Skip to content
This repository has been archived by the owner on Feb 19, 2020. It is now read-only.

xmltream.py: avoid using SSLv3 on unsupported systems. #470

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

xmltream.py: avoid using SSLv3 on unsupported systems. #470

wants to merge 1 commit into from

Conversation

biergaizi
Copy link
Contributor

For many modern systems, SSLv3 have been completely removed by
upstream providers. In this case, the system openssl doesn't
support SSLv3, hence ssl.PROTOCOL_SSLv3 is no longer a valid
attribute anymore.

This commit checks whether the system supports SSLv3, avoid
trying to call "ssl.PROTOCOL_SSLv3" if unsupported. A user-friendly
notice is also written to the log, the documentation have been
updated as well.

Signed-off-by: Yifeng Li tomli@tomli.me

@biergaizi
xmltream.py: avoid using SSLv3 on unsupported systems.
0b29d8e 
For many modern	systems, SSLv3 have been completely removed by
upstream providers. In this case, the system openssl doesn't
support	SSLv3, hence ssl.PROTOCOL_SSLv3	is no longer a valid
attribute anymore.

This commit checks whether the system supports SSLv3, avoid
trying to call "ssl.PROTOCOL_SSLv3" if unsupported. A user-friendly
notice is also written to the log, the documentation have been
updated as well.

Signed-off-by: Yifeng Li <tomli@tomli.me>
@biergaizi
Copy link
Contributor Author

This should be included into stable versions as well.

thusser added a commit to thusser/SleekXMPP that referenced this pull request Nov 10, 2017
@thusser
upstream pull request fritzy#470 (fritzy#470): avoid using SSLv3 on u…
95f8cbe 
…nsupported systems
@ammgws
Copy link

ammgws commented Jan 31, 2019
edited
Loading

Also Python 3.6 and above have deprecated ssl.PROTOCOL_SSLv3 etc and now there's only ssl.PROTOCOL_TLS (though it looks like PROTOCOL_SSLv23 remains and is aliased to PROTOCOL_TLS).

Should adding that case to the logic around line 470 also be implemented in this PR?

Other than that I think this should be merged as soon as possible since this package is broken on up to date machines and it has been over a year since it was proposed.

@biergaizi
Copy link
Contributor Author

biergaizi commented Feb 4, 2019
edited
Loading

I've clarified in the comments.

    #: Default ssl_version is ``PROTOCOL_SSLv23``, but despite the name,
    #: ``PROTOCOL_SSLv23`` means to enable all possible SSL/TLS versions.
    #: In addition, SSLv2 & SSLv3 is insecure, we have explictly disabled
    #: them during the connections, which is considered as the best practice.
    #: Thus, ironically, ``PROTOCOL_SSLv23`` enables everything except SSLv2/3.

So I think it can still be kept as-is.

@ammgws
Copy link

ammgws commented Feb 4, 2019
edited
Loading

So you don't get an attribute error with Python 3.6? As far as I can tell if openSSL is compiled without SSLv3 support then the attribute ssl.PROTOCOL_SSLv3 won't exist and it will fail there. (Refer to std library docs for ssl module post Python 3.4)

@biergaizi
Copy link
Contributor Author

No, ssl.PROTOCOL_SSLv3 won't exist, this is what the pull request is fixing. But ssl.PROTOCOL_SSLv23 does exist.

@ammgws
Copy link

ammgws commented Feb 4, 2019

Ah sorry, I think I had also commented on the PR before this one and ended up confusing them. All good then.

@ammgws
Copy link

ammgws commented Mar 28, 2019

@bear Could you please have a look at this?

@Neustradamus
Copy link

Linked to: #500

@biergaizi biergaizi mentioned this pull request Apr 10, 2019
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@biergaizi @ammgws @Neustradamus