How to prevent older versions of the TLS protocol in python openssl client

Submitted by 帅比萌擦擦* on 2019-12-11 06:05:51

Question


I need my python TLS client to offer only version TLS 1.2 (disable TLS 1.0, TLS 1.1, SSLv3, SSLV2).

I am using python 3.6.5 and the openssl library under Windows 10. According to the official documentation here, these two lines should prevent TLS 1.0 and TLS 1.1:

ssl.OP_NO_TLSv1

Prevents a TLSv1 connection. This option is only applicable in conjunction with PROTOCOL_TLS. It prevents the peers from choosing TLSv1 as the protocol version.

New in version 3.2.

ssl.OP_NO_TLSv1_1

Prevents a TLSv1.1 connection. This option is only applicable in conjunction with PROTOCOL_TLS. It prevents the peers from choosing TLSv1.1 as the protocol version. Available only with openssl version 1.0.1+.

New in version 3.4.

And the above documentation says they are only applicable with the newly introduced:

PROTOCOL_TLS

However, in practice I tried to disable TLS 1.0 and TLS 1.1 and tested connecting to a TLS 1.0 server (the ONLY version supported by the test server), and my script was still able to connect to it.

Am I doing something wrong? How should the above two lines be used in conjunction with PROTOCOL_TLS?

This is the script I'm running:

import socket, ssl

context = ssl.SSLContext()

context.protocol = ssl.PROTOCOL_TLS
context.protocol = ssl.OP_NO_TLSv1 # prevents TLS 1.0
context.protocol = ssl.OP_NO_TLSv1_1 # prevents TLS 1.1

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

#note: the IP below is for private testing server not a public address
domain = '192.168.56.7'
sslSocket = context.wrap_socket(s, server_hostname = domain)
sslSocket.connect((domain, 443))

print("connection succeeded")
sslSocket.close()

NOTE: for testing a live TLS 1.0 server, you can find any TLS 1.0 server by searching or use this link but I think they are using a different port than 443.

NOTE: I did not add ssl.OP_NO_SSLv2 or ssl.OP_NO_SSLv3 because they are disabled by default when using context.protocol = ssl.PROTOCOL_TLS.


Answer 1:


The documentation for SSLContext clearly states:

SSLContext.protocol
The protocol version chosen when constructing the context. This attribute is read-only.

Thus, any attempts to set the protocol using this attribute will fail. Instead you need to modify the SSLContext.options:

context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
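The answer's fix carried through as an added example (not code from the original question or answer): it builds a client context that refuses everything below TLS 1.2 via SSLContext.options, adds minimum_version where the running Python (3.7+) offers it, and includes a check that shows why assigning to the read-only SSLContext.protocol cannot work. It assumes PROTOCOL_TLS_CLIENT, the client-side form of PROTOCOL_TLS that also turns on certificate and hostname verification; the function names are the example's own.

```python
import ssl

# Version bits to refuse. Note: on OpenSSL 1.1+ SSLv2 support is compiled
# out and ssl.OP_NO_SSLv2 is 0, so it is not a usable "disabled" indicator.
LEGACY_OPTIONS = ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1


def make_tls12_only_context():
    """Return a client SSLContext that only negotiates TLS 1.2 or newer."""
    # PROTOCOL_TLS_CLIENT (assumed here) negotiates like PROTOCOL_TLS but
    # enables certificate verification and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Python 3.7+: express the floor as a minimum version (preferred API).
    if hasattr(ctx, "minimum_version"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The answer's fix: restrictions are bits OR-ed into ctx.options,
    # not an assignment to ctx.protocol.
    ctx.options |= LEGACY_OPTIONS
    return ctx


def legacy_versions_enabled(ctx):
    """Return names of pre-TLS-1.2 versions the context would still offer.

    A version counts as blocked if minimum_version already excludes it or
    if its OP_NO_* bit is set in ctx.options.
    """
    if hasattr(ctx, "minimum_version") and \
            ctx.minimum_version >= ssl.TLSVersion.TLSv1_2:
        return []
    checks = (("SSLv3", ssl.OP_NO_SSLv3),
              ("TLSv1", ssl.OP_NO_TLSv1),
              ("TLSv1.1", ssl.OP_NO_TLSv1_1))
    # Skip bits that are 0 (feature compiled out of the linked OpenSSL).
    return [name for name, bit in checks if bit and not ctx.options & bit]


def protocol_attribute_is_writable(ctx):
    """Show why the question's script could not work: .protocol is read-only."""
    try:
        ctx.protocol = ssl.PROTOCOL_TLS
    except AttributeError:
        return False
    return True


if __name__ == "__main__":
    ctx = make_tls12_only_context()
    print("legacy versions still enabled:", legacy_versions_enabled(ctx))
    print("protocol attribute writable:", protocol_attribute_is_writable(ctx))
```

Connect with context.wrap_socket(sock, server_hostname=...) exactly as in the question; a server that only speaks TLS 1.0 will now fail the handshake with an SSLError instead of connecting.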


Source: https://stackoverflow.com/questions/49765098/how-to-prevent-older-versions-of-the-tls-protocl-in-python-openssl-client
