # majority of users with reasonably up-to-date software. However,
+ # before doing so, detect openssl version to ensure we can support
+ # it.
+
+ # ssl.OPENSSL_VERSION_INFO returns a tuple of 5 integers
+ # representing version info. We want any OpenSSL version greater
+ # than 1.0.1. Python compares tuples lexigraphically, which means
+ # this comparison will work.
+ if ssl.OPENSSL_VERSION_INFO > (1, 0, 1, 0, 0):
+ # If this version is high enough to support TLSv1_2, then we
+ # should use it.
+ self.ssl_version = ssl.PROTOCOL_TLSv1_2
+ else:
+ # If we can't, use a differnent default. Before the commit
+ # introducing this version detection, the comment read:
+ # >>> TLS v1.0 seems to be the safest default; SSLv23 fails in
+ # >>> mysterious ways:
+ # >>> https://github.com/docker/docker-py/issues/963
+ # Which is why we choose PROTOCOL_TLSv1
+ self.ssl_version = ssl.PROTOCOL_TLSv1
+
+ # "tls" and "tls_verify" must have both or neither cert/key files In
+ # either case, Alert the user when both are expected, but any are
# missing.
if client_cert: