On Tue, 6 Jan 2009 19:01:48 -0800 (PST), Giampaolo Rodola' <[email protected]> wrote:
Hi, I'm trying to add TLS/SSL support to pyftpdlib. Since various defects have been found in the SSLv2 protocol many FTPS servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1 only and sistematically reject any client attempting to use SSLv2. Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1 connections only? If that's not possible can I determine the encryption protocol being used *after* that the SSL/TLS handshake took place?I tried to use wrap_socket as follows: self.socket = ssl.wrap_socket(self.socket, , certfile=CERTFILE, server_side=True, ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1) ...it works if on the client side I use TLSv1 but not if I use SSLv3 ("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL routines:SSL3_READ_BYTES:sslv 3 alert handshake failure" exception is raised)
At the OpenSSL level, you do this by specifying SSLv23_METHOD and then setting the SSL_OP_NO_SSLv2 flag. With pyOpenSSL, you do this by creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on it, like so: from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2 context = Context(SSLv23_METHOD) context.set_options(OP_NO_SSLv2) It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23, but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any extra flags. Oring PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly not the right approach, anyway (as you saw with your tests). Jean-Paul -- http://mail.python.org/mailman/listinfo/python-list
