Skip to content
/ sslproto37 Public

A simple backport of the SSLProtocol from Python 3.7 to work on Python 3.5 and 3.6 adding SSL handshake timeout capabilities

License

Unlicense license
4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

vltr/sslproto37

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
ci
ci
 
 
examples
examples
 
 
sslproto37
sslproto37
 
 
tests
tests
 
 
.coveragerc
.coveragerc
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
appveyor.yml
appveyor.yml
 
 
pyproject.toml
pyproject.toml
 
 
setup.cfg
setup.cfg
 
 
setup.py
setup.py
 
 
tox.ini
tox.ini
 
 

Repository files navigation

sslproto37

Build Status Build Status Coverage Status

ATTENTION: this is not a PyPI package and it is not intended to be used as one (IMHO).

This is a simple backport of the SSLProtocol from Python 3.7 that adds a SSL handshake timeout feature, that does not exists in Python 3.5 and Python 3.6.

Who needs this backport

Everyone that uses a SSL context to their asyncio servers under Python 3.5 or Python 3.6 with the default asyncio loop policy.

Who doesn't needs this backport

Anyone using Python 3.7 or an alternative asyncio event loop such as uvloop, which already implements a default SSL handshake timeout and works under Python 3.5 and 3.6.

The importance of this backport

Without the SSL handshake timeout, one can simple open a connection to your server (using telnet) and never perform a SSL handshake, exhausting your server available connections and leaving it non-responsive, which can lead to a DOS attack.

Using sslproto37

All you need to do is copy the source code to your own project and make it work there, such as:

import asyncio
import sys

if sys.version_info < (3, 7):  # test if you really need this backport
    from .sslproto37 import SSLProtocolBackportLoopPolicy

    asyncio.set_event_loop_policy(SSLProtocolBackportLoopPolicy())

In case you copy the test case as well, make sure it is not ran if the Python version is 3.7 (or above).

Configuring the SSL handshake timeout parameter

Since this is only a very simple backport, not all function calls and parameters came to light to avoid a complex code. So, the SSL handshake timeout time is set to 60 seconds as default inside the code, but it can be changed if you set the PYSSLPROTO37_HANDSHAKE_TIMEOUT system variable to another value that should be converted to float and above 0.0. The actual value you set is completely your choice and should take into consideration deployment best practices that I would not discuss in here.

Testing

You can check the test coverage of this protocol with the badge right at the beggining of this README. It is tested against Python 3.5, 3.6 and 3.7 (where a nice warning should be in place in case you forgot this is not intended to use with Python 3.7) and all tests can be run by tox. Note: some warnings and nested exceptions might occur while testing under Python 3.5. PRs are welcome to solve that issue but the goal was to make this work.

Many thanks to

For bringing us (the Sanic team) the attention for this matter.

About

A simple backport of the SSLProtocol from Python 3.7 to work on Python 3.5 and 3.6 adding SSL handshake timeout capabilities

Topics

python ssl asyncio backport dos-attack

Resources

Readme

License

Unlicense license
Activity

Stars

4 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages