Commit

Backport SSL configuration from Python 3.10 (#5437)
Partial fix for #5294 (comment), #4627

Authored by: coletdjnz
coletdjnz committed Nov 6, 2022
1 parent d715b0e commit 5b9f253
Showing 1 changed file with 15 additions and 2 deletions.
17 changes: 15 additions & 2 deletions yt_dlp/utils.py
Expand Up @@ -985,6 +985,18 @@ def make_HTTPS_handler(params, **kwargs):
context.options |= 4 # SSL_OP_LEGACY_SERVER_CONNECT
# Allow use of weaker ciphers in Python 3.10+. See https://bugs.python.org/issue43998
context.set_ciphers('DEFAULT')
elif sys.version_info < (3, 10) and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
# Backport the default SSL ciphers and minimum TLS version settings from Python 3.10 [1].
# This is to ensure consistent behavior across Python versions, and help avoid fingerprinting
# in some situations [2][3].
# Python 3.10 only supports OpenSSL 1.1.1+ [4]. Because this change is likely
# untested on older versions, we only apply this to OpenSSL 1.1.1+ to be safe.
# 1. https://github.com/python/cpython/commit/e983252b516edb15d4338b0a47631b59ef1e2536
# 2. https://github.com/yt-dlp/yt-dlp/issues/4627
# 3. https://github.com/yt-dlp/yt-dlp/pull/5294
# 4. https://peps.python.org/pep-0644/
context.set_ciphers('@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM')
context.minimum_version = ssl.TLSVersion.TLSv1_2

context.verify_mode = ssl.CERT_REQUIRED if opts_check_certificate else ssl.CERT_NONE
if opts_check_certificate:
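Review bot: The guard `ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)` on the new `elif` does not establish that the linked library is OpenSSL. A LibreSSL build reports a tuple such as `(2, 0, 0, 0, 0)` (see the macOS report in the comments on this commit, where `ssl.OPENSSL_VERSION` is 'LibreSSL 2.8.3'), so it passes the check and `context.set_ciphers(...)` raises `ssl.SSLError: ('No cipher can be selected.',)` while the opener is being set up. Suggest also requiring that `ssl.OPENSSL_VERSION` names OpenSSL, or catching `ssl.SSLError` around `set_ciphers` and keeping the interpreter defaults, so an unsupported cipher string degrades instead of aborting startup.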
Expand Down Expand Up @@ -1982,12 +1994,13 @@ def system_identifier():
with contextlib.suppress(OSError): # We may not have access to the executable
libc_ver = platform.libc_ver()

return 'Python %s (%s %s) - %s %s' % (
return 'Python %s (%s %s) - %s (%s%s)' % (
platform.python_version(),
python_implementation,
platform.architecture()[0],
platform.platform(),
format_field(join_nonempty(*libc_ver, delim=' '), None, '(%s)'),
ssl.OPENSSL_VERSION,
format_field(join_nonempty(*libc_ver, delim=' '), None, ', %s'),
)
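Review bot: The new format string in `system_identifier()` takes six positional values, and the libc part only renders correctly because its `format_field` template now carries the separator itself (`', %s'`). That coupling between the `(%s%s)` placeholder pair and the template is easy to break on the next edit. Consider building the parenthesised part in one place, e.g. `join_nonempty(ssl.OPENSSL_VERSION, join_nonempty(*libc_ver, delim=' '), delim=', ')`, with a single `(%s)` placeholder; assuming `join_nonempty` drops empty values as its name implies, the output is unchanged when `libc_ver` is empty.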



7 comments on commit 5b9f253

@rdamas
Contributor

@rdamas rdamas commented on 5b9f253 Nov 6, 2022

Hi,

this throws an error on MacOS

  File "/usr/local/bin/yt-dlp", line 33, in <module>
    sys.exit(load_entry_point('yt-dlp==2022.10.4', 'console_scripts', 'yt-dlp')())
  File "/Library/Python/3.9/site-packages/yt_dlp/__init__.py", line 968, in main
    _exit(*variadic(_real_main(argv)))
  File "/Library/Python/3.9/site-packages/yt_dlp/__init__.py", line 928, in _real_main
    with YoutubeDL(ydl_opts) as ydl:
  File "/Library/Python/3.9/site-packages/yt_dlp/YoutubeDL.py", line 722, in __init__
    self._setup_opener()
  File "/Library/Python/3.9/site-packages/yt_dlp/YoutubeDL.py", line 3816, in _setup_opener
    https_handler = make_HTTPS_handler(self.params, debuglevel=debuglevel)
  File "/Library/Python/3.9/site-packages/yt_dlp/utils.py", line 999, in make_HTTPS_handler
    context.set_ciphers('@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM')
ssl.SSLError: ('No cipher can be selected.',)
Python 3.9.6 (default, Sep 26 2022, 11:37:49) 
[Clang 14.0.0 (clang-1400.0.29.202)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION_INFO
(2, 0, 0, 0, 0)
>>> 

@pukkandan
Member


@coletdjnz
Member Author

@coletdjnz coletdjnz commented on 5b9f253 Nov 6, 2022

What's the output of ssl.OPENSSL_VERSION? (It should be included in the debug header if that prints.)

OPENSSL 2 doesn't exist 🤔

@rdamas
Contributor

@rdamas rdamas commented on 5b9f253 Nov 6, 2022

>>> ssl.OPENSSL_VERSION
'LibreSSL 2.8.3'

@coletdjnz
Member Author

If you don't mind testing if #5464 works that would be awesome

pip install git+https://github.com/coletdjnz/yt-dlp-dev.git@fix/libressl --force-reinstall

@rdamas
Contributor

@rdamas rdamas commented on 5b9f253 Nov 6, 2022

Yes, that one runs without errors again. Thanks!

@gothicserpent

Just wanted to confirm the latest commit is working for me too. Thanks!
