| msg150963 - (view) |
Author: Ben Darnell (Ben.Darnell) * |
Date: 2012-01-09 19:10 |
| The ssl module docs claim that the default ssl_version for client-side operation is SSLv3, but it is actually SSLv23. The exact behavior depends on the version of openssl: starting in 1.0 the connection is limited by default to SSLv3 or TLSv1 (as documented in the note below the compatibility table), but in older versions of openssl SSLv2 is allowed by default. This is just a documentation error if you've got a recent version of openssl, but it's also a security problem with older versions, since people may have been unknowingly using the weaker SSLv2 protocol. (I don't know how widespread pre-1.0 versions of openssl are these days, but OSX Lion still ships with 0.9.8) It would be nice if the default mode were SSLv23 with SSL_OP_NO_SSLv2 set so the defaults would be safe even with older versions of openssl (there's no way to set this configuration from python code before py3.2) Also, the compatibility table claims that an SSLv3 client can talk to an SSLv2 server, which is incorrect. SSLv23 clients can talk to SSLv3 and TLSv1 servers if openssl is at least version 1.0 and SSLv2 ciphers are not explicitly enabled. |
|
|
| msg150976 - (view) |
Author: Roundup Robot (python-dev)  |
Date: 2012-01-09 20:44 |
| New changeset 3db0abf3058b by Antoine Pitrou in branch '2.7': Issue #13747: fix documentation error about the default SSL version. http://hg.python.org/cpython/rev/3db0abf3058b New changeset 4f14c249f3de by Antoine Pitrou in branch '2.7': Issue #13747: fix SSL compatibility table. http://hg.python.org/cpython/rev/4f14c249f3de |
|
|
| msg150977 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2012-01-09 20:47 |
| New changeset 7ae0f71862f9 by Antoine Pitrou in branch '3.2': Issue #13747: fix documentation error about the default SSL version. http://hg.python.org/cpython/rev/7ae0f71862f9 New changeset b4194af97948 by Antoine Pitrou in branch '3.2': Issue #13747: fix SSL compatibility table. http://hg.python.org/cpython/rev/b4194af97948 New changeset d2a47650031a by Antoine Pitrou in branch 'default': Merge SSL doc fixes (issue #13747). http://hg.python.org/cpython/rev/d2a47650031a |
|
|
| msg150980 - (view) |
Author: Antoine Pitrou (pitrou) *  |
Date: 2012-01-09 21:03 |
| Thanks for noticing. I've now fixed the docs. > It would be nice if the default mode were SSLv23 with SSL_OP_NO_SSLv2 > set so the defaults would be safe even with older versions of openssl Mmmh, perhaps, although wouldn't someone deploying a new version of Python also deploy a new version of OpenSSL? |
|
|
| msg150995 - (view) |
Author: Ben Darnell (Ben.Darnell) * |
Date: 2012-01-10 01:38 |
| Not necessarily. If I want to run python 2.7 or 3.x on an older linux distribution (e.g. Ubuntu 10.04 LTS, which has python 2.6 and openssl 0.9.8), I need to build from source, but I wouldn't think to update/rebuild all the dependencies from the ground up. |
|
|
| msg183730 - (view) |
Author: Florian Weimer (fweimer) |
Date: 2013-03-08 09:26 |
| OpenSSL cross-version updates are sometimes difficult because they invalidate certifications. Updating Python to SSLv23 with SSL_OP_NO_SSLv2 is comparatively easy and also much less riskier. Shall I submit a patch which changes the default? I would also like to restrict the cipher suites to strong ones plus RC4, so that Python code isn't forced to set cipher preferences. |
|
|
| msg183733 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2013-03-08 10:23 |
| Florian this was already handled in issue #13636 (changeset f9122975fd80). |
|
|