Mirror of https://github.com/python/cpython.git (synced 2025-08-04 08:59:19 +00:00)
Issue #4870: Add an ``options`` attribute to SSL contexts, as well as several ``OP_*`` constants to the `ssl` module. This allows protocol versions to be selectively disabled when used in combination with `PROTOCOL_SSLv23`.
This commit is contained in:
parent 955d1b22e2
commit b52187710e
5 changed files with 204 additions and 57 deletions
@ -257,6 +257,37 @@ Functions, Constants, and Exceptions
modern version, and probably the best choice for maximum protection, if both
sides can speak it.
.. data:: OP_ALL
Enables workarounds for various bugs present in other SSL implementations.
This option is set by default.
.. versionadded:: 3.2
.. data:: OP_NO_SSLv2
Prevents an SSLv2 connection. This option is only applicable in
conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from
choosing SSLv2 as the protocol version.
.. versionadded:: 3.2
.. data:: OP_NO_SSLv3
Prevents an SSLv3 connection. This option is only applicable in
conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from
choosing SSLv3 as the protocol version.
.. versionadded:: 3.2
.. data:: OP_NO_TLSv1
Prevents a TLSv1 connection. This option is only applicable in
conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from
choosing TLSv1 as the protocol version.
.. versionadded:: 3.2
.. data:: OPENSSL_VERSION
The version string of the OpenSSL library loaded by the interpreter::
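Review bot: The three ``OP_NO_*`` entries (``OP_NO_SSLv2``, ``OP_NO_SSLv3``, ``OP_NO_TLSv1``) repeat the same two sentences word for word; consider stating once that these options only take effect when the context was created with :const:`PROTOCOL_SSLv23`, and cross-reference :attr:`SSLContext.options`, which is where the flags are actually applied. The ``OP_ALL`` entry says it "is set by default" but not how it combines with the ``OP_NO_*`` flags; since the ``SSLContext.options`` hunk describes the flags as being ORed together, a sentence here saying that ``OP_ALL`` stays set when an ``OP_NO_*`` flag is ORed in would spare readers a wrong guess.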
@ -440,6 +471,17 @@ SSL Contexts
and *suppress_ragged_eofs* have the same meaning as in the top-level
:func:`wrap_socket` function.
.. attribute:: SSLContext.options
An integer representing the set of SSL options enabled on this context.
The default value is :data:`OP_ALL`, but you can specify other options
such as :data:`OP_NO_SSLv2` by ORing them together.
.. note::
With versions of OpenSSL older than 0.9.8m, it is only possible
to set options, not to clear them. Attempting to clear an option
(by resetting the corresponding bits) will raise a ``ValueError``.
.. attribute:: SSLContext.protocol
The protocol version chosen when constructing the context. This attribute
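Review bot: The sentence "you can specify other options such as :data:`OP_NO_SSLv2` by ORing them together" should say explicitly that the attribute is read, modified and written back (``context.options |= ssl.OP_NO_SSLv2``), not assigned: a plain ``context.options = ssl.OP_NO_SSLv2`` resets the default ``OP_ALL`` bits, which is exactly the "clearing an option" case that the note below says raises ``ValueError`` on OpenSSL older than 0.9.8m. The "Protocol versions" hunk already uses the ``|=`` form, so repeating it here keeps the two passages consistent.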
@ -794,6 +836,20 @@ to specify :const:`CERT_REQUIRED` and similarly check the client certificate.
equivalent unless anonymous ciphers are enabled (they are disabled
by default).
Protocol versions
^^^^^^^^^^^^^^^^^
SSL version 2 is considered insecure and is therefore dangerous to use. If
you want maximum compatibility between clients and servers, it is recommended
to use :const:`PROTOCOL_SSLv23` as the protocol version and then disable
SSLv2 explicitly using the :data:`SSLContext.options` attribute::
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.options |= ssl.OP_NO_SSLv2
The SSL context created above will allow SSLv3 and TLSv1 connections, but
not SSLv2.
.. seealso::
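Review bot: The new "Protocol versions" section only demonstrates ``OP_NO_SSLv2``, although this same change adds ``OP_NO_SSLv3`` and ``OP_NO_TLSv1``; the closing sentence ("will allow SSLv3 and TLSv1 connections, but not SSLv2") is the natural place to say that the flags can be ORed into the same attribute, e.g. ``context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3``, so that readers who want to accept fewer versions know the same mechanism covers it rather than assuming a different ``PROTOCOL_*`` constant is needed.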