Issue 23111: ftplib.FTP_TLS's default constructor does not work with TLSv1.1 or TLSv1.2 (original) (raw)

Created on 2014-12-24 21:45 by varde, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (9)
msg233087 - (view)	Author: (varde)	Date: 2014-12-24 21:45
When trying to connect to a server which only supports TLS version 1.1 or 1.2, the following error is raised: ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:598) For some reason, the SSL version is set to ssl.PROTOCOL_TLSv1 before initialisation and an SSL context is created in __init__, making any subsequent change to ssl_version useless. The only way to establish a successful connection is to pass a custom SSL context to the constructor. I think ssl_version should be settable at construction time before the context is created. I'm not sure exposing ssl_version is useful either, the documentation mentions it but it has no use after initialisation. The following lines should also be changed: if self.ssl_version == ssl.PROTOCOL_TLSv1: resp = self.voidcmd('AUTH TLS')
msg233118 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2014-12-26 21:38
> The only way to establish a successful connection is to pass a custom SSL context to the constructor. Why don't you do just that?
msg233155 - (view)	Author: (varde)	Date: 2014-12-28 22:01
Well, because the ssl_version parameter should have a purpose. If it doesn't, the least we could do is remove it from the docs.
msg233214 - (view)	Author: Giampaolo Rodola' (giampaolo.rodola) *	Date: 2014-12-30 18:12
ssl_version is a class attribute so you can simply set that before instantiating FTP_TLS class: >>> import ftplib >>> ftplib.FTP_TLS.ssl_version = ... >>> client = ftplib.FTP_TLS(...) >>> ...
msg233217 - (view)	Author: (varde)	Date: 2014-12-30 19:34
I know that, but it seems pretty unusual. And I would never had guessed from the documentation, I had to read the source. My point is that it should be easier to just connect to a TLSv1.2 server: the documentation should mention the fact that ssl_version is a class attribute or it should be set to something more compatible like ssl.PROTOCOL_SSLv23. I'm not sure about the implications of the latter. I'm not saying that this is a serious bug, but I'm used to Python providing us with something that works (more or less) out of the box.
msg233221 - (view)	Author: Roundup Robot (python-dev)	Date: 2014-12-30 21:16
New changeset 414c450e8406 by Benjamin Peterson in branch '3.4': make PROTOCOL_SSLv23 the default protocol version for ftplib (closes #23111) https://hg.python.org/cpython/rev/414c450e8406 New changeset 33603f7949c5 by Benjamin Peterson in branch 'default': merge 3.4 (#23111) https://hg.python.org/cpython/rev/33603f7949c5
msg233222 - (view)	Author: Roundup Robot (python-dev)	Date: 2014-12-30 21:17
New changeset 29689050ec78 by Benjamin Peterson in branch '3.4': update docs for #23111 https://hg.python.org/cpython/rev/29689050ec78
msg233421 - (view)	Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) *	Date: 2015-01-04 16:13
I think that this fix should be applied also in 2.7 branch.
msg233423 - (view)	Author: Roundup Robot (python-dev)	Date: 2015-01-04 16:20
New changeset 98ee845a139a by Benjamin Peterson in branch '2.7': make SSLv23 the default version in ftplib (closes #23111) https://hg.python.org/cpython/rev/98ee845a139a