Re: ssl module - how can I accept SSLv3 and TLSv1 protocols only?

Discussion in 'Python' started by Jean-Paul Calderone, Jan 7, 2009.

  1. On Tue, 6 Jan 2009 19:01:48 -0800 (PST), Giampaolo Rodola' <> wrote:
    >Hi,
    >I'm trying to add TLS/SSL support to pyftpdlib.
    >Since various defects have been found in the SSLv2 protocol many FTPS
    >servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1
    >only and systematically reject any client attempting to use SSLv2.
    >Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1
    >connections only?
    >If that's not possible can I determine the encryption protocol being
    >used *after* that the SSL/TLS handshake took place?
    >
    >
    >I tried to use wrap_socket as follows:
    >
    >self.socket = ssl.wrap_socket(self.socket,
    >                              certfile=CERTFILE,
    >                              server_side=True,
    >                              ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1)
    >
    >...it works if on the client side I use TLSv1 but not if I use SSLv3
    >("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL
    >routines:SSL3_READ_BYTES:sslv 3 alert handshake failure" exception is
    >raised)
    >


    At the OpenSSL level, you do this by specifying SSLv23_METHOD and then
    setting the SSL_OP_NO_SSLv2 flag. With pyOpenSSL, you do this by
    creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on
    it, like so:

    from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2
    context = Context(SSLv23_METHOD)
    context.set_options(OP_NO_SSLv2)

    It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23,
    but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any
    extra flags.

    ORing PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly
    not the right approach, anyway (as you saw with your tests).

    Jean-Paul
     
    Jean-Paul Calderone, Jan 7, 2009
    #1
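The same restriction expressed against the current Python ssl module, as an added example that is not code from the thread or from pyftpdlib. It assumes Python 3.7 or later (ssl.TLSVersion and SSLContext.minimum_version) built against OpenSSL 1.1.0 or newer; the certificate and key paths are placeholders the caller supplies. It also answers the second question in the original post: SSLSocket.version() reports the protocol actually negotiated once the handshake is done.

```python
import ssl
from typing import Optional, Tuple

# Assumption: Python 3.7+ on OpenSSL 1.1.0+. Nothing here comes from
# pyftpdlib; it only mirrors the OP's server-side wrap_socket() call.


def make_server_context(certfile: Optional[str] = None,
                        keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context that negotiates the highest version both ends share
    but refuses anything below TLS 1.2 (SSLv2/SSLv3 included)."""
    # PROTOCOL_TLS_SERVER is the modern name for the "SSLv23 method" from
    # the reply above: auto-negotiate the version instead of pinning one.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Direct analogue of pyOpenSSL's context.set_options(OP_NO_SSLv2).
    # Current Python sets both bits by default; shown to make the mapping
    # explicit. OP_NO_SSLv2 is 0 on OpenSSL builds with SSLv2 removed.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # The preferred modern control is a version floor rather than per-version
    # OP_NO_* flags; a client capped below this fails the handshake with a
    # protocol-version alert instead of silently downgrading.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        # Placeholder paths; a real server loads its own chain and key here.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the context's version policy, for logging or
    for a startup self-check that refuses to serve with a weak config."""
    return {
        "server_side": ctx.protocol == ssl.PROTOCOL_TLS_SERVER,
        "minimum_version": ctx.minimum_version.name,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
    }


def accept_tls(ctx: ssl.SSLContext, plain_conn) -> Tuple[ssl.SSLSocket, str]:
    """Wrap an accepted TCP connection, run the handshake, and return the
    TLS socket together with the protocol that was actually negotiated."""
    # Replaces ssl.wrap_socket(..., server_side=True) from the original post;
    # do_handshake_on_connect defaults to True, so the handshake runs here.
    tls = ctx.wrap_socket(plain_conn, server_side=True)
    # version() is only meaningful after the handshake: e.g. 'TLSv1.2' or
    # 'TLSv1.3'. Logging it is the simplest way to audit what peers use.
    return tls, tls.version()


if __name__ == "__main__":
    print(policy_summary(make_server_context()))
```

policy_summary() is deliberately separate from the context so a server can assert on it at startup (for instance, refuse to listen if the floor is below TLS 1.2) without opening a socket; accept_tls() needs a context that has a certificate loaded.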

  2. On 7 Gen, 14:21, Jean-Paul Calderone <> wrote:
    > On Tue, 6 Jan 2009 19:01:48 -0800 (PST), Giampaolo Rodola' <> wrote:
    > >Hi,
    > >I'm trying to add TLS/SSL support to pyftpdlib.
    > >Since various defects have been found in the SSLv2 protocol many FTPS
    > >servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1
    > >only and systematically reject any client attempting to use SSLv2.
    > >Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1
    > >connections only?
    > >If that's not possible can I determine the encryption protocol being
    > >used *after* that the SSL/TLS handshake took place?
    >
    > >I tried to use wrap_socket as follows:
    >
    > >self.socket = ssl.wrap_socket(self.socket,
    > >                              certfile=CERTFILE,
    > >                              server_side=True,
    > >                              ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1)
    >
    > >...it works if on the client side I use TLSv1 but not if I use SSLv3
    > >("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL
    > >routines:SSL3_READ_BYTES:sslv 3 alert handshake failure" exception is
    > >raised)
    >
    > At the OpenSSL level, you do this by specifying SSLv23_METHOD and then
    > setting the SSL_OP_NO_SSLv2 flag.  With pyOpenSSL, you do this by
    > creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on
    > it, like so:
    >
    >     from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2
    >     context = Context(SSLv23_METHOD)
    >     context.set_options(OP_NO_SSLv2)
    >
    > It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23,
    > but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any
    > extra flags.
    >
    > ORing PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly
    > not the right approach, anyway (as you saw with your tests).
    >
    > Jean-Paul


    This is pretty bad news.
    I'm going to open a request on the bug tracker hoping that this
    situation can be solved soon.
    Thanks for your reply anyway.


    Sincerely

    --- Giampaolo
    http://code.google.com/p/pyftpdlib
     
    Giampaolo Rodola', Jan 7, 2009
    #2
