[issue31453] Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS
Adrian Vollmer added the comment:

I have a workaround for now:

versions = [ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, ]
firstbytes = s.recv(16, socket.MSG_PEEK)
ss = ssl.wrap_socket(
    s,
    server_side=True,
    certfile="server.pem",
    keyfile="server.pem",
    # ssl_version=versions[ord(firstbytes[10])-1] # python2
    ssl_version=versions[firstbytes[10]-1]
)

How much of an ugly hack is this? :)

--
versions: -Python 3.6, Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31453>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
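The workaround above reads byte 10 of the peeked data, which is the minor version of the ClientHello's client_version field. As an added example (not part of the original post or of poc.py), this sketch parses the same peeked bytes but validates the record and handshake headers before trusting that byte; the function and constant names are assumptions made here, and the sample bytes are constructed.

```python
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type: ClientHello

# client_version (major, minor) -> protocol name
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",  # TLS 1.3 clients also send 3.3 here (legacy_version)
}


def client_hello_version(peeked):
    """Return the protocol name offered in a peeked ClientHello, or None.

    Byte layout of the prefix:
      0     record content type
      1-2   record-layer version
      3-4   record length
      5     handshake message type
      6-8   handshake length (24 bit)
      9-10  client_version; byte 10 is the minor version the workaround reads
    """
    if len(peeked) < 11:
        return None  # short read: MSG_PEEK may return fewer bytes than asked
    ctype, rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", peeked[:5])
    if ctype != HANDSHAKE or rec_major != 3:
        return None  # not a TLS handshake record (plain HTTP, SSLv2 hello, ...)
    if peeked[5] != CLIENT_HELLO or rec_len < 6:
        return None  # record too small to hold handshake header + version
    return VERSION_NAMES.get((peeked[9], peeked[10]))


def sample_prefix(minor):
    """Constructed sample: first 16 bytes of a ClientHello offering 3.<minor>."""
    record = bytes([HANDSHAKE, 3, 1, 0x00, 0x2F])
    handshake = bytes([CLIENT_HELLO, 0x00, 0x00, 0x2B, 3, minor])
    return record + handshake + b"\x00" * 5


if __name__ == "__main__":
    for minor in (1, 2, 3):
        print(minor, client_hello_version(sample_prefix(minor)))
    print(client_hello_version(b"GET / HTTP/1.1\r\n"))  # not TLS
```

A None result means the peeked bytes are not a ClientHello this parser understands, so the caller should not index into a version list with them.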
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment:

Okay, thanks for your time!
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment:

Doesn't seem to do anything:

>>> ctx.options
2181170175L
>>> ctx.options & ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
2181170175L
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment:

I read about that, but I don't understand. If I use openssl s_server -port , I can connect using either one of the three protocols. Even if that's the new default, is there no way now to get python on Buster/Sid to use OpenSSL in a non-default mode and have it offer all three versions?
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
Adrian Vollmer added the comment:

Debian buster/sid
[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2
New submission from Adrian Vollmer:

According to the documentation (https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS), using ssl_version = ssl.PROTOCOL_TLS in a server socket should offer all TLS/SSL versions. However, it only offers TLSv1_2.

I attached a proof of concept.

$ python3 poc.py
3.5.4 (default, Aug 12 2017, 14:08:14)
[GCC 7.1.0]
OpenSSL 1.1.0f 25 May 2017
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:719)
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:719)
b'test\n'

$ python2 poc.py
2.7.13 (default, Jan 19 2017, 14:48:08)
[GCC 6.3.0 20170118]
OpenSSL 1.1.0f 25 May 2017
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
test

To connect with s_client:

$ for i in {tls1,tls1_1,tls1_2} ; do echo test | openssl s_client -connect localhost: -CAfile server.pem -quiet -$i ; done
140164347663616:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70
139926441944320:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
read:errno=0

--
assignee: christian.heimes
components: SSL
files: poc.py
messages: 302081
nosy: adrianv, christian.heimes
priority: normal
severity: normal
status: open
title: ssl.PROTOCOL_TLS only select TLSv1.2
type: behavior
versions: Python 2.7, Python 3.5

Added file: https://bugs.python.org/file47139/poc.py