Set default SSL protocol version to xmlrpc/ssl #404
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ecure version on modern distributions. xmlrpc/tls1 limits the communication to TLSv1, while xmlrpc/ssl uses ssl.PROTOCOL_SSLv23. This protocol flag indicates that SSLv2 and SSLv3 could be used, but they are usually disabled in current versions of OpenSSL and allow clients to use the highest supported TLS version.
|
@xschlef I think the main issue here is that for users on python 2.6 (which we still support), this will cause their connection to be insecure by default. https://docs.python.org/2.6/library/ssl.html#ssl.PROTOCOL_SSLv23 Perhaps we could have this be set to PROTOCOL_TLS for newer python and fallback to PROTOCOL_TLSv1 for older clients? According to the docs, it looks like SSLv23 is deprecated anyway. |
|
@solj users of such legacy systems that are using python 2.6 + openssl in an old enough version to still support SSLv2/3 should be aware that they have potential security problems in their infrastructure. So I think it is best to be more secure for current systems than keeping the old ones a little more secure. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the secure choice with modern distributions. xmlrpc/tls1 limits the communication to TLSv1, while xmlrpc/ssl uses ssl.PROTOCOL_SSLv23. This protocol flag indicates that SSLv2 and SSLv3 could be used, but they are usually disabled in current versions of OpenSSL and allow clients to use the highest supported TLS version.
The best way would be to disable SSLv2 / SSLv3 contexts for the socket entirely (which is done by default in python 3)
See:
https://docs.python.org/2/library/ssl.html#socket-creation
The protocol name ssl.PROTOCOL_SSLv23 is deprecated starting with python 3.6 and is renamed to ssl.PROTOCOL_TLS.