From 500286d51e63510e9765868cbc1f8cc01ff36bbb Mon Sep 17 00:00:00 2001
From: Drew Erny <drew.erny@docker.com>
Date: Thu, 18 Jan 2018 13:27:33 -0800
Subject: Change default TLS version

Detects if python has an up-to-date version of OpenSSL that supports
TLSv1.2. If it does, choose that as the default TLS version, instead of
TLSv1. The Docker Engine and the majority of other Docker API servers
should suppot TLSv1.2, and if they do not, the user can manually set a
different (lower) version.

Signed-off-by: Drew Erny <drew.erny@docker.com>
---
 docker/tls.py | 41 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 7 deletions(-)

diff --git a/docker/tls.py b/docker/tls.py
index 6488bbc..8fdf359 100644
--- a/docker/tls.py
+++ b/docker/tls.py
@@ -37,13 +37,40 @@ class TLSConfig(object):
         self.assert_hostname = assert_hostname
         self.assert_fingerprint = assert_fingerprint
 
-        # TLS v1.0 seems to be the safest default; SSLv23 fails in mysterious
-        # ways: https://github.com/docker/docker-py/issues/963
-
-        self.ssl_version = ssl_version or ssl.PROTOCOL_TLSv1
-
-        # "tls" and "tls_verify" must have both or neither cert/key files
-        # In either case, Alert the user when both are expected, but any are
+        # TODO(dperny): according to the python docs, PROTOCOL_TLSvWhatever is
+        # depcreated, and it's recommended to use OPT_NO_TLSvWhatever instead
+        # to exclude versions. But I think that might require a bigger
+        # architectural change, so I've opted not to pursue it at this time
+
+        # If the user provides an SSL version, we should use their preference
+        if ssl_version:
+            self.ssl_version = ssl_version
+        else:
+            # If the user provides no ssl version, we should default to
+            # TLSv1_2.  This option is the most secure, and will work for the
+            # majority of users with reasonably up-to-date software. However,
+            # before doing so, detect openssl version to ensure we can support
+            # it.
+
+            # ssl.OPENSSL_VERSION_INFO returns a tuple of 5 integers
+            # representing version info. We want any OpenSSL version greater
+            # than 1.0.1. Python compares tuples lexigraphically, which means
+            # this comparison will work.
+            if ssl.OPENSSL_VERSION_INFO > (1, 0, 1, 0, 0):
+                # If this version is high enough to support TLSv1_2, then we
+                # should use it.
+                self.ssl_version = ssl.PROTOCOL_TLSv1_2
+            else:
+                # If we can't, use a differnent default. Before the commit
+                # introducing this version detection, the comment read:
+                # >>> TLS v1.0 seems to be the safest default; SSLv23 fails in
+                # >>> mysterious ways:
+                # >>> https://github.com/docker/docker-py/issues/963
+                # Which is why we choose PROTOCOL_TLSv1
+                self.ssl_version = ssl.PROTOCOL_TLSv1
+
+        # "tls" and "tls_verify" must have both or neither cert/key files In
+        # either case, Alert the user when both are expected, but any are
         # missing.
 
         if client_cert:
-- 
cgit v1.2.1