Debian Unstable: "OpenSSL disables TLS 1.0 and 1.1" ... some effects related to SABnzbd #994
Comments
@sanderjo maybe you can investigate what is wrong with the supported protocol detection and why the connection test fails? I wish I had a good way to fix OpenSSL on macOS.. It's still stuck at TLSv1 only.. |
sabnzbd/utils/sslinfo.py does something like this:
So I tried:
On my Ubuntu, that gives:
On the Debian Unstable I get:
So
|
@sanderjo what version of ssl is loaded in python? dynamic/static linked? you could have multiple openssl installed.. and python is using an older version that still supports tls v1 for example on my windows box:
oh, and if you have pyOpenSSL: |
It's a Docker image, so all's clean. I tried this, hoping for an error (and thus discovering which protocols are not there), which did not happen. :-(
|
Docker container creation:
Then inside the container:
Info you requested:
So:
|
IMHO this is the situation:
|
that 'version' of openssl without the support.. doesn't appear to be what you have installed? as your openssl is from may.. also nothing about the version or disabling of tls1.0/1.1 here.. |
So ... how can SABnzbd see which TLS versions are supported by the OS? Just a few notes:
Conclusion: my lynx/OS supports TLS 1.2, 1.1, 1, and SSL 3 (ouch). Another, self-contained method: Start a minimal TLS1.2-webserver (with SAB-keys):
... and connect:
So my curl/OS does support TLS1.2. Within a Debian:Unstable, I cannot connect to a TLS1-only openssl-server:
So python/OS on Debian:Unstable cannot do TLS1. |
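The question raised in the comment above (which TLS versions will this Python/OpenSSL pair actually put on the wire), as an added example that is not part of this thread or of SABnzbd's code: it starts a handshake into memory buffers and reads the offered versions out of the ClientHello. It assumes Python 3.7 or later; the function names and the SNI name `probe.invalid` are made up for the example.

```python
import ssl
import struct

# TLS wire version codes and their usual names
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446


def client_hello_bytes(ctx=None):
    """Start a handshake into memory BIOs and return the raw ClientHello record."""
    if ctx is None:
        ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "probe.invalid" is a made-up SNI name; nothing is sent over the network
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="probe.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written and OpenSSL waits for a reply
    return outgoing.read()


def offered_versions(record):
    """Return the protocol versions a ClientHello record offers, in wire order."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    legacy = struct.unpack_from("!H", record, 9)[0]
    pos = 5 + 4 + 2 + 32                                   # headers, version, random
    pos += 1 + record[pos]                                 # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher suites
    pos += 1 + record[pos]                                 # compression methods
    found = []
    if pos + 2 <= len(record):
        end = min(len(record), pos + 2 + struct.unpack_from("!H", record, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == SUPPORTED_VERSIONS_EXT:
                body = record[pos + 5:pos + 4 + ext_len]   # skip the 1-byte list length
                found = [struct.unpack_from("!H", body, i)[0]
                         for i in range(0, len(body) - 1, 2)]
            pos += 4 + ext_len
    # Without the extension only legacy_version is visible: the client's ceiling,
    # not its floor, so lower versions it would accept cannot be read off the wire.
    return [VERSIONS.get(v, hex(v)) for v in (found or [legacy])]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, offered_versions(client_hello_bytes()))
```

The result reflects what the client offers under the OpenSSL build and system policy Python is linked against; whether a given server then accepts one of those versions still takes a real connection to find out.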
there is a bit of work that is needed in python dev to be able to support openssl 1.1.x (tls v1.3). so this probably is why in python 2.x you won't see much from the new openssl changes (1.1.x) I wonder if sander's issue is: python/cpython#2305 |
The changes are now merged for the 2.7 branch too, so probably there will be support in the next Python release. In general there is a discrepancy between what we report on the first Config page and what is actually used. For example it will list SSLv3, but because we use |
I agree. Maybe just change
to
|
Agreed! |
Let Python fix this! All we can do is report what we get from the |
There is no way to get the actually enabled SSL/TLS protocols on a system, let alone from Python. It's not even possible from the `openssl` command line. See also #994 And: https://stackoverflow.com/questions/45924030/get-available-ssl-tls-protocols-in-python-2-7
@Cpuroast Seems TLSv1.3 support is coming to Python 2.7.14 after all: Not for the binaries I guess, but at least it should work on the systems that have compatible OpenSSL versions. |
From the changes to ssl.rst, it looks like TLS 1.3 is going to be in 2.7.15 as 2.7.14 is already in RC. |
per the cpython commit, yes it's coming in 2.7.15:
|
Some remarks related to Debian Unstable. As it's Unstable, they are just a FYI / discussion.
Sources
https://www.cyberciti.biz/howto/debian-linux/openssl-drops-tls-1-01-1-support-for-debian-unstable/
https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
tell:
So I tried with sabnzbdplus-2.2.0RC1 on Debian Unstable to connect to ssl-eu.astraweb.com (which is TLS1, not TLS1.2), and SAB says:
[Errno 111] [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
OK, good to know.
Then: SABnzbd stdout:
Hey, isn't that strange: 'TLS v1.1', 'TLS v1' ? Is that the difference between SSL and OpenSSL and/or libraries?
FWIW / I don't know if this is relevant:
For Google: