classification
Title: ssl_version documentation error
Type: Stage: resolved
Components: Versions: Python 2.7
process
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: Nosy List: Ben.Darnell, fweimer, pitrou, python-dev
Priority: normal Keywords:

Created on 2012-01-09 19:10 by Ben.Darnell, last changed 2013-03-08 10:23 by pitrou. This issue is now closed.

Messages (7)
msg150963 - (view) Author: Ben Darnell (Ben.Darnell) * Date: 2012-01-09 19:10
The ssl module docs claim that the default ssl_version for client-side operation is SSLv3, but it is actually SSLv23.  The exact behavior depends on the version of openssl:  starting in 1.0 the connection is limited by default to SSLv3 or TLSv1 (as documented in the note below the compatibility table), but in older versions of openssl SSLv2 is allowed by default. 

This is just a documentation error if you've got a recent version of openssl, but it's also a security problem with older versions, since people may have been unknowingly using the weaker SSLv2 protocol.  (I don't know how widespread pre-1.0 versions of openssl are these days, but OSX Lion still ships with 0.9.8)  It would be nice if the default mode were SSLv23 with SSL_OP_NO_SSLv2 set so the defaults would be safe even with older versions of openssl (there's no way to set this configuration from python code before py3.2)

Also, the compatibility table claims that an SSLv3 client can talk to an SSLv2 server, which is incorrect.  SSLv23 clients can talk to SSLv3 and TLSv1 servers if openssl is at least version 1.0 and SSLv2 ciphers are not explicitly enabled.
msg150976 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2012-01-09 20:44
New changeset 3db0abf3058b by Antoine Pitrou in branch '2.7':
Issue #13747: fix documentation error about the default SSL version.
http://hg.python.org/cpython/rev/3db0abf3058b

New changeset 4f14c249f3de by Antoine Pitrou in branch '2.7':
Issue #13747: fix SSL compatibility table.
http://hg.python.org/cpython/rev/4f14c249f3de
msg150977 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2012-01-09 20:47
New changeset 7ae0f71862f9 by Antoine Pitrou in branch '3.2':
Issue #13747: fix documentation error about the default SSL version.
http://hg.python.org/cpython/rev/7ae0f71862f9

New changeset b4194af97948 by Antoine Pitrou in branch '3.2':
Issue #13747: fix SSL compatibility table.
http://hg.python.org/cpython/rev/b4194af97948

New changeset d2a47650031a by Antoine Pitrou in branch 'default':
Merge SSL doc fixes (issue #13747).
http://hg.python.org/cpython/rev/d2a47650031a
msg150980 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-01-09 21:03
Thanks for noticing. I've now fixed the docs.

> It would be nice if the default mode were SSLv23 with SSL_OP_NO_SSLv2
> set so the defaults would be safe even with older versions of openssl

Mmmh, perhaps, although wouldn't someone deploying a new version of Python also deploy a new version of OpenSSL?
msg150995 - (view) Author: Ben Darnell (Ben.Darnell) * Date: 2012-01-10 01:38
Not necessarily.  If I want to run python 2.7 or 3.x on an older linux distribution (e.g. Ubuntu 10.04 LTS, which has python 2.6 and openssl 0.9.8), I need to build from source, but I wouldn't think to update/rebuild all the dependencies from the ground up.
msg183730 - (view) Author: Florian Weimer (fweimer) Date: 2013-03-08 09:26
OpenSSL cross-version updates are sometimes difficult because they invalidate certifications.  Updating Python to SSLv23 with SSL_OP_NO_SSLv2 is comparatively easy and also much less riskier.

Shall I submit a patch which changes the default?  I would also like to restrict the cipher suites to strong ones plus RC4, so that Python code isn't forced to set cipher preferences.
msg183733 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-08 10:23
Florian this was already handled in issue #13636 (changeset f9122975fd80).
History
Date User Action Args
2013-03-08 10:23:19pitrousetstatus: open -> closed
resolution: out of date
messages: + msg183733

stage: resolved
2013-03-08 09:26:08fweimersetmessages: + msg183730
2013-03-08 08:55:48fweimersetnosy: + fweimer
2012-01-10 01:38:36Ben.Darnellsetmessages: + msg150995
2012-01-09 21:03:16pitrousetnosy: + pitrou
messages: + msg150980
2012-01-09 20:47:38python-devsetmessages: + msg150977
2012-01-09 20:44:57python-devsetnosy: + python-dev
messages: + msg150976
2012-01-09 19:10:41Ben.Darnellcreate