[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes

Christian Heimes added the comment:

Ah, here we go: 
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch

Debian patched the default for SSL_CTX_set_min_proto_version(). The 
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() API calls 
are OpenSSL 1.1.0-only and not available from Python. It is not possible to 
override the minimum version from Python.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer

Adrian Vollmer added the comment:

Okay, thanks for your time!

--




[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes

Christian Heimes added the comment:

Please report this issue to the Debian maintainers. I don't know how Debian has 
disabled TLS 1.0 and TLS 1.1 for the SSL_METHOD *TLS_method(void). It might not 
be possible to enable auto-negotiation for old protocols at all.

--




[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer

Adrian Vollmer added the comment:

Doesn't seem to do anything:

>>> ctx.options
2181170175L
>>> ctx.options & ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
2181170175L

--




[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes

Christian Heimes added the comment:

You have to enable the protocols by applying a reverse bitmask to 
SSLContext.options:

import ssl

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
ctx.load_cert_chain('server.pem')
# clear the OP_NO_* bits so TLS 1.0 and TLS 1.1 are no longer excluded
ctx.options &= ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)

# s is the already-accepted server-side socket
sslsock = ctx.wrap_socket(s, server_side=True)

--


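The bitmask fix above, and the point made later in this thread that the minimum protocol version Debian changed is a separate OpenSSL setting which Python 3.5 cannot reach, can both be checked with the following script. It is an added example, not code from the thread or from CPython: it decodes which OP_NO_* bits an options value actually carries, applies the reverse bitmask and reports whether anything changed, and models the min/max protocol-version bound that no OP_NO_* bit can undo. It assumes Python 3.7 or later for context_bounds(), which reads that bound through SSLContext.minimum_version / maximum_version; ADRIAN_OPTIONS is the options value printed earlier in the thread.

```python
import ssl

# OP_NO_* bits for the versions the thread discusses, as plain ints so the
# bit arithmetic below is not affected by the ssl.Options enum's wrapping.
VERSION_BITS = {"SSLv3": int(ssl.OP_NO_SSLv3), "TLSv1": int(ssl.OP_NO_TLSv1),
                "TLSv1.1": int(ssl.OP_NO_TLSv1_1), "TLSv1.2": int(ssl.OP_NO_TLSv1_2)}
# Protocol version codes as used on the wire and by ssl.TLSVersion (3.7+).
WIRE_CODE = {"SSLv3": 0x300, "TLSv1": 0x301, "TLSv1.1": 0x302, "TLSv1.2": 0x303}
# The SSLContext.options value Adrian printed on Debian buster/sid (OpenSSL 1.1.0f).
ADRIAN_OPTIONS = 2181170175

def disabled_by_options(options):
    """Names of the versions whose OP_NO_* bit is set in `options`."""
    options = int(options)
    return [name for name, bit in VERSION_BITS.items() if options & bit]

def clear_legacy_bits(options):
    """The reverse-bitmask fix from the thread, on a raw options value.
    Returns (new_options, bits_actually_cleared); a zero second element is
    the "doesn't seem to do anything" case: the bits were never set."""
    mask = VERSION_BITS["TLSv1"] | VERSION_BITS["TLSv1.1"]
    options = int(options)
    return options & ~mask, options & mask

def negotiable(options, min_version=0, max_version=0xFFFF):
    """Versions that pass both filters OpenSSL applies: the OP_NO_* bits and
    the SSL_CTX_set_{min,max}_proto_version bound. 0 / 0xFFFF mean "no bound"
    (unpatched OpenSSL 1.1.0); Debian's patch defaults the minimum to 0x303."""
    blocked = set(disabled_by_options(options))
    return [name for name, code in WIRE_CODE.items()
            if name not in blocked and min_version <= code <= max_version]

def context_bounds(ctx=None):
    """Read the bound from a live context via SSLContext.minimum_version /
    maximum_version (Python 3.7+); the negative MINIMUM_/MAXIMUM_SUPPORTED
    sentinels mean "no bound". Defaults to a fresh server-side context."""
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    lo, hi = int(ctx.minimum_version), int(ctx.maximum_version)
    return (lo if lo > 0 else 0), (hi if hi > 0 else 0xFFFF)

if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("Adrian's options + Debian's minimum:", negotiable(ADRIAN_OPTIONS, 0x303))
    print("this interpreter's server context:", negotiable(ctx.options, *context_bounds(ctx)))
```

With Adrian's value the OP_NO_TLSv1 and OP_NO_TLSv1_1 bits are already clear, so clear_legacy_bits() changes nothing and only the minimum-version bound explains why TLS 1.2 alone is offered.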

[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer

Adrian Vollmer added the comment:

I read about that, but I don't understand. If I use openssl s_server -port , I can connect using either one of the three protocols.

Even if that's the new default, is there no way now to get python on Buster/Sid 
to use OpenSSL in a non-default mode and have it offer all three versions?

--




[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Christian Heimes

Christian Heimes added the comment:

Debian Buster has patched OpenSSL to disable TLS 1.0 and 1.1 by default, 
https://lists.debian.org/debian-devel-announce/2017/08/msg4.html

--




[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer

Adrian Vollmer added the comment:

Debian buster/sid

--




[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Adrian Vollmer

New submission from Adrian Vollmer:

According to the documentation 
(https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS), using 
ssl_version = ssl.PROTOCOL_TLS in a server socket should offer all TLS/SSL 
versions. However, it only offers TLSv1_2.

I attached a proof of concept.


$ python3 poc.py
3.5.4 (default, Aug 12 2017, 14:08:14)
[GCC 7.1.0]
OpenSSL 1.1.0f  25 May 2017
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:719)
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:719)
b'test\n'

$ python2 poc.py
2.7.13 (default, Jan 19 2017, 14:48:08)
[GCC 6.3.0 20170118]
OpenSSL 1.1.0f  25 May 2017
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
test


To connect with s_client:

 $ for i in {tls1,tls1_1,tls1_2} ; do echo test | openssl s_client -connect 
localhost: -CAfile server.pem -quiet -$i ; done
140164347663616:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert 
protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70
139926441944320:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert 
protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
read:errno=0

--
assignee: christian.heimes
components: SSL
files: poc.py
messages: 302081
nosy: adrianv, christian.heimes
priority: normal
severity: normal
status: open
title: ssl.PROTOCOL_TLS only select TLSv1.2
type: behavior
versions: Python 2.7, Python 3.5
Added file: https://bugs.python.org/file47139/poc.py




[issue31453] ssl.PROTOCOL_TLS only select TLSv1.2

2017-09-13 Thread Alex Gaynor

Alex Gaynor added the comment:

What operating system are you on?

--
nosy: +Alex Gaynor
