smtplib and TLS

Paul Rubin http
Sat Jun 18 09:43:17 CEST 2005


"Matthias Kluwe" <mkluwe at gmail.com> writes:
> Hmm. I tried
> 
> server.sock.realsock.shutdown(2)
> before server.quit() with the result of

I don't think that's exactly what you want.  You need to send a
specific TLS message BEFORE shutting down the socket, to tell the
other end that the TLS connection is ending.  That tells the server
that it shouldn't accept a TLS session resumption later.  The close
notify message is required because if you don't send it, an attacker
could truncate one of your TLS messages by cutting your connection.

Basically the socket library's SSL implementation is pretty crude.
You might try http://trevp.net/tlslite for a pure-Python
implementation that's also still missing stuff, but is getting there.



More information about the Python-list mailing list