Github user jeking3 commented on the issue: https://github.com/apache/thrift/pull/1185 @nsuke I am using the ubuntu docker image with python 2.7.6 in it and I changed the ssl server code in python to use SSLv23 unconditionally as a test and ran make cross, and everything passes: ``` diff --git a/lib/py/src/transport/TSSLSocket.py b/lib/py/src/transport/TSSLSocket.py index 0f7d45e9..86968081 100644 --- a/lib/py/src/transport/TSSLSocket.py +++ b/lib/py/src/transport/TSSLSocket.py 
@@ -40,13 +40,8 @@ class TSSLBase(object): # ciphers argument is not available for Python < 2.7.0 _has_ciphers = sys.hexversion >= 0x020700F0 - # For pythoon >= 2.7.9, use latest TLS that both client and server - # supports. - # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3. - # For pythoon < 2.7.9, use TLS 1.0 since TLSv1_X nor OP_NO_SSLvX is - # unavailable. - _default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else \ - ssl.PROTOCOL_TLSv1 + # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3 + _default_protocol = ssl.PROTOCOL_SSLv23 def _init_context(self, ssl_version): if self._has_ssl_context: ``` By specifying PROTOCOL_TLSv1 it breaks compatibility with the universal SSLv3 hello handshake from which SSL determines the best protocol. This is the reason why the csharp and d servers are not compatible with all the other clients right now. PROTOCOL_SSLv23 is the best choice. The python doesn't break saying the OP_NO_SSLv* are not defined. I looked at the .NET documentation for the csharp SslProtocol enumeration. I don't see one that allows for the SSLv23 handshake AND disables negotiation of SSLv2 or SSLv3. There is a story in the backlog I originated to push every SSL implementation by default to negotiate only at TLSv1_2 by default, and the consuming application can then decide if it wants to relax that. This would make consumption of thrift safer. When we do that story, this SSLv23 hello handshake issue will no longer be an issue for the CI build / make cross.
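Review bot: the new comment ("SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3") is now unconditional, but the removed comment on the same lines says those options do not exist for Python < 2.7.9, and the surviving `if self._has_ssl_context:` branch in `_init_context` suggests the options are only applied on the SSLContext path. On an older interpreter `PROTOCOL_SSLv23` would then allow an SSLv3 peer to negotiate SSLv3, which the old `_default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else ssl.PROTOCOL_TLSv1` fallback deliberately avoided; `make cross` passing on 2.7.6 shows the import does not fail, not that SSLv3 is refused. Either keep the fallback for the non-context path, or make the comment state explicitly that SSLv3 is only disabled when `_has_ssl_context` is true.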