ssl module - how can I accept SSLv3 and TLSv1 protocols only?

Giampaolo Rodola' gnewsg at gmail.com
Wed Jan 7 12:27:37 EST 2009 

On 7 Gen, 14:21, Jean-Paul Calderone <exar... at divmod.com> wrote:
> On Tue, 6 Jan 2009 19:01:48 -0800 (PST), Giampaolo Rodola' <gne... at gmail.com> wrote:
> >Hi,
> >I'm trying to add TLS/SSL support to pyftpdlib.
> >Since various defects have been found in the SSLv2 protocol many FTPS
> >servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1
> >only and sistematically reject any client attempting to use SSLv2.
> >Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1
> >connections only?
> >If that's not possible can I determine the encryption protocol being
> >used *after* that the SSL/TLS handshake took place?
>
> >I tried to use wrap_socket as follows:
>
> >self.socket = ssl.wrap_socket(self.socket, ,
> >                                            certfile=CERTFILE,
> >                                            server_side=True,
>
> >ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1)
>
> >...it works if on the client side I use TLSv1 but not if I use SSLv3
> >("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL
> >routines:SSL3_READ_BYTES:sslv 3 alert handshake failure" exception is
> >raised)
>
> At the OpenSSL level, you do this by specifying SSLv23_METHOD and then
> setting the SSL_OP_NO_SSLv2 flag.  With pyOpenSSL, you do this by
> creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on
> it, like so:
>
>     from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2
>     context = Context(SSLv23_METHOD)
>     context.set_options(OP_NO_SSLv2)
>
> It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23,
> but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any
> extra flags.
>
> Oring PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly
> not the right approach, anyway (as you saw with your tests).
>
> Jean-Paul- Nascondi testo citato
>
> - Mostra testo citato -

These are pretty bad news.
I'm going to open a request on the bug tracker hoping that this
situation could be solved soon.
Thanks for your reply anyway.


Sincerely

--- Giampaolo
http://code.google.com/p/pyftpdlib

More information about the Python-list mailing list