[Twisted-Python] Block TLS 1.0 and TLS 1.1 support on windows
I'm using twisted 20.3 and python3.6.8 and Windows 10. I'm using endpoint_description with a tac file to start up a server. But I need to disable tls 1.0 and 1.1.

I was hoping to find a parameter I could pass in to make the system only recognise 1.2 and 1.3, but could not find anything that would do that. I thought sslmethod would be what I wanted, but that is limited to: Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD", "TLSv1_METHOD". If I choose TLSv1_METHOD, TLS 1.0 and 1.1 are still enabled and Qualys complains and downgrades the rating to B.

In the end I found _defaultMinimumTLSVersion in _sslverify.py. I set this to TLSVersion.TLSv1_2 and that seemed to do the trick. But I don't think I should be doing that. I think I've missed some obvious place where I can pass in a value to change this.

Anyone know where I should be looking?

Thanks for any info
-- John Aherne
www.rocs.co.uk 020 7223 7567
Hi John,
I think you want https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html, specifically, you want to pass the "raiseMinimumTo" parameter.
Hope this helps,
L. Daniel Burr
On Aug 31, 2020, at 10:47 AM, John Aherne <johnaherne@rocs.co.uk> wrote:
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
Thanks. That was quick. Just wondering how I can add that to my endpoint_description create serverFromString. Or will I have to drop that? Let me take a look.
Cheers
John

On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr <ldanielburr@me.com> wrote:
-- John Aherne
www.rocs.co.uk 020 7223 7567
Hi John,
I don't think you can accomplish it via a change to the description string, because serverFromString relies on the existing _parseSSL function, which only passes the deprecated sslmethod argument to CertificateOptions.
I haven't tried this myself, but I think the solution is to provide your own plugin, implementing IPlugin and IStreamServerEndpointStringParser, e.g. "MyTLSParser", and use your own description string, e.g., "tls:443:raiseMinimumTo=...".
Or maybe there's a ticket somewhere about updating the existing ssl description and parser to handle the new CertificateOptions arguments. That might be the right thing to implement.
Hope this helps,
L. Daniel Burr
On Aug 31, 2020, at 12:02 PM, John Aherne <johnaherne@rocs.co.uk> wrote:
Thanks for looking all this up. I'd already decided to drop the endpoint server from string. So I'm using Hynek Schlawack's pem package to build the certificate options. That seems to be working. Anyway, I'm getting an A from Qualys at the moment, having reset _defaultMinimumTLSVersion back to its default of TLSv1_0 and passing raiseMinimumTo as TLSVersion.TLSv1_2.
Thanks for the pointers.
John

On Mon, Aug 31, 2020 at 7:26 PM L. Daniel Burr <ldanielburr@me.com> wrote:
-- John Aherne
www.rocs.co.uk 020 7223 7567
Super glad you got this working! However, what L. Daniel Burr suggested is correct - whether there's an existing ticket or not, the string endpoint should support all of these features. (However, using pem is fine, too.)
-g
On Aug 31, 2020, at 1:16 PM, John Aherne <johnaherne@rocs.co.uk> wrote:
Yes. I could see _parseSSL wasn't checking for all the options. So I decided to drop the endpoints for now.
Thanks
John

On Tue, Sep 1, 2020 at 5:48 AM Glyph <glyph@twistedmatrix.com> wrote:
-- John Aherne
www.rocs.co.uk 020 7223 7567
participants (3): Glyph, John Aherne, L. Daniel Burr