XXX explain TLS vs SSL, maybe just refer to SSL to mean both
In an effort to provide consistent, good quality TLS support for `IMAPClient`_, regardless of the Python version, the project went through a `significant change`_ last year so that TLS support comes via `backports.ssl`_ (which in turn uses the fantastic `cryptography.io`_ and `pyOpenSSL`_). This works but means that IMAPClient now has a ton of extra dependencies, some of which are causing problems for IMAPClient's users, especially on Windows and OS X. There's also the issue of relying on less mature, less widely used libraries. There's just more bugs and rough edges.
Given the hassle for IMAPClient's users and the added support burden for me, I'm now considering changing IMAPClient back to using Python's built-in TLS/SSL support again, but in a more considered way. Because IMAPClient supports a wide variety of Python versions, I wanted to investigate what Python's built-in TLS support is like across these versions.
Python 2.6 through 2.7.8
The TLS story for these Python versions isn't great. Some specific issues:
- Weak ciphers used by default with better ciphers given incorrect priority.
- No cerificate host name verification.
- Only SSL and TLS 1.0 are supported. TLS 1.1 and 1.2 provide a number of cryptographic improvements and protection against certain classes of attacks.
- No SSLContext class meaning that there's little control over SSL/TLS features and it's awkward to pass around SSL/TLS configuration.
Python 3 Before 3.4
These versions weren't much better than the earlier Python 2 versions. There's still,
- Weak default ciphers
- No cerificate host name verification
- No support for TLS 1.1 or 1.2.
At least SSLContext exists in all Python 3 versions. It wasn't widely accepted by most packages in the standard library until Python 3.2 however, so wasn't all that useful in the early Python 3 releases.
Python 2.7.9+ and 3.4+
XXX things got a lot better thanks to the efforts of XXX
Supporting a Range of Python Versions
XXX no doubt omissions and errors - let me know