Message 232551 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	alex, benjamin.peterson, christian.heimes, doko, dstufft, giampaolo.rodola, janssen, kroeckx, lemburg, ned.deily, pitrou, python-dev, vstinner
Date	2014-12-12.14:48:02
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<548B001A.9060407@egenix.com>
In-reply-to	<CAMpsgwYfg88Ew95SUx5j_TqG8pc0EfqXChZbceGUMuLi6ta-hg@mail.gmail.com>

Content
> STINNER Victor added the comment: > >> Any of the other options such as PROTOCOL_TLSv1 will fix the protocol version to that one protocol version, whereas PROTOCOL_SSLv23 means to use any protocol starting with SSLv2. In the context options you can then disable SSLv2 and SSLv3 to e.g. have the connection use TLS 1.0 or later. > > get_server_certificate() uses _create_unverified_context() (In Python > 2.7, 3.4 & 3.5) which explicitly disable SSLv2 and SSLv3. I still have > trouble to understand which protocol will be negociated. We use SSLv3 > and disable SSLv3, so the server can only use SSLv23. Am I right? > https://docs.python.org/dev/library/ssl.html#ssl.wrap_socket I'm not sure what OpenSSL will do if you tell it to use protocol SSLv3 and then disable this via the options again. This sounds like it won't connect at all, since PROTOCOL_SSLv3 means: only support SSLv3 :-) The logic used for protocol selection in OpenSSL is, well, weird. You have the choice between fixing one single protocol version or selecting a range and then disabling certain protocol versions when configuring the context options. FWIW: The ssl_version parameter in _create_unverified_context() already uses the correct default; IMO, exposing the parameter in get_server_certificate() is fairly useless, unless you want to (ab)use the function to test supported protocol versions :-)

> STINNER Victor added the comment:
> 
>> Any of the other options such as PROTOCOL_TLSv1 will fix the protocol version to that one protocol version, whereas PROTOCOL_SSLv23 means to use any protocol starting with SSLv2. In the context options you can then disable SSLv2 and SSLv3 to e.g. have the connection use TLS 1.0 or later.
> 
> get_server_certificate() uses _create_unverified_context() (In Python
> 2.7, 3.4 & 3.5) which explicitly disable SSLv2 and SSLv3. I still have
> trouble to understand which protocol will be negociated. We use SSLv3
> and disable SSLv3, so the server can only use SSLv23. Am I right?
> https://docs.python.org/dev/library/ssl.html#ssl.wrap_socket

I'm not sure what OpenSSL will do if you tell it to use protocol
SSLv3 and then disable this via the options again. This sounds like
it won't connect at all, since PROTOCOL_SSLv3 means: only support
SSLv3 :-)

The logic used for protocol selection in OpenSSL is, well, weird.
You have the choice between fixing one single protocol version or
selecting a range and then disabling certain protocol versions
when configuring the context options.

FWIW: The ssl_version parameter in _create_unverified_context()
already uses the correct default; IMO, exposing the parameter
in get_server_certificate() is fairly useless, unless you want
to (ab)use the function to test supported protocol versions :-)

History
Date	User	Action	Args
2014-12-12 14:48:03	lemburg	set	recipients: + lemburg, doko, janssen, pitrou, vstinner, giampaolo.rodola, christian.heimes, benjamin.peterson, ned.deily, alex, python-dev, dstufft, kroeckx
2014-12-12 14:48:03	lemburg	link	issue22935 messages
2014-12-12 14:48:02	lemburg	create