search

crustymonkey / py-sonic

A python library to wrap the Subsonic REST API
http://stuffivelearned.org/doku.php?id=programming:python:py-sonic
GNU General Public License v3.0
57 stars 26 forks source link

use TLSv1 by default and fallback to SSLv3 when needed #5

Closed ties closed 10 years ago

ties commented 10 years ago

The library used to fail to connect to a server which does not permit SSLv3. I re-enabled SSLv3 in order to use this library.

With the disclosure of CVE-2014-3566 this is unwanted behaviour.

With this patch, by default, TLSv1 is tried. If it's not available the library downgrades to SSLv3.

Even though this is unwanted behaviour, this patch should allows the client to be used with a server that does not allow SSLv3 while not breaking backwards compatibility.

(Since it's hard to make the client make arbitrary requests, I think this is reasonable behaviour).

crustymonkey commented 10 years ago

Thanks for the patch. I actually spent a little time and reorganized things to make the fix a bit cleaner in terms of having a fallback chain with preference based ordering.

ties commented 10 years ago

Hi,

Your solution is quite a bit cleaner than mine.

This stuff is quite fiddly – and hard to do right (for example: right now it does not validate certificates, and you need to switch the opener to configure that).

I would like to keep the comment about Python 2.7.9/Python 3 SSLContext in there, since imo that's the sensible way to configure this in the end.

Before this pull request, I wrote code that used SSLContext and fell back to manual configuration if that did not work. However, that caused some bloat. I'd make that switch when moving to Python 3/dropping 2.7 support.

crustymonkey commented 10 years ago

The SSLContext approach is definitely something to consider for the python 3 branch. However, I don't anticipate dropping support for 2.x anytime soon, if ever, as that is by far and away the largest userbase out there. On Oct 17, 2014 2:37 AM, "Ties de Kock" notifications@github.com wrote:

Hi,

Your solution is quite a bit cleaner than mine.

This stuff is quite fiddly – and hard to do right (for example: right now it does not validate certificates, and you need to switch the opener to configure that).

I would like to keep the comment about Python 2.7.9/Python 3 SSLContext in there, since imo that's the sensible way to configure this in the end.

Before this pull request, I wrote code that used SSLContext and fell back to manual configuration if that did not work. However, that caused some bloat. I'd make that switch when moving to Python 3/dropping 2.7 support.

— Reply to this email directly or view it on GitHub https://github.com/crustymonkey/py-sonic/pull/5#issuecomment-59489905.