[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS
Adrian Vollmer added the comment: I have a workaround for now: versions = [ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, ] firstbytes = s.recv(16, socket.MSG_PEEK) ss = ssl.wrap_socket( s, server_side=True, certfile="server.pem", keyfile="server.pem", # ssl_version=versions[ord(firstbytes[10])-1] # python2 ssl_version=versions[firstbytes[10]-1] ) How much of an ugly hack is this? :) -- versions: -Python 3.6, Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31453> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment: Okay, thanks for your time! -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31453> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment: Doesn't seem to do anything: >>> ctx.options 2181170175L >>> ctx.options & ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1) 2181170175L -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31453> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment: I read about that, but I don't understand. If I use openssl s_server -port , I can connect using either one of the three protocols. Even if that's the new default, is there no way now to get python on Buster/Sid to use OpenSSL in a non-default mode and have it offer all three versions? -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31453> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment: Debian buster/sid -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31453> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
New submission from Adrian Vollmer:
According to the documentation
(https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS), using
ssl_version = ssl.PROTOCOL_TLS in a server socket should offer all TLS/SSL
versions. However, it only offers TLSv1_2.
I attached a proof of concept.
$ python3 poc.py
3.5.4 (default, Aug 12 2017, 14:08:14)
[GCC 7.1.0]
OpenSSL 1.1.0f 25 May 2017
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:719)
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:719)
b'test\n'
$ python2 poc.py
2.7.13 (default, Jan 19 2017, 14:48:08)
[GCC 6.3.0 20170118]
OpenSSL 1.1.0f 25 May 2017
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
test
To connect with s_client:
$ for i in {tls1,tls1_1,tls1_2} ; do echo test | openssl s_client -connect
localhost: -CAfile server.pem -quiet -$i ; done
140164347663616:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert
protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70
139926441944320:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert
protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
read:errno=0
--
assignee: christian.heimes
components: SSL
files: poc.py
messages: 302081
nosy: adrianv, christian.heimes
priority: normal
severity: normal
status: open
title: ssl.PROTOCOL_TLS only select TLSv1.2
type: behavior
versions: Python 2.7, Python 3.5
Added file: https://bugs.python.org/file47139/poc.py
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31453>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
