Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ssl module is missing SSL_OP_NO_SSLv2 #49120

Closed
giampaolo opened this issue Jan 7, 2009 · 12 comments
Closed

ssl module is missing SSL_OP_NO_SSLv2 #49120

giampaolo opened this issue Jan 7, 2009 · 12 comments
Labels
stdlib Python modules in the Lib dir type-security A security issue

Comments

@giampaolo
Copy link
Contributor

BPO 4870
Nosy @pitrou, @giampaolo
Files
  • issue4870.diff: Patch for Python 2.x trunk
  • sslopts.patch
  • sslopts2.patch
  • sslopts3.patch
  • sslopts4.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
    closed_at = <Date 2010-05-21.09:57:16.729>
    created_at = <Date 2009-01-07.18:11:43.874>
    labels = ['type-security', 'library']
    title = 'ssl module is missing SSL_OP_NO_SSLv2'
    updated_at = <Date 2010-05-21.09:57:16.727>
    user = 'https://github.com/giampaolo'

    bugs.python.org fields:

    activity = <Date 2010-05-21.09:57:16.727>
    actor = 'pitrou'
    assignee = 'janssen'
    closed = True
    closed_date = <Date 2010-05-21.09:57:16.729>
    closer = 'pitrou'
    components = ['Library (Lib)']
    creation = <Date 2009-01-07.18:11:43.874>
    creator = 'giampaolo.rodola'
    dependencies = []
    files = ['15849', '17016', '17112', '17375', '17377']
    hgrepos = []
    issue_num = 4870
    keywords = ['patch']
    message_count = 12.0
    messages = ['79357', '79362', '79364', '97679', '103792', '104363', '105884', '105887', '105889', '106185', '106197', '106222']
    nosy_count = 6.0
    nosy_names = ['exarkun', 'janssen', 'pitrou', 'giampaolo.rodola', 'heikki', 'jeremy.kloth']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue4870'
    versions = ['Python 3.2']

    @giampaolo
    Copy link
    Contributor Author

    As came out here:
    http://groups.google.it/group/comp.lang.python/browse_thread/thread/7d5b96f9bacb03d3?hl=it#
    ...the ssl module does not provide any facility to disable SSL version
    2. This is very important when writing SSLv3/TLSv1 compatible servers.

    @giampaolo giampaolo added stdlib Python modules in the Lib dir type-security A security issue labels Jan 7, 2009
    @janssen
    Copy link
    Mannequin

    janssen mannequin commented Jan 7, 2009

    Actually, that's not quite true. Specifying TLSv1 or SSLv3 on the
    server side will disable SSLv2. However, there's currently no way to
    specify SSLv3 *or* TLSv1 *but not* SSLv2. This looks easy to fix; I'll
    add another entry to the list of protocol versions, which when selected
    will cause the server to use SSLv23, but will cause SSLv2 clients to be
    rejected.

    @janssen janssen mannequin self-assigned this Jan 7, 2009
    @giampaolo
    Copy link
    Contributor Author

    Actually, that's not quite true.
    Specifying TLSv1 or SSLv3 on the
    server side will disable SSLv2.

    There are use cases like FTPS where it is desirable that servers support
    SSLv3 *and* TLSv1.
    To do that by using OpenSSL SSLv23 protocol must be specified and SSLv2
    must be explicitly disabled afterward.
    As far as I've understood, using SSLv23 on the server sides means that
    when the client connects it could decide whether using SSLv2, SSLv3 or
    TLSv1.

    @jeremykloth
    Copy link
    Mannequin

    jeremykloth mannequin commented Jan 13, 2010

    I have developed a patch that adds the ability to disable SSLv2, SSlv3 and TLSv1 when using the SSLv23 method. It changes Modules/_ssl.c, Lib/ssl.py and Doc/library/ssl.rst.

    @pitrou
    Copy link
    Member

    pitrou commented Apr 20, 2010

    Here is an adapted patch for py3k. It also adds a couple of test cases.

    @pitrou
    Copy link
    Member

    pitrou commented Apr 27, 2010

    Here is an updated patch for py3k (the previous one didn't apply cleanly).

    @pitrou
    Copy link
    Member

    pitrou commented May 16, 2010

    Here is an updated patch, following checkin of the new SSL contexts. Options can be specified as an options property on SSL contexts.

    @pitrou
    Copy link
    Member

    pitrou commented May 16, 2010

    Updated patch adds a couple of words about SSLv2 in the "security considerations" paragraph. Reviewing is welcome.

    @pitrou
    Copy link
    Member

    pitrou commented May 16, 2010

    It turns out SSL_CTX_clear_options() is not available before OpenSSL 0.9.8m. I adapted my patch to raise a ValueError when trying to clear options on older versions of OpenSSL. Setting additional options still works, though.

    @pitrou
    Copy link
    Member

    pitrou commented May 20, 2010

    I would like to move forward on this. Does anyone have any comments or objections to the current proposal?

    @giampaolo
    Copy link
    Contributor Author

    I like the approach of providing this feature as a single attribute instead of two separate methods (set/get_options()).
    For what it's worth, I took a look at the patch without actually trying it, and it looks good overall, both tests and documentation which is particularly clear.

    @pitrou
    Copy link
    Member

    pitrou commented May 21, 2010

    This was committed in r81392.

    @pitrou pitrou closed this as completed May 21, 2010
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    stdlib Python modules in the Lib dir type-security A security issue
    Projects
    None yet
    Development

    No branches or pull requests

    2 participants