[Python-Dev] which SSL client protocols work with which server protocols?

Matt Goodall matt at pollenation.net
Tue Sep 11 13:59:51 CEST 2007


Bill Janssen wrote:
> Here's the updated connection table:
> 
> 		SSL2	SSL3	SS23	TLS1
>     SSL2	yes	no	yes	no
>     SSL3	yes	yes	yes	no
>     SSL23	yes	no	yes	no
>     TLS1	no	no	yes	yes
> 
> Given this, I think the client-side default should be changed from
> SSLv23 to SSLv3, and the server-side default should be SSLv23.

I believe you are correct.

I did some experiments with this a while ago after hitting problems
connecting to some SSL servers although I can't remember the exact
results now.

More importantly, what you recommend is what Twisted does and I'd
believe them more than me any time ;-).

See Twisted's DefaultOpenSSLContextFactory [1] for the server side and
ClientContextFactory [2] for the client side.


Cheers, Matt


[1] DefaultOpenSSLContextFactory,
http://twistedmatrix.com/trac/browser/trunk/twisted/internet/ssl.py#L67

[2] ClientContextFactory,
http://twistedmatrix.com/trac/browser/trunk/twisted/internet/ssl.py#L102

-- 
Matt Goodall, Pollenation Internet Ltd
Technology House, 237 Lidgett Lane, Leeds LS17 6QR
Registered No 4382123
A member of the Brunswick MCL Group of Companies
w: http://www.pollenation.net/
e: matt at pollenation.net
t: +44 113 2252500


More information about the Python-Dev mailing list