Closed artyb55 closed 3 months ago
Answering this question for my own future reference:
pyftpdlib doesn't set any explicit defaults for TLS/SSL versions or ciphers and neither does PyOpenSSL, so you get whatever the default is in the OpenSSL build on your system.
You can override the SSL options by assigning something to the ssl_options property on the TLS_FTPHandler, which will get passed into the SSL context when it is created. The options are the constants starting with OP here and they can be bitwise ORed together: https://www.pyopenssl.org/en/latest/api/ssl.html#
e.g.:

```python
from OpenSSL import SSL
from pyftpdlib.handlers import TLS_FTPHandler
...
# The attributes are set on the handler class; pyftpdlib reads them when it
# builds the SSL context for each control connection
handler = TLS_FTPHandler
handler.certfile = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
handler.keyfile = '/etc/ssl/private/ssl-cert-snakeoil.key'
# OP_* constants are bit flags, so OR them together to disable several versions
handler.ssl_options = SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3
```
Edit: There's actually an ssl_protocol property you can set too. See this comment from the code:

```text
- (int) ssl_protocol:
    the desired SSL protocol version to use. This defaults to
    PROTOCOL_SSLv23 which will negotiate the highest protocol
    that both the server and your installation of OpenSSL
    support.
- (int) ssl_options:
    specific OpenSSL options. These default to:
    SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3| SSL.OP_NO_COMPRESSION
    which are all considered insecure features.
    Can be set to None in order to improve compatibility with
    older (insecure) FTP clients.
```

The defaults seem sensible.
Defaults are defined here: https://github.com/giampaolo/pyftpdlib/blob/43948e0228604c4bf28e171a2144adc499512a01/pyftpdlib/handlers.py#L3696-L3703
We set SSLv23_METHOD but we also explicitly disable SSLv2 and SSLv3, so at the moment the minimum supported SSL version offered by the server when a client connects should be TLSv1.
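Added example (my own code, not from this thread or from pyftpdlib) that turns the two comments above into a reusable helper: it builds the ssl_options mask for a chosen minimum version, for instance TLSv1.1 for the devices in the question, and reports which versions a given OpenSSL build will still offer while ssl_protocol stays at its SSLv23_METHOD default. It assumes the stdlib ssl module's OP_NO_* constants carry the same OpenSSL bit values as pyOpenSSL's SSL.OP_NO_*, and a handler exposing the certfile, keyfile and ssl_options attributes used in the snippet earlier; any file paths passed in are placeholders.

```python
import ssl

# Protocol versions in negotiation order; a minimum version disables everything
# that precedes it in this list.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumption: stdlib ssl exposes the same OpenSSL SSL_OP_NO_* bits as pyOpenSSL's
# SSL.OP_NO_*, so the mask built here can be assigned to TLS_FTPHandler.ssl_options.
OP_NO = {
    "SSLv2": ssl.OP_NO_SSLv2,  # 0 on OpenSSL >= 1.1, where SSLv2 is compiled out
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": getattr(ssl, "OP_NO_TLSv1_3", 0),  # 0 when the build lacks TLS 1.3
}

# pyftpdlib's documented default: SSLv2 and SSLv3 off, compression off (CRIME).
PYFTPDLIB_DEFAULT_OPTIONS = int(ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION)

def ssl_options_for_minimum(min_version):
    """Bitmask that disables every protocol older than min_version and keeps
    compression off; ssl_protocol can stay at its SSLv23_METHOD default, so the
    server still negotiates the highest version the client supports."""
    if min_version not in VERSIONS:
        raise ValueError("unknown protocol version: %r" % (min_version,))
    mask = ssl.OP_NO_COMPRESSION
    for name in VERSIONS[: VERSIONS.index(min_version)]:
        mask |= OP_NO[name]
    return int(mask)

def disabled_versions(mask):
    """Versions the mask refuses. A flag equal to 0 means this OpenSSL build cannot
    offer the version at all, so it is reported as disabled whatever the mask."""
    return {name for name, flag in OP_NO.items() if flag == 0 or mask & flag}

def offered_versions(mask):
    """Versions the server will still negotiate under the mask."""
    return set(VERSIONS) - disabled_versions(mask)

def configure_handler(handler, min_version, certfile, keyfile):
    """Apply the floor to a pyftpdlib TLS_FTPHandler (or subclass) using the same
    certfile/keyfile/ssl_options class attributes as the snippet in the thread."""
    handler.certfile = certfile
    handler.keyfile = keyfile
    handler.ssl_options = ssl_options_for_minimum(min_version)
    return handler
```

Calling `configure_handler(TLS_FTPHandler, "TLSv1.1", cert, key)` gives the TLS 1.1-only devices a working floor without reopening TLS 1.0 or SSLv3, and `offered_versions(ssl_options_for_minimum("TLSv1.1"))` shows what that build will actually accept.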
Thanks for the reply. Unfortunately we had to find a different work-around to suit the timescale of the project.
Hi,
Could you clarify which TLS versions are supported, and how much longer they may be supported for? How can the TLS version be specified? Does it depend on another python component? We have some devices which only support TLS 1.1, which I know is bad, but hopefully better than plain FTP.
Thank you, A