Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1185
  
    @nsuke I am using the ubuntu docker image with python 2.7.6 in it and I changed the ssl server code in python to use SSLv23 unconditionally as a test and ran make cross, and everything passes:
    
    ```
    diff --git a/lib/py/src/transport/TSSLSocket.py 
b/lib/py/src/transport/TSSLSocket.py
    index 0f7d45e9..86968081 100644
    --- a/lib/py/src/transport/TSSLSocket.py
    +++ b/lib/py/src/transport/TSSLSocket.py
    @@ -40,13 +40,8 @@ class TSSLBase(object):
         # ciphers argument is not available for Python < 2.7.0
         _has_ciphers = sys.hexversion >= 0x020700F0
     
    -    # For pythoon >= 2.7.9, use latest TLS that both client and server
    -    # supports.
    -    # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
    -    # For pythoon < 2.7.9, use TLS 1.0 since TLSv1_X nor OP_NO_SSLvX is
    -    # unavailable.
    -    _default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else \
    -        ssl.PROTOCOL_TLSv1
    +    # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3
    +    _default_protocol = ssl.PROTOCOL_SSLv23
     
         def _init_context(self, ssl_version):
             if self._has_ssl_context:
    ```
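Review bot: the retained comment `+    # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3` is no longer accurate for every interpreter the new unconditional `_default_protocol = ssl.PROTOCOL_SSLv23` now covers: the deleted lines explained that on Python < 2.7.9 neither the `OP_NO_SSLvX` options nor an SSLContext exist, and the following `_init_context` still branches on `self._has_ssl_context`, so on those versions the SSLv23 method is used with nothing to refuse SSLv3 and a peer offering only SSLv3 can be accepted. Either keep a fallback for the non-context path, or reword the comment to say the SSLv2/SSLv3 exclusion only applies when `_has_ssl_context` is true and call out the residual downgrade exposure on old Pythons.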
    
    By specifying PROTOCOL_TLSv1 it breaks compatibility with the universal SSLv3 hello handshake from which SSL determines the best protocol.  This is the reason why the csharp and d servers are not compatible with all the other clients right now.  PROTOCOL_SSLv23 is the best choice.  The python doesn't break saying the OP_NO_SSLv* are not defined.
    
    I looked at the .NET documentation for the csharp SslProtocol enumeration.  I don't see one that allows for the SSLv23 handshake AND disables negotiation of SSLv2 or SSLv3.
    
    There is a story in the backlog I originated to push every SSL implementation by default to negotiate only at TLSv1_2 by default, and the consuming application can then decide if it wants to relax that.  This would make consumption of thrift safer.  When we do that story, this SSLv23 hello handshake issue will no longer be an issue for the CI build / make cross.
