Created on 2016-08-27 10:30 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Messages (3) | |||
|---|---|---|---|
| msg273772 | Author: Christian Heimes (christian.heimes) (Python committer) | Date: 2016-08-27 10:30 | |
OpenSSL 1.1 has deprecated all version-specific TLS/SSL methods in favor of auto-negotiation (formerly known as SSLv23). It also introduced two macros to set the minimal and maximum TLS version with SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version(). The macros can be emulated for OpenSSL < 1.1 with reasonable effort. I suggest that ssl.SSLContext introduces set_version_range(minver, maxver=None) method. It's less awkward to use than fiddling with modes and OP_NO_SSLv3. |
|||
| msg284822 | Author: Christian Heimes (christian.heimes) (Python committer) | Date: 2017-01-06 14:31 | |
PoC implementation:

```python
from enum import Enum
import ssl

# OP_NO_TLSv1_3 only exists on builds whose OpenSSL knows TLS 1.3; 0 is a no-op bit.
OP_NO_TLSv1_3 = getattr(ssl, 'OP_NO_TLSv1_3', 0)

# Oldest to newest; a flag's position is the version's offset used below.
OP_NO_FLAGS = [
    ssl.OP_NO_SSLv2,
    ssl.OP_NO_SSLv3,
    ssl.OP_NO_TLSv1,
    ssl.OP_NO_TLSv1_1,
    ssl.OP_NO_TLSv1_2,
    OP_NO_TLSv1_3
]
OP_NO_MASK = sum(OP_NO_FLAGS)


class TLSVersions(Enum):
    # (display name, wire protocol version, offset into OP_NO_FLAGS)
    SSLv2 = 'SSL 2.0', 0x0200, 0
    SSLv3 = 'SSL 3.0', 0x0300, 1
    TLSv1 = 'TLS 1.0', 0x0301, 2
    TLSv1_1 = 'TLS 1.1', 0x0302, 3
    TLSv1_2 = 'TLS 1.2', 0x0303, 4
    if OP_NO_TLSv1_3:
        TLSv1_3 = 'TLS 1.3', 0x0304, 5
        MAX = TLSv1_3
    else:
        MAX = TLSv1_2
    MIN = TLSv1   # MIN and MAX are aliases of existing members

    def __init__(self, prettyname, wireprotocol, offset):
        self.prettyname = prettyname
        self.wireprotocol = wireprotocol
        self.noflag = OP_NO_FLAGS[offset]
        # Bits that disable every version older than this one ...
        self.minflag = sum(OP_NO_FLAGS[:offset])
        # ... and bits that disable every version newer than this one.
        self.maxflag = sum(OP_NO_FLAGS[offset+1:])

    def __repr__(self):
        return ("<{0.__class__.__name__}.{0.name} "
                "({0.prettyname}, 0x{0.wireprotocol:x})>").format(self)

    __str__ = __repr__


class SSLContext(ssl.SSLContext):
    def set_version(self, minver=TLSVersions.MIN, maxver=TLSVersions.MAX):
        # Drop any existing OP_NO_* bits, then disable everything outside the range.
        options = self.options & ~OP_NO_MASK
        self.options = options | minver.minflag | maxver.maxflag


if __name__ == '__main__':
    for name, member in TLSVersions.__members__.items():
        print(name, member)
    ctx = SSLContext(ssl.PROTOCOL_SSLv23)
    print(ctx.options)
    ctx.set_version(minver=TLSVersions.SSLv3, maxver=TLSVersions.TLSv1_1)
    print(ctx.options)
```
|
|||
| msg312853 | Author: Christian Heimes (christian.heimes) (Python committer) | Date: 2018-02-25 20:25 | |
My issue #32609 provides a better implementation. |
|||
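The following is an added example, not code from this issue or from CPython. It generalizes the PoC in msg284822 into a checked version-range-to-OP_NO_* function with its inverse (which versions a given option word still allows), and then applies the same range through the minimum_version/maximum_version attributes that the superseding issue #32609 ("Add setter and getter for min/max protocol version") added in Python 3.7, falling back to the flag emulation only where those attributes are missing. The function names (version_range_flags, enabled_by_flags, restrict_context, negotiable_range, make_client_context) and the string version names are this example's own conventions, and the ordering check is a practitioner addition: neither OpenSSL nor the 3.7 attributes reject a minimum newer than the maximum.

```python
"""Added example, not from the issue or from CPython: a checked version
range -> OP_NO_* emulation, its inverse, and the Python 3.7
minimum_version / maximum_version attributes layered on top."""
import ssl

# Protocol versions, oldest to newest, with the OP_NO_* bit that disables
# each one. A zero bit (OP_NO_SSLv2 on OpenSSL >= 1.1, OP_NO_TLSv1_3 on
# builds without TLS 1.3) means the build cannot negotiate that version.
VERSIONS = (
    ("SSLv2", ssl.OP_NO_SSLv2),
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1_1", ssl.OP_NO_TLSv1_1),
    ("TLSv1_2", ssl.OP_NO_TLSv1_2),
    ("TLSv1_3", getattr(ssl, "OP_NO_TLSv1_3", 0)),
)
INDEX = {name: i for i, (name, _) in enumerate(VERSIONS)}
OP_NO_MASK = 0
for _name, _flag in VERSIONS:
    OP_NO_MASK |= int(_flag)


def _check_range(minver, maxver):
    """Reject unknown names and min > max. Neither OpenSSL's setters nor the
    Python attributes check the ordering; an inverted range just yields a
    context that can never complete a handshake."""
    for name in (minver, maxver):
        if name not in INDEX:
            raise ValueError("unknown protocol version %r" % name)
    if INDEX[minver] > INDEX[maxver]:
        raise ValueError("minimum %s is newer than maximum %s" % (minver, maxver))


def version_range_flags(minver, maxver):
    """OP_NO_* bits that leave exactly minver..maxver negotiable: every
    version below the minimum and above the maximum gets its OP_NO bit."""
    _check_range(minver, maxver)
    flags = 0
    for i, (_, flag) in enumerate(VERSIONS):
        if i < INDEX[minver] or i > INDEX[maxver]:
            flags |= int(flag)
    return flags


def enabled_by_flags(options):
    """Versions a context's OP_NO_* bits still allow. Versions whose bit is
    zero are unsupported by the build and are never listed."""
    return [name for name, flag in VERSIONS if flag and not (options & flag)]


def restrict_context(ctx, minver, maxver):
    """Restrict ctx to minver..maxver and return the mechanism used."""
    _check_range(minver, maxver)
    if hasattr(ctx, "minimum_version"):   # Python >= 3.7 (bpo-32609)
        try:
            lo = getattr(ssl.TLSVersion, minver)
            hi = getattr(ssl.TLSVersion, maxver)
        except AttributeError:
            # ssl.TLSVersion has no SSLv2 member: OpenSSL 1.1 removed SSLv2.
            raise ValueError("%s..%s is not expressible as ssl.TLSVersion"
                             % (minver, maxver))
        # OP_NO_* bits and the min/max attributes both restrict; clear the
        # legacy bits so the attributes alone decide what is negotiated.
        ctx.options = ctx.options & ~OP_NO_MASK
        ctx.minimum_version = lo   # ValueError if the build lacks the version
        ctx.maximum_version = hi
        return "minimum_version/maximum_version"
    # Pre-3.7 interpreter: fall back to the OP_NO_* emulation from the PoC.
    ctx.options = (ctx.options & ~OP_NO_MASK) | version_range_flags(minver, maxver)
    return "OP_NO_* emulation"


def negotiable_range(ctx):
    """(lowest, highest) version name ctx will negotiate."""
    if hasattr(ctx, "minimum_version"):
        return ctx.minimum_version.name, ctx.maximum_version.name
    enabled = enabled_by_flags(ctx.options)
    return enabled[0], enabled[-1]


def make_client_context(minver, maxver):
    """Client context pinned to minver..maxver; returns (ctx, mechanism)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ctx, restrict_context(ctx, minver, maxver)


if __name__ == "__main__":
    ctx, used = make_client_context("TLSv1_2", "TLSv1_2")
    print(used, negotiable_range(ctx))
    print(enabled_by_flags(version_range_flags("TLSv1_2", "TLSv1_3")))
```

The two mechanisms combine in OpenSSL, so a context that carries stale OP_NO_* bits from older code can end up narrower than minimum_version/maximum_version report; clearing the bits before setting the attributes keeps the getters truthful.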
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:35 | admin | set | github: 72063 |
| 2018-02-25 20:25:37 | christian.heimes | set | status: open -> closed; superseder: Add setter and getter for min/max protocol version; messages: + msg312853; resolution: duplicate; stage: resolved |
| 2017-01-06 14:31:26 | christian.heimes | set | messages: + msg284822; versions: + Python 3.7, - Python 3.6 |
| 2016-09-15 08:33:50 | giampaolo.rodola | set | nosy: - giampaolo.rodola |
| 2016-09-15 07:58:02 | christian.heimes | set | assignee: christian.heimes; components: + SSL |
| 2016-08-27 10:30:35 | christian.heimes | create | |