msg79357
Author: Giampaolo Rodola' (giampaolo.rodola)
Date: 2009-01-07 18:11
As came up here: http://groups.google.it/group/comp.lang.python/browse_thread/thread/7d5b96f9bacb03d3?hl=it# ...the ssl module does not provide any facility to disable SSL version 2. This is very important when writing SSLv3/TLSv1 compatible servers.

msg79362
Author: Bill Janssen (janssen)
Date: 2009-01-07 19:06
Actually, that's not quite true. Specifying TLSv1 or SSLv3 on the server side will disable SSLv2. However, there's currently no way to specify SSLv3 *or* TLSv1 *but not* SSLv2. This looks easy to fix; I'll add another entry to the list of protocol versions, which when selected will cause the server to use SSLv23, but will cause SSLv2 clients to be rejected.

msg79364
Author: Giampaolo Rodola' (giampaolo.rodola)
Date: 2009-01-07 19:15
> Actually, that's not quite true.
> Specifying TLSv1 or SSLv3 on the
> server side will disable SSLv2.

There are use cases like FTPS where it is desirable that servers support SSLv3 *and* TLSv1. To do that with OpenSSL, the SSLv23 protocol must be specified and SSLv2 must be explicitly disabled afterward. As far as I've understood, using SSLv23 on the server side means that when the client connects it could decide whether to use SSLv2, SSLv3 or TLSv1.

msg97679
Author: Jeremy Kloth (jeremy.kloth)
Date: 2010-01-13 01:49
I have developed a patch that adds the ability to disable SSLv2, SSLv3 and TLSv1 when using the SSLv23 method. It changes Modules/_ssl.c, Lib/ssl.py and Doc/library/ssl.rst.

msg103792
Author: Antoine Pitrou (pitrou)
Date: 2010-04-20 23:28
Here is an adapted patch for py3k. It also adds a couple of test cases.

msg104363
Author: Antoine Pitrou (pitrou)
Date: 2010-04-27 21:08
Here is an updated patch for py3k (the previous one didn't apply cleanly).

msg105884
Author: Antoine Pitrou (pitrou)
Date: 2010-05-16 22:09
Here is an updated patch, following checkin of the new SSL contexts. Options can be specified as an `options` property on SSL contexts.

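A worked example of the `options` mechanism described in the message above, added here and not part of the tracker thread or its patch: it builds an auto-negotiating server context (`PROTOCOL_TLS_SERVER`, the current name for the SSLv23 method), switches protocol versions off by setting `OP_NO_*` bits and back on by clearing them, and reports which versions a context refuses. The function names and the version-name keys are my own; the constants are the ssl module's.

```python
import ssl
import warnings

# OP_NO_* bit for each protocol version (the ssl module's own constants;
# the version names used as keys are mine).
VERSION_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}

def _set_options(ctx, value):
    # Python 3.10+ warns that OP_NO_* is deprecated in favour of
    # minimum_version; the bits still work, so silence that here.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options = value

def make_server_context(disable=("SSLv2", "SSLv3")):
    """Auto-negotiating server context (PROTOCOL_TLS_SERVER is today's name
    for the SSLv23 method) with the named versions switched off via the
    `options` property. Current Python already sets OP_NO_SSLv2 | OP_NO_SSLv3
    by default; setting them again is harmless and keeps the intent explicit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in disable:
        _set_options(ctx, ctx.options | VERSION_FLAGS[name])  # KeyError if unknown
    return ctx

def enable_version(ctx, name):
    """Clear one OP_NO_* bit again. Python does this with
    SSL_CTX_clear_options(), which the thread notes needs OpenSSL >= 0.9.8m."""
    _set_options(ctx, ctx.options & ~VERSION_FLAGS[name])

def disabled_versions(ctx):
    """Versions the context refuses according to its OP_NO_* bits. On
    OpenSSL >= 1.1.0 OP_NO_SSLv2 is 0 because SSLv2 was removed from the
    library entirely, so a zero flag is reported as disabled."""
    return [name for name, flag in VERSION_FLAGS.items()
            if flag == 0 or ctx.options & flag]

if __name__ == "__main__":
    ctx = make_server_context()
    print("default server context refuses:", disabled_versions(ctx))
    legacy = make_server_context(("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"))
    enable_version(legacy, "TLSv1.1")
    print("TLS 1.1+ context refuses:", disabled_versions(legacy))
```

Note that `disabled_versions` only reads the `OP_NO_*` bits; a context's `minimum_version`/`maximum_version` settings (the replacement for these bits in newer Python) are a separate mechanism and are not reflected here.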
msg105887
Author: Antoine Pitrou (pitrou)
Date: 2010-05-16 22:39
Updated patch adds a couple of words about SSLv2 in the "security considerations" paragraph. Reviewing is welcome.

msg105889
Author: Antoine Pitrou (pitrou)
Date: 2010-05-16 23:28
It turns out SSL_CTX_clear_options() is not available before OpenSSL 0.9.8m. I adapted my patch to raise a ValueError when trying to clear options on older versions of OpenSSL. Setting additional options still works, though.

msg106185
Author: Antoine Pitrou (pitrou)
Date: 2010-05-20 20:05
I would like to move forward on this. Does anyone have any comments or objections to the current proposal?

msg106197
Author: Giampaolo Rodola' (giampaolo.rodola)
Date: 2010-05-20 22:10
I like the approach of providing this feature as a single attribute instead of two separate methods (set/get_options()). For what it's worth, I took a look at the patch without actually trying it, and it looks good overall, both the tests and the documentation, which is particularly clear.

msg106222
Author: Antoine Pitrou (pitrou)
Date: 2010-05-21 09:57
This was committed in r81392.