asantoni
commented
1 year ago Answering this question for my own future reference:
pyftpdlib doesn't set any explicit defaults for TLS/SSL versions or ciphers and neither does PyOpenSSL, so you get whatever the default is in the OpenSSL build on your system.
You can override the SSL options by assigning something to the ssloptions property on the TLSHandler, which will get passed into the SSL context it is created. The options are the constants starting with OP here and they can be bitwise ORed together: https://www.pyopenssl.org/en/latest/api/ssl.html#
eg:
from OpenSSL import SSL
from pyftpdlib.handlers import TLS_FTPHandler
...
handler = TLS_FTPHandler
handler.certfile = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
handler.keyfile = '/etc/ssl/private/ssl-cert-snakeoil.key'
handler.ssl_options = SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3Edit: There's actually an ssl_protocol property you can set too. See this comment from the code:
- (int) ssl_protocol:
the desired SSL protocol version to use. This defaults to
PROTOCOL_SSLv23 which will negotiate the highest protocol
that both the server and your installation of OpenSSL
support.
- (int) ssl_options:
specific OpenSSL options. These default to:
SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3| SSL.OP_NO_COMPRESSION
which are all considered insecure features.
Can be set to None in order to improve compatibility with
older (insecure) FTP clients.The defaults seem sensible....
giampaolo
artyb55
Hi,
Could you clarify which TLS versions are supported, and how much longer they may be supported for? How can the TLS version be specified? Does it depend on another python component? We have some devices which only support TLS 1.1, which I know is bad, but hopefully better than plain FTP.
Thank you, A