[Twisted-Python] Block TLS 1.0 and TLS 1.1 support on windows

I'm using Twisted 20.3 and Python 3.6.8 on Windows 10.
I'm using endpoint_description with a tac file to start up a server.
But I need to disable TLS 1.0 and 1.1.
I was hoping to find a parameter I could pass in to make the system only recognise 1.2 and 1.3, but could not find anything that would do that. I thought sslmethod would be what I wanted, but that is limited to:
Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD", "TLSv1_METHOD".
If I choose TLSv1_METHOD, TLS 1.0 and 1.1 are still enabled and Qualys complains and downgrades the rating to B.
In the end I found _defaultMinimumTLSVersion in _sslverify.py.
I set this to TLSVersion.TLSv1_2 and that seemed to do the trick.
But I don't think I should be doing that. I think I've missed some obvious place where I can pass in a value to change this.
Anyone know where I should be looking?
Thanks for any info.

Hi John,
I think you want https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html; specifically, you want to pass the "raiseMinimumTo" parameter.
Hope this helps,
L. Daniel Burr
On Aug 31, 2020, at 10:47 AM, John Aherne johnaherne@rocs.co.uk wrote:

Thanks. That was quick.
Just wondering how I can add that to my endpoint_description / serverFromString setup.
Or will I have to drop that?
Let me take a look.
Cheers
John
On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr ldanielburr@me.com wrote:

Hi John,
I don't think you can accomplish it via a change to the description string, because serverFromString relies on the existing _parseSSL function, which only passes the deprecated sslmethod argument to CertificateOptions.
I haven't tried this myself, but I think the solution is to provide your own plugin, implementing IPlugin and IStreamServerEndpointStringParser, e.g. "MyTLSParser" and use your own description string, e.g., "tls:443:raiseMinimumTo=...".
Or maybe there's a ticket somewhere about updating the existing ssl description and parser to handle the new CertificateOptions arguments. That might be the right thing to implement.
Hope this helps,
L. Daniel Burr
On Aug 31, 2020, at 12:02 PM, John Aherne johnaherne@rocs.co.uk wrote:

Thanks for looking all this up.
I'd already decided to drop the endpoint server from string.
So I'm using Hynek Schlawack's pem package to build the certificate options.
That seems to be working. Anyway, I'm getting an A from Qualys at the moment, having reset _defaultMinimumTLSVersion back to its default of TLSv1_0 and passing raiseMinimumTo as TLSVersion.TLSv1_2.
Thanks for the pointers.
John
On Mon, Aug 31, 2020 at 7:26 PM L. Daniel Burr ldanielburr@me.com wrote:

Super glad you got this working!
However, what L. Daniel Burr suggested is correct - whether there's an existing ticket or not, the string endpoint should support all of these features.
(However, using pem is fine, too.)
-g
On Aug 31, 2020, at 1:16 PM, John Aherne johnaherne@rocs.co.uk wrote:

Yes. I could see _parseSSL wasn't checking for all the options. So I decided to drop the endpoints for now.
Thanks
John
On Tue, Sep 1, 2020 at 5:48 AM Glyph glyph@twistedmatrix.com wrote: