kagulik
commented
6 years ago I've got the same. Any solutions?
Open inkhey opened 7 years ago
kagulik
commented
6 years ago I've got the same. Any solutions?
nathanjameshill
commented
6 years ago Getting the exact same issue.
kaymccormick
commented
5 years ago According to https://docs.python.org/3/library/ssl.html:
Changed in version 3.5: The default ssl_version is changed from PROTOCOL_SSLv3 to PROTOCOL_TLS for maximum compatibility with modern servers.
I was able to fix it with this command in the source tree:
for A in find . -type f | xargs grep -l PROTOCOL_SSLv3; do sed -i -e 's/PROTOCOL_SSLv3/PROTOCOL_TLS/g' $A;done
the backticks around the find aren't showing up so i dont know whats up with tat .. I'm sure there is a better compatible way to fix this. like adding ssl.PROTOCOL_SSLvr = ssl.PROTOCOL_TLS to the init.py of the module
tuckerrc
commented
5 years ago I was able to fix this issue by editing sleekxmpp/xmlstream/xmlstream.py
Essentially I removed every instance of ssl.PROTOCOL_SSLv3 and any code relating to it.
@@ -459,10 +459,6 @@ class XMLStream(object):
# Good, create_default_context() is supported, which consists
# recommended security settings by default.
ctx = ssl.create_default_context()
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- # But if the user specifies insecure SSLv3, do a favor.
- ctx.options &= ~ssl.OP_NO_SSLv3 # UNSET NO_SSLv3, or set SSLv3
- ctx.set_ciphers(_CIPHERS_SSL) # _CIPHERS_SSL is weaker
# XXX: certificate is not verified in most circumstances.
# FIXME: need to provide a new option that verifies against system CAs.
@@ -472,16 +468,6 @@ class XMLStream(object):
elif cert_policy == ssl.CERT_REQUIRED:
ctx.load_verify_locations(cafile=self.ca_certs)
else:
- # Oops, create_default_context() is not supported.
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- # First, if the user specifies insecure SSLv3, do a favor.
- ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
- ctx.set_ciphers(_CIPHERS_SSL)
- else:
- # Or, set the version to TLSv1 (later is not supported),
- # and set a list of good ciphers.
- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- ctx.set_ciphers(_CIPHERS_TLS)
# And in both case, CRIME attack needs to be prevented.
if sys.version_info >= (3, 3):
ctx.options &= ssl.OP_NO_COMPRESSION
@@ -497,10 +483,6 @@ class XMLStream(object):
elif sys.version_info >= (2, 7, 9):
# Good, create_default_context() is supported, do the same as Python 3.4.
ctx = ssl.create_default_context()
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- # If the user specifies insecure SSLv3, do a favor.
- ctx.options &= ~ssl.OP_NO_SSLv3
- ctx.set_ciphers(_CIPHERS_SSL)
if cert_policy == ssl.CERT_NONE:
# XXX: certificate is not verified!
ctx.check_hostname = False
@@ -508,10 +490,7 @@ class XMLStream(object):
elif cert_policy == ssl.CERT_REQUIRED:
ctx.load_verify_locations(cafile=self.ca_certs)
else:
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- ssl_args['ssl_version'] = ssl.PROTOCOL_SSLv3
- else:
- ssl_args['ssl_version'] = ssl.PROTOCOL_TLSv1
+ ssl_args['ssl_version'] = ssl.PROTOCOL_SSLv23
ctx = None
if ctx:I don't know if this is the best way but it is working on Ubuntu 16.04.5 LTS using python 2.7.12
You can also change the last line ssl.PROTOCOL_SSLv23 to ssl.PROTOCOL_TLSv1_2
Neustradamus
commented
5 years ago @inkhey @potnii @nathanjameshill @kaymccormick @tuckerrc: There is a PR:
The master is: https://github.com/fritzy/SleekXMPP/commits/develop
biergaizi
commented
5 years ago The correct patch is located at here:
https://github.com/fritzy/SleekXMPP/pull/470
I've submitted this patch years ago, but unfortunately, the project maintainer disappeared and it cannot be merged.
On debian Stretch, support for PROTOCOL_SSLv3 is disabled and Sleekxmpp failed.