Classification
Title: ssl module is missing SSL_OP_NO_SSLv2
Type: security    Stage: committed/rejected
Components: Library (Lib)    Versions: Python 3.2
Process
Status: closed    Resolution: fixed
Dependencies: (none)    Superseder: (none)
Assigned To: janssen    Nosy List: exarkun, giampaolo.rodola, heikki, janssen, jeremy.kloth, pitrou
Priority: normal    Keywords: patch

Created on 2009-01-07 18:11 by giampaolo.rodola, last changed 2010-05-21 09:57 by pitrou. This issue is now closed.

Files
File name       | Uploaded                        | Description
issue4870.diff  | jeremy.kloth, 2010-01-13 01:49  | Patch for Python 2.x trunk
sslopts.patch   | pitrou, 2010-04-20 23:28        |
sslopts2.patch  | pitrou, 2010-04-27 21:08        |
sslopts3.patch  | pitrou, 2010-05-16 22:39        |
sslopts4.patch  | pitrou, 2010-05-16 23:28        |
Messages (12)
msg79357 - Author: Giampaolo Rodola' (giampaolo.rodola) (Python committer) Date: 2009-01-07 18:11
As came out here:
http://groups.google.it/group/comp.lang.python/browse_thread/thread/7d5b96f9bacb03d3?hl=it#
...the ssl module does not provide any facility to disable SSL version
2. This is very important when writing SSLv3/TLSv1 compatible servers.
msg79362 - Author: Bill Janssen (janssen) (Python committer) Date: 2009-01-07 19:06
Actually, that's not quite true.  Specifying TLSv1 or SSLv3 on the
server side will disable SSLv2.  However, there's currently no way to
specify SSLv3 *or* TLSv1 *but not* SSLv2.  This looks easy to fix; I'll
add another entry to the list of protocol versions, which when selected
will cause the server to use SSLv23, but will cause SSLv2 clients to be
rejected.
msg79364 - Author: Giampaolo Rodola' (giampaolo.rodola) (Python committer) Date: 2009-01-07 19:15
> Actually, that's not quite true.  
> Specifying TLSv1 or SSLv3 on the
> server side will disable SSLv2.

There are use cases like FTPS where it is desirable that servers support
SSLv3 *and* TLSv1.
To do that with OpenSSL, the SSLv23 protocol must be specified and SSLv2
must be explicitly disabled afterward.
As far as I've understood, using SSLv23 on the server side means that
when the client connects it can decide whether to use SSLv2, SSLv3 or
TLSv1.
msg97679 - Author: Jeremy Kloth (jeremy.kloth) Date: 2010-01-13 01:49
I have developed a patch that adds the ability to disable SSLv2, SSLv3 and TLSv1 when using the SSLv23 method. It changes Modules/_ssl.c, Lib/ssl.py and Doc/library/ssl.rst.
msg103792 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-04-20 23:28
Here is an adapted patch for py3k. It also adds a couple of test cases.
msg104363 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-04-27 21:08
Here is an updated patch for py3k (the previous one didn't apply cleanly).
msg105884 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-05-16 22:09
Here is an updated patch, following checkin of the new SSL contexts. Options can be specified as an `options` property on SSL contexts.
msg105887 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-05-16 22:39
Updated patch adds a couple of words about SSLv2 in the "security considerations" paragraph. Reviewing is welcome.
msg105889 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-05-16 23:28
It turns out SSL_CTX_clear_options() is not available before OpenSSL 0.9.8m. I adapted my patch to raise a ValueError when trying to clear options on older versions of OpenSSL. Setting additional options still works, though.
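The `options` property from msg105884 and the ValueError behaviour from msg105889, together with the "SSLv23 plus explicitly disabled SSLv2" server setup from msg79364, as an added example that is not code from the issue's patches. It assumes Python 3.6 or newer, where PROTOCOL_TLS_SERVER is the current name for the negotiating SSLv23 method; the helper names are mine.

```python
import ssl
import warnings

# Aliases for the flags discussed in the issue; OP_NO_SSLv2 is the option the
# original patch exposed through SSLContext.options.
NO_SSLV2 = ssl.OP_NO_SSLv2
NO_TLSV1 = ssl.OP_NO_TLSv1


def has_option(ctx, opt):
    """True if every bit of `opt` is set on the context.

    Equality is used instead of truthiness on purpose: OpenSSL 1.1.0+
    removed SSLv2 entirely, so SSL_OP_NO_SSLv2 is 0 there and a bare
    `ctx.options & opt` test would wrongly report SSLv2 as still enabled.
    """
    return (ctx.options & opt) == opt


def set_option(ctx, opt):
    """Add `opt` to ctx.options; per msg105889 this works on any OpenSSL."""
    with warnings.catch_warnings():
        # Newer Pythons deprecate OP_NO_* in favour of minimum_version;
        # the issue's own API is kept here for illustration.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= opt
    return has_option(ctx, opt)


def clear_option(ctx, opt):
    """Remove `opt` from ctx.options; False if the OpenSSL build cannot.

    Clearing needs SSL_CTX_clear_options(), absent before OpenSSL 0.9.8m,
    where the patch raises ValueError.  Plain ints avoid IntFlag complement
    semantics, which differ across Python versions.
    """
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.options = int(ctx.options) & ~int(opt)
    except ValueError:
        return False
    return not (ctx.options & opt)


def make_server_context():
    """SSLv3/TLSv1-style server from msg79364: negotiate, but never SSLv2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # assumption: Python 3.6+
    set_option(ctx, NO_SSLV2)
    return ctx
```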
msg106185 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-05-20 20:05
I would like to move forward on this. Does anyone have any comments or objections to the current proposal?
msg106197 - Author: Giampaolo Rodola' (giampaolo.rodola) (Python committer) Date: 2010-05-20 22:10
I like the approach of providing this feature as a single attribute instead of two separate methods (set/get_options()).
For what it's worth, I took a look at the patch without actually trying it, and it looks good overall, both tests and documentation, which is particularly clear.
msg106222 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-05-21 09:57
This was committed in r81392.
History
Date                 | User              | Action | Args
2010-05-21 09:57:16  | pitrou            | set    | status: open -> closed; resolution: fixed; messages: + msg106222; stage: patch review -> committed/rejected
2010-05-20 22:10:50  | giampaolo.rodola  | set    | messages: + msg106197
2010-05-20 20:05:13  | pitrou            | set    | messages: + msg106185
2010-05-16 23:28:07  | pitrou            | set    | files: + sslopts4.patch; messages: + msg105889
2010-05-16 22:39:49  | pitrou            | set    | files: - sslopts3.patch
2010-05-16 22:39:43  | pitrou            | set    | files: + sslopts3.patch; messages: + msg105887
2010-05-16 22:20:38  | pitrou            | set    | files: + sslopts3.patch
2010-05-16 22:20:28  | pitrou            | set    | files: - sslopts3.patch
2010-05-16 22:09:18  | pitrou            | set    | files: + sslopts3.patch; nosy: + exarkun, heikki; messages: + msg105884
2010-04-27 21:16:03  | pitrou            | link   | issue3596 superseder
2010-04-27 21:08:59  | pitrou            | set    | files: + sslopts2.patch; messages: + msg104363
2010-04-20 23:28:10  | pitrou            | set    | files: + sslopts.patch; nosy: + pitrou; messages: + msg103792
2010-04-20 20:52:20  | pitrou            | set    | resolution: accepted -> (no value); versions: + Python 3.2, - Python 2.6, Python 3.0, Python 3.1, Python 2.7
2010-01-13 01:56:20  | brian.curtin      | set    | priority: normal; stage: needs patch -> patch review
2010-01-13 01:49:37  | jeremy.kloth      | set    | files: + issue4870.diff; nosy: + jeremy.kloth; messages: + msg97679; keywords: + patch
2009-01-07 19:15:23  | giampaolo.rodola  | set    | messages: + msg79364
2009-01-07 19:07:01  | janssen           | set    | assignee: janssen; resolution: accepted; messages: + msg79362; stage: needs patch
2009-01-07 18:11:43  | giampaolo.rodola  | create |