This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Add SSLContext.set_version_range(minver, maxver=None)
Type: enhancement Stage: resolved
Components: Extension Modules, SSL Versions: Python 3.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Add setter and getter for min/max protocol version
View: 32609
Assigned To: christian.heimes Nosy List: alex, christian.heimes, dstufft, janssen
Priority: normal Keywords:

Created on 2016-08-27 10:30 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (3)
msg273772 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-08-27 10:30 
OpenSSL 1.1 has deprecated all version specific TLS/SSL methods in favor of auto-negotiation (formerly known as SSLv23). It also introduced two macros to set the minimal and maximum TLS version with SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version(). The macros can be emulated for OpenSSL < 1.1 with reasonable effort.

I suggest that ssl.SSLContext introduces set_version_range(minver, maxver=None) method. It's less awkward to use than fiddling with modes and OP_NO_SSLv3.
msg284822 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-01-06 14:31 
PoC implementation:

from enum import Enum
import ssl

OP_NO_TLSv1_3 = getattr(ssl, 'OP_NO_TLSv1_3', 0)

OP_NO_FLAGS = [
    ssl.OP_NO_SSLv2,
    ssl.OP_NO_SSLv3,
    ssl.OP_NO_TLSv1,
    ssl.OP_NO_TLSv1_1,
    ssl.OP_NO_TLSv1_2,
    OP_NO_TLSv1_3
]

OP_NO_MASK = sum(OP_NO_FLAGS)


class TLSVersions(Enum):
    SSLv2 = 'SSL 2.0', 0x0200, 0
    SSLv3 = 'SSL 3.0', 0x0300, 1
    TLSv1 = 'TLS 1.0', 0x0301, 2
    TLSv1_1 = 'TLS 1.1', 0x0302, 3
    TLSv1_2 = 'TLS 1.2', 0x0303, 4

    if OP_NO_TLSv1_3:
        TLSv1_3 = 'TLS 1.3', 0x0304, 5
        MAX = TLSv1_3
    else:
        MAX = TLSv1_2

    MIN = TLSv1

    def __init__(self, prettyname, wireprotocol, offset):
        self.prettyname = prettyname
        self.wireprotocol = wireprotocol
        self.noflag = OP_NO_FLAGS[offset]
        self.minflag = sum(OP_NO_FLAGS[:offset])
        self.maxflag = sum(OP_NO_FLAGS[offset+1:])

    def __repr__(self):
        return ("<{0.__class__.__name__}.{0.name} "
                "({0.prettyname}, 0x{0.wireprotocol:x})>").format(self)

    __str__ = __repr__


class SSLContext(ssl.SSLContext):
    def set_version(self, minver=TLSVersions.MIN, maxver=TLSVersions.MAX):
        options = self.options & ~OP_NO_MASK
        self.options = options | minver.minflag | maxver.maxflag


if __name__ == '__main__':
    for name, member in TLSVersions.__members__.items():
        print(name, member)

    ctx = SSLContext(ssl.PROTOCOL_SSLv23)
    print(ctx.options)
    ctx.set_version(minver=TLSVersions.SSLv3, maxver=TLSVersions.TLSv1_1)
    print(ctx.options)
msg312853 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-25 20:25 
My issue #32609 provides a better implementation.
History
Date User Action Args
2022-04-11 14:58:35adminsetgithub: 72063
2018-02-25 20:25:37christian.heimessetstatus: open -> closed
superseder: Add setter and getter for min/max protocol version
messages: + msg312853

resolution: duplicate
stage: resolved
2017-01-06 14:31:26christian.heimessetmessages: + msg284822
versions: + Python 3.7, - Python 3.6
2016-09-15 08:33:50giampaolo.rodolasetnosy: - giampaolo.rodola
2016-09-15 07:58:02christian.heimessetassignee: christian.heimes
components: + SSL
2016-08-27 10:30:35christian.heimescreate