ssl module is missing SSL_OP_NO_SSLv2

[giampaolo]

BPO	4870
Nosy	@pitrou, @giampaolo
Files	issue4870.diff: Patch for Python 2.x trunk sslopts.patch sslopts2.patch sslopts3.patch sslopts4.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2010-05-21.09:57:16.729>
created_at = <Date 2009-01-07.18:11:43.874>
labels = ['type-security', 'library']
title = 'ssl module is missing SSL_OP_NO_SSLv2'
updated_at = <Date 2010-05-21.09:57:16.727>
user = 'https://github.com/giampaolo'

bugs.python.org fields:

activity = <Date 2010-05-21.09:57:16.727>
actor = 'pitrou'
assignee = 'janssen'
closed = True
closed_date = <Date 2010-05-21.09:57:16.729>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2009-01-07.18:11:43.874>
creator = 'giampaolo.rodola'
dependencies = []
files = ['15849', '17016', '17112', '17375', '17377']
hgrepos = []
issue_num = 4870
keywords = ['patch']
message_count = 12.0
messages = ['79357', '79362', '79364', '97679', '103792', '104363', '105884', '105887', '105889', '106185', '106197', '106222']
nosy_count = 6.0
nosy_names = ['exarkun', 'janssen', 'pitrou', 'giampaolo.rodola', 'heikki', 'jeremy.kloth']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue4870'
versions = ['Python 3.2']

[giampaolo]

As came out here:
http://groups.google.it/group/comp.lang.python/browse_thread/thread/7d5b96f9bacb03d3?hl=it#
...the ssl module does not provide any facility to disable SSL version
2. This is very important when writing SSLv3/TLSv1 compatible servers.

[janssen]

Actually, that's not quite true. Specifying TLSv1 or SSLv3 on the
server side will disable SSLv2. However, there's currently no way to
specify SSLv3 *or* TLSv1 *but not* SSLv2. This looks easy to fix; I'll
add another entry to the list of protocol versions, which when selected
will cause the server to use SSLv23, but will cause SSLv2 clients to be
rejected.

[giampaolo]

Actually, that's not quite true.
Specifying TLSv1 or SSLv3 on the
server side will disable SSLv2.

There are use cases like FTPS where it is desirable that servers support
SSLv3 *and* TLSv1.
To do that by using OpenSSL SSLv23 protocol must be specified and SSLv2
must be explicitly disabled afterward.
As far as I've understood, using SSLv23 on the server sides means that
when the client connects it could decide whether using SSLv2, SSLv3 or
TLSv1.

[jeremykloth]

I have developed a patch that adds the ability to disable SSLv2, SSlv3 and TLSv1 when using the SSLv23 method. It changes Modules/_ssl.c, Lib/ssl.py and Doc/library/ssl.rst.

[pitrou]

Here is an adapted patch for py3k. It also adds a couple of test cases.

[pitrou]

Here is an updated patch for py3k (the previous one didn't apply cleanly).

[pitrou]

Here is an updated patch, following checkin of the new SSL contexts. Options can be specified as an options property on SSL contexts.

[pitrou]

Updated patch adds a couple of words about SSLv2 in the "security considerations" paragraph. Reviewing is welcome.

[pitrou]

It turns out SSL_CTX_clear_options() is not available before OpenSSL 0.9.8m. I adapted my patch to raise a ValueError when trying to clear options on older versions of OpenSSL. Setting additional options still works, though.

[pitrou]

I would like to move forward on this. Does anyone have any comments or objections to the current proposal?

[giampaolo]

I like the approach of providing this feature as a single attribute instead of two separate methods (set/get_options()).
For what it's worth, I took a look at the patch without actually trying it, and it looks good overall, both tests and documentation which is particularly clear.

[pitrou]

This was committed in r81392.