minimum_version mismatch

[RobBotic1]

Documentation

The documentation states "The SSL context created above will only allow TLSv1.2 and later..." However, the example code sets the minimum version to TLS 1.3 (not 1.2 as stated).

I believe this line should be changed to:
>>> client_context.minimum_version = ssl.TLSVersion.TLSv1_2

I am happy to create a pull request, if that is helpful.

Linked PRs

• gh-105090: Replace incorrect TLSv1.2 with TLSv1.3 #105404
• [3.11] gh-105090: Replace incorrect TLSv1.2 with TLSv1.3 (GH-105404) #107038
• [3.10] gh-105090: Replace incorrect TLSv1.2 with TLSv1.3 (GH-105404) #107039
• [3.12] gh-105090: Replace incorrect TLSv1.2 with TLSv1.3 (GH-105404) #107040
• gh-105090: Update ssl.rst to show a range of TLS versions supported by a context. #107273

[sunmy2019]

I believe this line should be changed to:
>>> client_context.minimum_version = ssl.TLSVersion.TLSv1_2

This part was changed in response to the deprecation of TLSv1_2. 2875c60

You should change the description text below instead.

cpython/Doc/library/ssl.rst

Line 2691 in c39500d

The SSL context created above will only allow TLSv1.2 and later (if

[RobBotic1]

I believe there are still issues here (and my apologies for dropping the ball and not weighing in earlier -- the closing of the issue sent me a notification prompting me to look again).

First, I do not think it matters whether or not TLS 1.2 is deprecated. The example is simply showing how to restrict the preferred version used.

Second, the text states "and later" but the example sets a maximum_version as well as a minimum_version.

Finally, I think a useful example would actually show a range and how both minimum_version and maximum_version could be used together to restrict to that range.

For example, a minimum_version of ssl.TLSVersion.TLSv1_2 and a maximum_version of ssl.TLSVersion.TLSv1_3 would restrict to a range of TLS 1.2 and TLS 1.3, even if there are later versions in the future.

To match the current text, "The SSL context created above will only allow TLSv1.3 and later (if supported by your system)," the maximum_version would need to be left out.

I have submitted the following PR to reflect my thoughts above: gh-105090: Update ssl.rst to show a range of TLS versions supported by a context.

[janbrasna]

I believe this line should be changed to:
>>> client_context.minimum_version = ssl.TLSVersion.TLSv1_2

This part was changed in response to the deprecation of TLSv1_2. 2875c60

I believe this was done mistakenly, as in reality there is no "deprecation of TLSv1.2", only some older features including how a connection is configured. Therefore:

• yes, ssl.PROTOCOL_TLSv1_2 was deprecated;
• but no, ssl.TLSVersion.TLSv1_2 is not deprecated and is completely fine to use.

That means there's no reason to not allow a TLSv1.2 connection as an example in the docs when connected using the current client_context, so the original wording was right.

What was also introduced in said change was a maximum_version that doesn't match the description, so it should have been either left out completely, or the description and configuration options rewritten entirely to demonstrate a different point than before with the OP flags.

[janbrasna]

The linked PR #105404 didn't resolve the mismatch as the example still doesn't match its description, so issues like #95816 remain open.

I think the best fix is reporter's proposed #107273 to show a range of TLSv1.2–v1.3 until someone rewrites the example completely to make a different point.