ssl module - how can I accept SSLv3 and TLSv1 protocols only?

Jean-Paul Calderone exarkun at divmod.com
Wed Jan 7 14:21:21 CET 2009


On Tue, 6 Jan 2009 19:01:48 -0800 (PST), Giampaolo Rodola' <gnewsg at gmail.com> wrote:
>Hi,
>I'm trying to add TLS/SSL support to pyftpdlib.
>Since various defects have been found in the SSLv2 protocol many FTPS
>servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1
>only and sistematically reject any client attempting to use SSLv2.
>Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1
>connections only?
>If that's not possible can I determine the encryption protocol being
>used *after* that the SSL/TLS handshake took place?
>
>
>I tried to use wrap_socket as follows:
>
>self.socket = ssl.wrap_socket(self.socket, ,
>                                            certfile=CERTFILE,
>                                            server_side=True,
>
>ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1)
>
>...it works if on the client side I use TLSv1 but not if I use SSLv3
>("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL
>routines:SSL3_READ_BYTES:sslv 3 alert handshake failure" exception is
>raised)
>

At the OpenSSL level, you do this by specifying SSLv23_METHOD and then
setting the SSL_OP_NO_SSLv2 flag.  With pyOpenSSL, you do this by
creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on
it, like so:

    from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2
    context = Context(SSLv23_METHOD)
    context.set_options(OP_NO_SSLv2)

It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23,
but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any
extra flags.

Oring PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly
not the right approach, anyway (as you saw with your tests).

Jean-Paul



More information about the Python-list mailing list