
ssl_version documentation error #57956

Closed
bdarnell mannequin opened this issue Jan 9, 2012 · 7 comments

Comments

@bdarnell

bdarnell mannequin commented Jan 9, 2012

BPO 13747
Nosy @pitrou, @bdarnell

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2013-03-08.10:23:19.048>
created_at = <Date 2012-01-09.19:10:41.888>
labels = []
title = 'ssl_version documentation error'
updated_at = <Date 2013-03-08.10:23:19.046>
user = 'https://github.com/bdarnell'

bugs.python.org fields:

activity = <Date 2013-03-08.10:23:19.046>
actor = 'pitrou'
assignee = 'none'
closed = True
closed_date = <Date 2013-03-08.10:23:19.048>
closer = 'pitrou'
components = []
creation = <Date 2012-01-09.19:10:41.888>
creator = 'Ben.Darnell'
dependencies = []
files = []
hgrepos = []
issue_num = 13747
keywords = []
message_count = 7.0
messages = ['150963', '150976', '150977', '150980', '150995', '183730', '183733']
nosy_count = 4.0
nosy_names = ['pitrou', 'python-dev', 'Ben.Darnell', 'fweimer']
pr_nums = []
priority = 'normal'
resolution = 'out of date'
stage = 'resolved'
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue13747'
versions = ['Python 2.7']

@bdarnell

bdarnell mannequin commented Jan 9, 2012

The ssl module docs claim that the default ssl_version for client-side operation is SSLv3, but it is actually SSLv23. The exact behavior depends on the version of openssl: starting in 1.0 the connection is limited by default to SSLv3 or TLSv1 (as documented in the note below the compatibility table), but in older versions of openssl SSLv2 is allowed by default.

This is just a documentation error if you've got a recent version of openssl, but it's also a security problem with older versions, since people may have been unknowingly using the weaker SSLv2 protocol. (I don't know how widespread pre-1.0 versions of openssl are these days, but OSX Lion still ships with 0.9.8.) It would be nice if the default mode were SSLv23 with SSL_OP_NO_SSLv2 set so the defaults would be safe even with older versions of openssl (there's no way to set this configuration from python code before py3.2).

Also, the compatibility table claims that an SSLv3 client can talk to an SSLv2 server, which is incorrect. SSLv23 clients can talk to SSLv3 and TLSv1 servers if openssl is at least version 1.0 and SSLv2 ciphers are not explicitly enabled.

@python-dev

python-dev mannequin commented Jan 9, 2012

New changeset 3db0abf3058b by Antoine Pitrou in branch '2.7':
Issue bpo-13747: fix documentation error about the default SSL version.
http://hg.python.org/cpython/rev/3db0abf3058b

New changeset 4f14c249f3de by Antoine Pitrou in branch '2.7':
Issue bpo-13747: fix SSL compatibility table.
http://hg.python.org/cpython/rev/4f14c249f3de

@python-dev

python-dev mannequin commented Jan 9, 2012

New changeset 7ae0f71862f9 by Antoine Pitrou in branch '3.2':
Issue bpo-13747: fix documentation error about the default SSL version.
http://hg.python.org/cpython/rev/7ae0f71862f9

New changeset b4194af97948 by Antoine Pitrou in branch '3.2':
Issue bpo-13747: fix SSL compatibility table.
http://hg.python.org/cpython/rev/b4194af97948

New changeset d2a47650031a by Antoine Pitrou in branch 'default':
Merge SSL doc fixes (issue bpo-13747).
http://hg.python.org/cpython/rev/d2a47650031a

@pitrou

pitrou commented Jan 9, 2012

Thanks for noticing. I've now fixed the docs.

It would be nice if the default mode were SSLv23 with SSL_OP_NO_SSLv2
set so the defaults would be safe even with older versions of openssl

Mmmh, perhaps, although wouldn't someone deploying a new version of Python also deploy a new version of OpenSSL?

@bdarnell

bdarnell mannequin commented Jan 10, 2012

Not necessarily. If I want to run python 2.7 or 3.x on an older linux distribution (e.g. Ubuntu 10.04 LTS, which has python 2.6 and openssl 0.9.8), I need to build from source, but I wouldn't think to update/rebuild all the dependencies from the ground up.

@fweimer

fweimer mannequin commented Mar 8, 2013

OpenSSL cross-version updates are sometimes difficult because they invalidate certifications. Updating Python to SSLv23 with SSL_OP_NO_SSLv2 is comparatively easy and also much less risky.

Shall I submit a patch which changes the default? I would also like to restrict the cipher suites to strong ones plus RC4, so that Python code isn't forced to set cipher preferences.
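An added example, not code from this issue or from CPython, of the configuration the report and this comment ask for: a client context built on PROTOCOL_SSLv23 that disables SSLv2 and SSLv3 explicitly instead of relying on whatever the linked OpenSSL allows by default, pins strong cipher suites, and a check that reports which legacy protocols a given context could still negotiate. It assumes Python 3.7 or newer (for HAS_SSLv2/HAS_SSLv3 and minimum_version); the function names are my own.

```python
import ssl

# Legacy protocols: the option bit that switches each one off, whether the
# linked OpenSSL was even built with it, and the version floor at or above
# which the protocol is unreachable regardless of the option bits.
_LEGACY = (
    ("SSLv2", ssl.OP_NO_SSLv2, ssl.HAS_SSLv2, ssl.TLSVersion.SSLv3),
    ("SSLv3", ssl.OP_NO_SSLv3, ssl.HAS_SSLv3, ssl.TLSVersion.TLSv1),
)


def make_client_context(cafile=None):
    """Client context whose protocol floor does not depend on the OpenSSL
    build: the 'negotiate' mode from the issue plus explicit exclusions."""
    # PROTOCOL_SSLv23 is the negotiating mode the issue discusses (now an
    # alias of PROTOCOL_TLS; newer interpreters emit a DeprecationWarning).
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    # The fix proposed in the issue, expressible from Python 3.2 onward.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Python 3.7+ can state the floor directly; TLS 1.2 is today's baseline.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Strong suites only; RC4 (mentioned in the 2013 comment) is excluded.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4")
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def legacy_protocols_reachable(ctx):
    """Names of SSLv2/SSLv3 this context could still negotiate: supported by
    the OpenSSL build, not disabled by an option bit, and below the floor."""
    floor = ctx.minimum_version  # MINIMUM_SUPPORTED (< 0) means 'no floor set'
    reachable = []
    for name, no_option, supported, excluded_from in _LEGACY:
        if not supported:
            continue  # e.g. OpenSSL 1.1.0+ dropped SSLv2 entirely
        if ctx.options & no_option:
            continue  # explicitly disabled, as the issue recommends
        if floor >= excluded_from:
            continue  # version floor already rules it out
        reachable.append(name)
    return reachable
```

legacy_protocols_reachable() is the audit a deployer can run against any context their code builds, including one inherited from a library default, before trusting it on an older OpenSSL.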

@pitrou

pitrou commented Mar 8, 2013

Florian, this was already handled in issue bpo-13636 (changeset f9122975fd80).

@pitrou pitrou closed this as completed Mar 8, 2013
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022