[pyOpenSSL] Problems with openssl-0.9.8j

Jean-Paul Calderone exarkun at divmod.com
Sun Jan 18 04:01:41 CET 2009


On Sun, 18 Jan 2009 00:45:43 +0100, Christian Scharkus <mail.sensenmann at googlemail.com> wrote:
>Hi folks :)
>
>I use Arch Linux i686 with pyopenssl-0.8 and openssl-0.9.8j and have got
>some problems with connecting to kekz.net:23002.
>
>http://codepad.org/2aad1eAI
>
>$ python
>Python 2.6.1 (r261:67515, Dec  7 2008, 08:27:41)
>[GCC 4.3.2] on linux2
>Type "help", "copyright", "credits" or "license" for more information.
>>>> import socket
>>>> from OpenSSL.SSL import SSLv3_METHOD, Connection, Context
>>>> s = socket.socket()
>>>> conn = Connection(Context(SSLv3_METHOD), s)
>>>> conn.connect(('kekz.net',23002))
>>>> conn.do_handshake()
>Traceback (most recent call last):
>
>  File "<stdin>", line 1, in <module>
>OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]

This seems to be due to the change in OpenSSL 0.9.8j to sending a TLS
extension section by default.  A correct SSL server will ignore this
section, but it seems there are a few SSL libraries which freak out
when they encounter this.

The next version of pyOpenSSL will include a way to work around this
by exposing a constant to explicitly disable sending this TLS extension
section.

This is done with a Context option, so if your example code above were
changed to set up the connection like this:

    import socket
    from OpenSSL.SSL import SSLv3_METHOD, Connection, Context, OP_NO_TICKET

    s = socket.socket()
    ctx = Context(SSLv3_METHOD)
    ctx.set_options(OP_NO_TICKET)  # don't send the TLS extension section 0.9.8j adds by default
    conn = Connection(ctx, s)

then it would work (I've tested this against trunk at HEAD of pyOpenSSL and
OpenSSL 0.9.8j and it fixed the connection problem for me).

You can probably also just use the value of OP_NO_TICKET with older versions
of pyOpenSSL.  It will have the same effect on OpenSSL 0.9.8j and no effect
at all on older versions.

Jean-Paul
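The failure Jean-Paul describes is a ClientHello that carries an extensions block (here the SessionTicket extension, type 0x0023, which is what OP_NO_TICKET suppresses) being rejected by a server whose parser expects the hello to end after the compression methods. The following is an added example, not code from this thread or from pyOpenSSL: it builds two hand-constructed SSLv3 ClientHello records, one with and one without the extension, and parses them twice, once the way a correct server does (skipping any extension it does not understand) and once the way a strict legacy parser does (rejecting trailing bytes). The byte layouts follow the TLS record and handshake format; the ClientHello contents (zeroed random, a single cipher suite) are sample values, and Python 3 is assumed.

```python
"""Added example: show why an extensions block breaks some legacy SSL servers
and what suppressing it (OP_NO_TICKET) changes on the wire.  The ClientHello
records below are constructed by hand for illustration, not captured traffic."""
import struct

SESSION_TICKET = 0x0023   # RFC 5077 SessionTicket extension type
SSL3_VERSION = 0x0300


def build_client_hello(extensions=None):
    """Return a minimal SSLv3 ClientHello wrapped in a TLS handshake record.

    extensions: optional list of (type, data) pairs appended as an extensions block.
    """
    body = struct.pack(">H", SSL3_VERSION)      # client_version
    body += b"\x00" * 32                        # random (zeroed sample value)
    body += b"\x00"                             # session_id length 0
    body += struct.pack(">H", 2) + b"\x00\x2f"  # one cipher suite (RSA/AES-128-CBC/SHA)
    body += b"\x01\x00"                         # one compression method: null
    if extensions:
        ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16" + struct.pack(">HH", SSL3_VERSION, len(handshake)) + handshake


def _hello_body(record):
    """Unwrap record and handshake headers, returning the ClientHello body."""
    content_type, _rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a client_hello")
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[4:4 + hs_len]


def _fixed_fields_end(body):
    """Return the offset just past the compression_methods vector."""
    pos = 2 + 32                          # client_version + random
    pos += 1 + body[pos]                  # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                  # compression_methods
    return pos


def parse_client_hello(record):
    """Tolerant parse, as a correct server does: every extension is recorded
    by type and its data skipped, whether or not the type is understood."""
    body = _hello_body(record)
    client_version = struct.unpack(">H", body[:2])[0]
    pos = _fixed_fields_end(body)
    extensions = []
    if pos < len(body):                   # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, data_len = struct.unpack(">HH", body[pos:pos + 4])
            extensions.append(ext_type)
            pos += 4 + data_len           # skip the data regardless of type
    return {"client_version": client_version, "extensions": extensions}


def sends_session_ticket(record):
    """True if the hello carries the SessionTicket extension 0.9.8j adds by default."""
    return SESSION_TICKET in parse_client_hello(record)["extensions"]


def legacy_server_accepts(record):
    """Mimic a strict pre-extension parser: anything after compression_methods
    is treated as a malformed hello.  This is the behaviour OP_NO_TICKET works around."""
    body = _hello_body(record)
    return _fixed_fields_end(body) == len(body)


if __name__ == "__main__":
    plain = build_client_hello()                                  # what OP_NO_TICKET produces
    ticketed = build_client_hello([(SESSION_TICKET, b"")])        # empty ticket = "give me one"
    for name, rec in (("no extensions", plain), ("with SessionTicket", ticketed)):
        print(name, parse_client_hello(rec), "legacy ok:", legacy_server_accepts(rec))
```

Running the block prints both parses: the tolerant parser handles either hello, while the strict parser only accepts the one without the extensions block, which is exactly the difference setting OP_NO_TICKET makes from the server's point of view.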
