ssl module - how can I accept SSLv3 and TLSv1 protocols only?

33 visualizzazioni
Passa al primo messaggio da leggere

Giampaolo Rodola'

da leggere,
6 gen 2009, 22:01:4806/01/09
I'm trying to add TLS/SSL support to pyftpdlib.
Since various defects have been found in the SSLv2 protocol many FTPS
servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1
only and sistematically reject any client attempting to use SSLv2.
Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1
connections only?
If that's not possible can I determine the encryption protocol being
used *after* that the SSL/TLS handshake took place?

I tried to use wrap_socket as follows:

self.socket = ssl.wrap_socket(self.socket, ,

ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1) works if on the client side I use TLSv1 but not if I use SSLv3
("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv 3 alert handshake failure" exception is

Thanks in advance for any help.

--- Giampaolo

Jean-Paul Calderone

da leggere,
7 gen 2009, 08:21:2107/01/09
a Giampaolo Rodola',

At the OpenSSL level, you do this by specifying SSLv23_METHOD and then
setting the SSL_OP_NO_SSLv2 flag. With pyOpenSSL, you do this by
creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on
it, like so:

from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2
context = Context(SSLv23_METHOD)

It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23,
but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any
extra flags.

Oring PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly
not the right approach, anyway (as you saw with your tests).


Giampaolo Rodola'

da leggere,
7 gen 2009, 12:27:3707/01/09
> Jean-Paul- Nascondi testo citato
> - Mostra testo citato -

These are pretty bad news.
I'm going to open a request on the bug tracker hoping that this
situation could be solved soon.
Thanks for your reply anyway.


--- Giampaolo

Rispondi a tutti
Rispondi all'autore
0 nuovi messaggi