pyOpenSSL

Feature Request: Support for TLS 1.2

Bug #1020632 reported by Thom Nichols
46
This bug affects 9 people
Affects Status Importance Assigned to Milestone
pyOpenSSL
Fix Committed
Medium
Jean-Paul Calderone

Bug Description

When building against OpenSSL 1.0.1, it should be possible to take advantage of TLS 1.2 support. I believe this would require the addition of a OpenSSL.SSL.TLSv1_2_METHOD to signal the use of a TLS 1.2 handshake.

Also there is no TLS 1.1 method but it's unclear if that's covered by the OpenSSL.SSL.TLSv1_METHOD. There should be an explicit method for TLS v1.1 as well. Thanks!

Related branches

lp://staging/~exarkun/pyopenssl/tlsv1_1or2
Jean-Paul Calderone: Pending requested
Diff: 275 lines (+109/-29)
5 files modified
OpenSSL/ssl/context.c (+29/-5)
OpenSSL/ssl/context.h (+2/-0)
OpenSSL/ssl/ssl.c (+8/-0)
OpenSSL/test/test_ssl.py (+24/-11)
doc/api/ssl.rst (+46/-13)
Revision history for this message
Fedor Brunner (fedor-brunner) wrote :

This patch will add support for TLS v1.1 and TLS v1.2 . These protocols protect against SSL/TLS new attacks
https://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks

Revision history for this message
Jean-Paul Calderone (exarkun) wrote :

This patch looks reasonable. However, please contribute future patches against *trunk* so that they don't need to be ported to trunk.

Jean-Paul Calderone (exarkun)
Changed in pyopenssl:
assignee: nobody → Jean-Paul Calderone (exarkun)
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Andy Lutomirski (luto-mit) wrote :

After staring at the utter crap OpenSSL docs for a while, it turns out that, almost regardless of what you're trying to interoperate with, the correct method to use is SSL.SSLv23_METHOD. TLSv1_2_METHOD means TLS 1.2 *only*. Similarly, TLSv1_METHOD means TLS 1.0 *only* (in particular, TLSv1_METHOD disallows TLSv1.2).

If you use SSL.SSLv23_METHOD and set SSL.OP_NO_SSLv2 (and optionally SSL.OP_NO_SSLv3) then you get reasonable results, including the availability of GCM ciphers.

Jean-Paul Calderone (exarkun)
Changed in pyopenssl:
status: In Progress → Fix Committed
Revision history for this message
Thom Nichols (tmnichols) wrote :

FWIW, our use case requires enforcing TLS v.1.2 ONLY. However good to know how you would achieve support for any TLS 1.x versions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.