Enable unsafe legacy renegotiation #5790
Conversation
import OpenSSL._util as pyOpenSSLutil | ||
|
||
from scrapy.utils.python import to_unicode | ||
|
||
|
||
# The OpenSSL symbol is present since 1.1.1 but it's not currently supported in any version of pyOpenSSL. | ||
# Using the binding directly, as this code does, requires cryptography 2.4. | ||
SSL_OP_NO_TLSv1_3 = getattr(pyOpenSSLutil.lib, 'SSL_OP_NO_TLSv1_3', 0) |
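Review bot: the comment above `SSL_OP_NO_TLSv1_3 = getattr(pyOpenSSLutil.lib, 'SSL_OP_NO_TLSv1_3', 0)` states that no pyOpenSSL version supports the symbol, while the review remark on this line proposes `SSL_OP_NO_TLSv1_3 = OpenSSL.SSL.OP_NO_TLSv1_3` as a drop-in; whichever is correct, the comment should say so, and the `getattr(..., 0)` fallback deserves a note, since a value of 0 turns the later `set_options` call into a silent no-op when the symbol is absent (the option is then best-effort, which the comment should state or the code should log).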
We can't deprecate this without some magic (probably the least magic way is the module-level __getattr__).
If we decide to deprecate it, this line can be changed into SSL_OP_NO_TLSv1_3 = OpenSSL.SSL.OP_NO_TLSv1_3 and the deprecation will be done separately.
No strong opinion either way from me.
Codecov Report
@@ Coverage Diff @@
## master #5790 +/- ##
==========================================
- Coverage 88.89% 88.75% -0.14%
==========================================
Files 162 162
Lines 10982 10981 -1
Branches 1797 1796 -1
==========================================
- Hits 9762 9746 -16
- Misses 940 954 +14
- Partials 280 281 +1
Yeah, I don't see which flags I could set on the mockserver SSL context so that it could reject normal OpenSSL 3 clients.
Fixes #5491.
I don't know if we can have a test for it: it would require a server configured in a certain way; I need to check if it's even possible when using OpenSSL 3 on the server side. Locally I tested it on https://dorotheum.com/ with "pyOpenSSL 21.0.0 ('OpenSSL 1.1.1j 16 Feb 2021'), cryptography 3.4.6" (no error, and the website is accessible with and without the change) and "pyOpenSSL 23.0.0 ('OpenSSL 3.0.7 1 Nov 2022'), cryptography 39.0.0" (the website is accessible only with the change).
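The change this pull request describes is OpenSSL 3 refusing, by default, to talk to servers that lack RFC 5746 secure renegotiation, and the client opting back in by setting OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT option. The following is an added example, not code from Scrapy or from this pull request: it uses the standard library `ssl` module rather than pyOpenSSL so it runs without extra dependencies, and it mirrors the getattr-with-fallback pattern the diff uses for SSL_OP_NO_TLSv1_3, but falls back to OpenSSL's own bit value (0x4) instead of 0 so the option is never a silent no-op, and reports whether the bit actually landed on the context. The function names and the constructed context are this example's own.

```python
"""Added example (not Scrapy's code): toggle SSL_OP_LEGACY_SERVER_CONNECT
on a client TLS context and verify the result, so that relaxing OpenSSL 3's
renegotiation check is explicit, observable and reversible."""
import ssl

# OpenSSL defines SSL_OP_LEGACY_SERVER_CONNECT as bit 2 (0x4) in both the
# 1.1.1 and 3.x headers; the ssl module exposes it as
# ssl.OP_LEGACY_SERVER_CONNECT from Python 3.12. Unlike a fallback of 0
# (which would make the option a no-op without any signal), falling back
# to the raw bit keeps the behaviour identical on older interpreters.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def make_client_context() -> ssl.SSLContext:
    """Constructed client context. PROTOCOL_TLS_CLIENT enables hostname
    checking and certificate verification; nothing here is downloaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_server_connect_enabled(ctx: ssl.SSLContext) -> bool:
    """Read the option mask back from OpenSSL rather than trusting state
    kept in Python; this is the check a test or a startup log can use."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def enable_legacy_server_connect(ctx: ssl.SSLContext) -> bool:
    """Allow handshakes with servers that do not support RFC 5746 secure
    renegotiation, which OpenSSL 3 otherwise rejects with the error reason
    'unsafe legacy renegotiation disabled'. Returns True only if the bit is
    now present in the context's option mask."""
    ctx.options = ssl.Options(int(ctx.options) | OP_LEGACY_SERVER_CONNECT)
    return legacy_server_connect_enabled(ctx)


def disable_legacy_server_connect(ctx: ssl.SSLContext) -> bool:
    """Restore the strict default. The ssl module clears bits that are
    present in the old mask and absent in the new one, so plain integer
    arithmetic is enough (and avoids IntFlag inversion quirks)."""
    ctx.options = ssl.Options(int(ctx.options) & ~OP_LEGACY_SERVER_CONNECT)
    return legacy_server_connect_enabled(ctx)


if __name__ == "__main__":
    context = make_client_context()
    print("default:", legacy_server_connect_enabled(context))
    print("after enable:", enable_legacy_server_connect(context))
    print("after disable:", disable_legacy_server_connect(context))
```

Scoping the relaxation to one context, as above, is the point: a scraper that must reach servers without secure renegotiation can enable the bit on the downloader's client context while leaving every other TLS context at OpenSSL 3's strict default, and the read-back function gives a test something to assert on even when no misconfigured server is available to connect to.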