Komodo / KomodoEdit

Komodo Edit is a fast and free multi-language code editor. Written in JS, Python, C++ and based on the Mozilla platform.
http://www.komodoide.com/komodo-edit

Upgrade TLS version #520

Open samdickerman opened 9 years ago

samdickerman commented 9 years ago

I'm trying to connect with a remote server and I am getting the following error from Komodo Edit (9.2.0):

[JavaScript Application] Error: 'ssl.c:504: EOF occurred in violation of protocol'

My server admin says: "It appears that this is due to the version of TLS that your FTP client is using TLS 1.0. Try changing the TLS version to 1.1 or 1.2"

I asked on the forum how to change to a newer version and nathanr of Komodo wrote:

Unfortunately there's no way to switch TLS versions, assuming that is indeed the problem. Please consider filing an enhancement request: https://github.com/Komodo/KomodoEdit/issues

Thanks

Naatan commented 9 years ago

Thanks! We'll have a look and see if we are indeed using an older TLS version. @mitchell-as think this is something you can look into?

mitchell-as commented 9 years ago

@Naatan This looks like a configurable Mozilla property: http://kb.mozillazine.org/Security.tls.version.*

How would you like to proceed updating it?

Naatan commented 9 years ago

Those settings already appear to be set to the proper min/max values. I kinda doubt that's used for FTP connections though, are you certain?

mitchell-as commented 9 years ago

No, I am not certain; that was just an educated guess I made with my rudimentary Mozilla knowledge :)

mitchell-as commented 8 years ago

Upon further investigation, we're using Python (via Paramiko) to facilitate our remote connections, including SFTP. Unfortunately, Python 2.7 (which is what Komodo uses) does not support TLS 1.1 or TLS 1.2. Python 3 supports later TLS versions, but nothing was backported to Python 2.7 since 2.7 is bugfix only (https://bugs.python.org/issue16692).

There are two ways to work around this:

  1. Use a 3rd party SSL library for Python 2.7 that explicitly supports TLS 1.1+ and rewrite our remotefilelib.p.py and potentially koSFTP.py and friends to use this library.
  2. Rewrite the components mentioned in (1) to use Mozilla's socket transport XPCOM component (https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsISocketTransportService). However, I am not convinced we'd get TLS 1.1+ support. Perhaps the Mozilla setting mentioned above might do the trick, but there's no guarantee.

Neither option is trivial and would require a good investment of time.

Naatan commented 8 years ago

Basically what this means is Komodo will not support TLS versions higher than version 1.0 until we address this?

mitchell-as commented 8 years ago

That's right.

th3coop commented 8 years ago

Why haven't more people hit this? Are no servers updating to require TLS 1.x?

mitchell-as commented 8 years ago

Likely because lots of things would break (perhaps even existing SFTP clients). I don't think TLS 1.0 is going away anytime soon, whatever the current recommended version is.

Naatan commented 8 years ago

Shouldn't this be something Paramiko solves though? I mean if it's feasible to use a third party dependency, wouldn't they have done it?

th3coop commented 8 years ago

From what I can tell Paramiko only covers SSH (SFTP) connections and we need something for SSL (FTPS) connections.

Naatan commented 8 years ago

ahh ok.

I think for now we'll leave this in the backlog then, as it does not affect many users and as @mitchell-as said the solution is not trivial.

mitchell-as commented 8 years ago

We use Python 2.7's SSL module to create a socket and then feed it to Paramiko. Paramiko doesn't create the socket for us. The socket we create needs to be able to have TLS 1.1+ connections.
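
A diagnostic for the question this thread keeps returning to (which TLS versions does a Python `ssl` client socket actually offer?), added here as an example; it is not Komodo's code. It assumes Python 3.7+ linked against OpenSSL rather than the Python 2.7 runtime discussed above, and the host name `ftps.example.invalid` and all helper names are made up for illustration.

```python
import ssl
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_hello_bytes(ctx):
    """Start a handshake against in-memory BIOs (no network) and return the ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="ftps.example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has written its hello and waits for the server
    return outgoing.read()

def offered_versions(record):
    """Versions advertised in a ClientHello record, highest first."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    legacy = struct.unpack_from("!H", record, 9)[0]
    pos = 9 + 2 + 32                                      # legacy_version + random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    if pos + 2 > len(record):
        return [legacy]                                   # no extensions at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:                                # supported_versions
            body = record[pos + 1:pos + 1 + record[pos]]
            found = struct.unpack("!%dH" % (len(body) // 2), body)
            return sorted(found, reverse=True)
        pos += ext_len
    return [legacy]  # without the extension, legacy_version is the client's ceiling

def pinned_context(minimum, maximum):
    """Client context restricted to the given protocol range."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx

if __name__ == "__main__":
    V = ssl.TLSVersion
    for floor, ceiling in ((V.TLSv1_2, V.TLSv1_2), (V.TLSv1_2, V.MAXIMUM_SUPPORTED)):
        offered = offered_versions(client_hello_bytes(pinned_context(floor, ceiling)))
        print(floor.name, "to", ceiling.name, "->", [NAMES.get(v, hex(v)) for v in offered])
```

A client whose hello tops out at TLS 1.0 (`0x0301`) is the case the server admin describes; a server that requires 1.1 or 1.2 can drop such a connection during the handshake.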