ssl module - how can I accept SSLv3 and TLSv1 protocols only?
gnewsg at gmail.com
Wed Jan 7 18:27:37 CET 2009
On 7 Gen, 14:21, Jean-Paul Calderone <exar... at divmod.com> wrote:
> On Tue, 6 Jan 2009 19:01:48 -0800 (PST), Giampaolo Rodola' <gne... at gmail.com> wrote:
> >I'm trying to add TLS/SSL support to pyftpdlib.
> >Since various defects have been found in the SSLv2 protocol many FTPS
> >servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1
> >only and sistematically reject any client attempting to use SSLv2.
> >Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1
> >connections only?
> >If that's not possible can I determine the encryption protocol being
> >used *after* that the SSL/TLS handshake took place?
> >I tried to use wrap_socket as follows:
> >self.socket = ssl.wrap_socket(self.socket, ,
> > certfile=CERTFILE,
> > server_side=True,
> >ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1)
> >...it works if on the client side I use TLSv1 but not if I use SSLv3
> >("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL
> >routines:SSL3_READ_BYTES:sslv 3 alert handshake failure" exception is
> At the OpenSSL level, you do this by specifying SSLv23_METHOD and then
> setting the SSL_OP_NO_SSLv2 flag. With pyOpenSSL, you do this by
> creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on
> it, like so:
> from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2
> context = Context(SSLv23_METHOD)
> It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23,
> but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any
> extra flags.
> Oring PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly
> not the right approach, anyway (as you saw with your tests).
> Jean-Paul- Nascondi testo citato
> - Mostra testo citato -
These are pretty bad news.
I'm going to open a request on the bug tracker hoping that this
situation could be solved soon.
Thanks for your reply anyway.
More information about the Python-list