classification
Title: ftplib.FTP_TLS's default constructor does not work with TLSv1.1 or TLSv1.2
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.5, Python 3.4, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Arfrever, benjamin.peterson, giampaolo.rodola, pitrou, python-dev, varde
Priority: normal
Keywords:

Created on 2014-12-24 21:45 by varde, last changed 2015-01-04 16:20 by python-dev. This issue is now closed.

Messages (9)
msg233087 - (view) Author: (varde) Date: 2014-12-24 21:45
When trying to connect to a server which only supports TLS version 1.1 or 1.2, the following error is raised:
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:598)
For some reason, the SSL version is set to ssl.PROTOCOL_TLSv1 before initialisation and an SSL context is created in __init__, making any subsequent change to ssl_version useless.
The only way to establish a successful connection is to pass a custom SSL context to the constructor.
I think ssl_version should be settable at construction time before the context is created.
I'm not sure exposing ssl_version is useful either, the documentation mentions it but it has no use after initialisation.

The following lines should also be changed:
if self.ssl_version == ssl.PROTOCOL_TLSv1:
    resp = self.voidcmd('AUTH TLS')
msg233118 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-12-26 21:38
> The only way to establish a successful connection is to pass a custom SSL context to the constructor.

Why don't you do just that?
msg233155 - (view) Author: (varde) Date: 2014-12-28 22:01
Well, because the ssl_version parameter should have a purpose. If it doesn't, the least we could do is remove it from the docs.
msg233214 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2014-12-30 18:12
ssl_version is a class attribute so you can simply set that before instantiating FTP_TLS class:

>>> import ftplib
>>> ftplib.FTP_TLS.ssl_version = ...
>>> client = ftplib.FTP_TLS(...)
>>> ...
msg233217 - (view) Author: (varde) Date: 2014-12-30 19:34
I know that, but it seems pretty unusual. And I would never have guessed from the documentation, I had to read the source.
My point is that it should be easier to just connect to a TLSv1.2 server: the documentation should mention the fact that ssl_version is a class attribute or it should be set to something more compatible like ssl.PROTOCOL_SSLv23.
I'm not sure about the implications of the latter.
I'm not saying that this is a serious bug, but I'm used to Python providing us with something that works (more or less) out of the box.
msg233221 - (view) Author: Roundup Robot (python-dev) Date: 2014-12-30 21:16
New changeset 414c450e8406 by Benjamin Peterson in branch '3.4':
make PROTOCOL_SSLv23 the default protocol version for ftplib (closes #23111)
https://hg.python.org/cpython/rev/414c450e8406

New changeset 33603f7949c5 by Benjamin Peterson in branch 'default':
merge 3.4 (#23111)
https://hg.python.org/cpython/rev/33603f7949c5
msg233222 - (view) Author: Roundup Robot (python-dev) Date: 2014-12-30 21:17
New changeset 29689050ec78 by Benjamin Peterson in branch '3.4':
update docs for #23111
https://hg.python.org/cpython/rev/29689050ec78
msg233421 - (view) Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * Date: 2015-01-04 16:13
I think that this fix should be applied also in 2.7 branch.
msg233423 - (view) Author: Roundup Robot (python-dev) Date: 2015-01-04 16:20
New changeset 98ee845a139a by Benjamin Peterson in branch '2.7':
make SSLv23 the default version in ftplib (closes #23111)
https://hg.python.org/cpython/rev/98ee845a139a
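
The custom-context workaround discussed in this thread, as an added example that is not part of the original issue or of CPython's own code. It assumes Python 3.7 or later (for `ssl.TLSVersion` and `minimum_version`, which are newer than the versions in this issue); the function names are hypothetical.

```python
import ftplib
import ssl


def build_ftps_context(min_version=ssl.TLSVersion.TLSv1_2, cafile=None):
    """Client context that negotiates the highest TLS version both sides
    support, refuses anything below min_version, and verifies the server
    certificate and hostname (create_default_context enables both)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = min_version
    return ctx


def make_ftps_client(context=None, timeout=30):
    """Return an unconnected FTP_TLS bound to an explicit context.

    Passing context= means the handshake no longer depends on the
    class-level ssl_version attribute, which is only read in __init__
    when no context is supplied.
    """
    if context is None:
        context = build_ftps_context()
    return ftplib.FTP_TLS(context=context, timeout=timeout)


def open_session(host, user, password, context=None):
    """Connect, secure the control channel, log in, protect the data channel.

    Returns the client and the negotiated protocol string (for example
    'TLSv1.2'), which is worth logging so downgrades are visible.
    """
    client = make_ftps_client(context)
    client.connect(host)
    client.login(user, password)  # login() issues AUTH TLS first by default
    client.prot_p()               # encrypt data connections as well
    return client, client.sock.version()


if __name__ == "__main__":
    # Offline check: no host is given, so nothing is connected here.
    ctx = build_ftps_context()
    client = make_ftps_client(ctx)
    print("minimum version:", ctx.minimum_version.name)
    print("verifies server:", ctx.verify_mode == ssl.CERT_REQUIRED)
    print("client uses our context:", client.context is ctx)
```
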
History
Date | User | Action | Args
2015-01-04 16:20:32 | python-dev | set | status: open -> closed; resolution: fixed; messages: + msg233423; stage: resolved
2015-01-04 16:13:41 | Arfrever | set | status: closed -> open; versions: + Python 2.7, Python 3.4; nosy: + Arfrever, benjamin.peterson; messages: + msg233421; resolution: fixed -> (no value); stage: resolved -> (no value)
2014-12-30 21:17:23 | python-dev | set | messages: + msg233222
2014-12-30 21:16:33 | python-dev | set | status: open -> closed; nosy: + python-dev; messages: + msg233221; resolution: fixed; stage: resolved
2014-12-30 19:34:53 | varde | set | messages: + msg233217
2014-12-30 18:12:18 | giampaolo.rodola | set | messages: + msg233214
2014-12-28 22:01:25 | varde | set | messages: + msg233155
2014-12-26 21:38:40 | pitrou | set | nosy: + giampaolo.rodola, pitrou; messages: + msg233118; versions: + Python 3.5, - Python 2.7, Python 3.2, Python 3.3, Python 3.4
2014-12-24 21:45:07 | varde | create |