Reputation: 2408
I need my Python TLS client to offer only version TLS 1.2 (disable TLS 1.0, TLS 1.1, SSLv3, SSLv2).
I am using python 3.6.5 and the openssl library under Windows 10. According to the official documentation here, these two lines should prevent TLS 1.0 and TLS 1.1:
ssl.OP_NO_TLSv1
Prevents a TLSv1 connection. This option is only applicable in conjunction with PROTOCOL_TLS. It prevents the peers from choosing TLSv1 as the protocol version.
New in version 3.2.
ssl.OP_NO_TLSv1_1
Prevents a TLSv1.1 connection. This option is only applicable in conjunction with PROTOCOL_TLS. It prevents the peers from choosing TLSv1.1 as the protocol version. Available only with openssl version 1.0.1+.
New in version 3.4.
And the above documentation says they are only applicable with the newly introduced PROTOCOL_TLS.
However, in practice, I tried to disable TLS 1.0 and TLS 1.1 and tested connecting to a TLS 1.0 server (the ONLY version supported on the test server), and my script is still able to connect to it.
Am I doing something wrong? What is the syntax for using the above two options in conjunction with PROTOCOL_TLS?
This is the script I'm running:
```python
import socket, ssl

# note: the IP below is for a private testing server, not a public address
domain = '192.168.56.7'

context = ssl.SSLContext()
# These three assignments are the subject of the question (kept as posted):
# they do not restrict which TLS versions the context will negotiate.
context.protocol = ssl.PROTOCOL_TLS
context.protocol = ssl.OP_NO_TLSv1    # prevents TLS 1.0
context.protocol = ssl.OP_NO_TLSv1_1  # prevents TLS 1.1
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sslSocket = context.wrap_socket(s, server_hostname=domain)
sslSocket.connect((domain, 443))
print("connection succeeded")
sslSocket.close()
```
NOTE: for testing a live TLS 1.0 server, you can find any TLS 1.0 server by searching or use this link but I think they are using a different port than 443.
NOTE: I did not add ssl.OP_NO_SSLv2 nor ssl.OP_NO_SSLv3, because they are disabled by default when using context.protocol = ssl.PROTOCOL_TLS.
Upvotes: 2
Views: 7723
Reputation: 123541
The documentation for SSLContext clearly states:
SSLContext.protocol
The protocol version chosen when constructing the context. This attribute is read-only.
Thus, any attempts to set the protocol using this attribute will fail. Instead you need to modify the SSLContext.options:
```python
context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
```
Upvotes: 5