Full Disclosure mailing list archives
Re: Python ssl handling could be better...
From: dave b <db.pub.mail () gmail com>
Date: Mon, 15 Nov 2010 03:54:29 +1100
Just when you thought it couldn't get worse... http://bugs.python.org/issue3596 http://bugs.python.org/issue4870 So now the programmer still needs to say OH disable sslv2 (or doesn't select sslv2) but by default it will be enabled. The python doc says this: ssl.PROTOCOL_SSLv23 Selects SSL version 2 or 3 as the channel encryption protocol. This is a setting to use with servers for maximum compatibility with the other end of an SSL connection, but it may cause the specific ciphers chosen for the encryption to be of fairly low quality. and above this: ssl.PROTOCOL_SSLv2 Selects SSL version 2 as the channel encryption protocol. Warning SSL version 2 is insecure. Its use is highly discouraged. But the default is to use PROTOCOL_SSLv23. So if looking back at the mercurial source code we have in mercurial/url.py # avoid using deprecated/broken FakeSocket in python 2.6 import ssl _ssl_wrap_socket = ssl.wrap_socket CERT_REQUIRED = ssl.CERT_REQUIRED except ImportError: CERT_REQUIRED = 2 ... and then for some use... def connect(self): if has_https and self.realhostport: # use CONNECT proxy self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.sock.connect((self.host, self.port)) if _generic_proxytunnel(self): # we do not support client x509 certificates self.sock = _ssl_wrap_socket(self.sock, None, None) ssl.OP_NO_SSLv2 is now in python 3.2 but it isn't 'on' by default. "SSL version 2 is considered insecure and is therefore dangerous to use. If you want maximum compatibility between clients and servers, it is recommended to use PROTOCOL_SSLv23 as the protocol version and then disable SSLv2 explicitly using the SSLContext.options attribute:" http://svn.python.org/view/python/trunk/Lib/ssl.py?revision=80557&view=markup class SSLSocket(socket): """This class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.""" def __init__(self, sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version=PROTOCOL_SSLv23, ca_certs=None, .... def wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version=PROTOCOL_SSLv23, ca_certs=None, ... def sslwrap_simple(sock, keyfile=None, certfile=None): """A replacement for the old socket.ssl function. Designed for compability with Python 2.5 and earlier. Will disappear in Python 3.0.""" if hasattr(sock, "_sock"): sock = sock._sock ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE, PROTOCOL_SSLv23, None) -- There's small choice in rotten apples. -- William Shakespeare, "The Taming of the Shrew" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Python ssl handling could be better... dave b (Nov 14)