Closed emillon closed 5 years ago
On Sat, Jul 04, 2015 at 07:31:00AM -0700, Etienne Millon wrote:
As reported in https://bugs.debian.org/781315, SSLv3 is now disabled in Python3.
It looks like it's still there in Python 3.5 [1,2], although it's discouraged 1. Maybe it's just been patched out on Debian? The current default is SSLv23 2, whose compatibility range changed (with OpenSSL v1.0.0?) 3. But instead of coding in a hard default, I think folks that don't care about their SSL version would be best served by using “whatever Python thinks is best” so we don't have to figure that out here ;). Python currently recommends 4 create_default_context (new in 3.4 5). For 3.2, we can't configure the protocol (see the current code). That leaves 3.3, where (assuming a modern OpenSSL), the best choice seems to be SSLv23 2. And also:
$ python3.4
import ssl context = ssl.create_default_context() context.protocol == ssl.PROTOCOL_SSLv23 True
TLSv1 seems like a poor choice, because it is incompatible with TLSv1.2 (the current tip). And SMTP_SSL supports a context argument since Python 3.3 6, so we can drop the “when not using 'smtp-ssl'” caveat. So how about a config setting like:
('smtp-ssl-protocol', ''), # TLS/SSL version to use for SSL connections
and code like:
if ssl or smtp_auth: protocol_name = config.get(section, 'smtp-ssl-protocol') if protocol_name: protocol = getattr(ssl, 'PROTOCOL{}'.format(protocol_name)) context = _ssl.SSLContext(protocol=protocol) else: try: context = _ssl.create_default_context() except AttributeError: # Python 3.3 or earlier context = _ssl.SSLContext(protocol=_ssl.PROTOCOL_SSLv23) if ssl: try: smtp = _smtplib.SMTP_SSL(context=context) except TypeError: # Python 3.2 or earlier smtp = _smtplib.SMTP_SSL() … if config.getboolean(section, 'smtp-auth'): … try: smtp.starttls(context=context) except TypeError:
smtp.starttls()
Yes, please use SSLv23
as the default, not TLSv1
.
SSLv23
, contrary to what the name suggests, selects the highest protocol version that both client and server support.
OTOH, TLSv1
selects TLSv1.0 only, which happens to be the lowest protocol version that Debian's OpenSSL currently supports.
OK, leaving that to Python is definitely the good thing to do.
I agree with the code snippet you posted. But I'm wondering about providing an upgrade path for users that have SSLv3 in their config on a system where it's unavailable (as in Debian). It think it'd be nicer for such users to fallback to the else
case with a warning message.
How would you feel about this change?
@emillon I think this change has been superseded by @Yannik's 5a6e3809c6de8e4c55d3b94bd2fe53cde0714c6a and deb8007e8b7c8e45a435d12811f258c147fd9718, which have been merged in https://github.com/rss2email/rss2email/ (new home of rss2email following maintainership changes), feel free to close this PR :)
nice, thanks! I agree that it's better handled by the library itself.
As reported in https://bugs.debian.org/781315, SSLv3 is now disabled in Python3. It is thus necessary to perform the following changes: