Any Python driver that supports TLSv1.3

Manpreet

unread,

Dec 3, 2021, 4:23:33 PM12/3/21

to DataStax Python Driver for Apache Cassandra User Mailing List

Hi,

Did anyone know Cassandra python driver that supports TLSv1.3 ? Please help me with Thai.

Madhavan Sridharan

unread,

Dec 4, 2021, 5:10:22 PM12/4/21

to DataStax Python Driver for Apache Cassandra User Mailing List, Manpreet

Hello Manpreet, thanks for your question!

This is not a direct answer, but hopefully this helps.

First, we restrict force the DSE to leverage whatever the version of TLS protocol. For that, you could follow steps similar to this blog, https://support.datastax.com/s/article/FAQ-How-to-force-SSL-TLSv12-protocol-with-DSE

Next, based on the Cassandra's default protocol set, you could leverage that with the DataStax Python Driver. Additional references are below,

SSL Example: https://github.com/datastax/python-driver/blob/3.25.0/tests/integration/long/test_ssl.py
SSL Documentation: https://docs.datastax.com/en/developer/python-driver/latest/security/#ssl

Thanks!

Madhavan Sridharan

unread,

Dec 6, 2021, 9:09:01 AM12/6/21

to python-dr...@lists.datastax.com, Manpreet

Manpreet, I had forgotten to include this info that Cassandra doesn't support TLSv1.3 yet. Please see https://issues.apache.org/jira/browse/CASSANDRA-15048 ticket.

--
To unsubscribe from this topic, visit https://groups.google.com/a/lists.datastax.com/d/topic/python-driver-user/dSGZBM8QLg4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to python-driver-u...@lists.datastax.com.

Bret McGuire

unread,

Dec 6, 2021, 3:20:48 PM12/6/21

to DataStax Python Driver for Apache Cassandra User Mailing List, Madhavan Sridharan, Manpreet

Thanks for your question Manpreet! I believe the Python driver already has all the bits necessary to support TLS v1.3, but I want to emphasize that there's really no way around the Cassandra issue that Madhavan highlighted (hat tip to Madhavan). This is almost certainly all academic until CASSANDRA-15048 is resolved.

To use TLS v1.3 with the driver I believe you would need all of the following:

* A reasonably recent Python driver

* Python v3.7 or greater using openssl for it's TLS impl

* OpenSSL v1.1.1 or greater

Assuming all of these are in place you _should_ see TLS v1.3 attempts so long as you're using ssl.PROTOCOL_TLS when creating your SSLContext. This setting allows Python to use the highest supported TLS version (which should be TLS v1.3 if the requirements above are met). Note that we recently updated our documentation to indicate that this should be preferred to specifying a particular TLS version (see https://datastax-oss.atlassian.net/browse/PYTHON-1264 for more detail on this point).

With all of these components in play you should have client-side support for TLS v1.3, but again this won't help you much without CASSANDRA-15048.