如何在python openssl客户端中阻止TLS协议的旧版本 [英] How to prevent older versions of the TLS protocl in python openssl client
问题描述
我需要我的python TLS客户端仅提供TLS 1.2版本(禁用TLS 1.0,TLS 1.1,SSLv3,SSLV2).
I need my python TLS client to offer only version TLS 1.2 (disable TLS 1.0, TLS 1.1, SSLv3, SSLV2).
我正在使用python 3.6.5和Windows 10下的openssl库.根据官方文档此处,这两行应阻止TLS 1.0和TLS 1.1:
I am using python 3.6.5 and the openssl library under Windows 10. According to the official documentation here, these two lines should prevent TLS 1.0 and TLS 1.1:
ssl.OP_NO_TLSv1
ssl.OP_NO_TLSv1
防止TLSv1连接.该选项仅与PROTOCOL_TLS结合使用.它阻止了同行选择 TLSv1作为协议版本.
Prevents a TLSv1 connection. This option is only applicable in conjunction with PROTOCOL_TLS. It prevents the peers from choosing TLSv1 as the protocol version.
3.2版中的新功能.
New in version 3.2.
ssl.OP_NO_TLSv1_1
ssl.OP_NO_TLSv1_1
防止TLSv1.1连接.此选项仅与PROTOCOL_TLS结合使用.它阻止了同行选择 TLSv1.1作为协议版本.仅适用于openssl版本 1.0.1 +.
Prevents a TLSv1.1 connection. This option is only applicable in conjunction with PROTOCOL_TLS. It prevents the peers from choosing TLSv1.1 as the protocol version. Available only with openssl version 1.0.1+.
3.4版中的新功能.
New in version 3.4.
上面的注释说明它们仅适用于新引入的产品:
And the above doucumentation says they are only applicable with the newly introduced:
PROTOCL_TLS
但是,在实践中,我尝试禁用TLS 1.0和TLS 1.1并测试连接到TLS 1.0(测试服务器仅支持版本),并且我的脚本仍然能够连接到它.
However, in practice, I tried to disable TLS 1.0 and TLS 1.1 and test connecting to a TLS 1.0 (ONLY version supported in the test server) and my script still able to connect to it.
我做错什么了吗?上面两行与PROTOCOL_TLS结合使用时的语法如何?
Am I doing something wrong? how the above two lines syntax in using them in conjunction with PROTOCOL_TLS?
这是我正在运行的脚本:
This is the script I'm running:
import socket, ssl
context = ssl.SSLContext()
context.protocol = ssl.PROTOCOL_TLS
context.protocol = ssl.OP_NO_TLSv1 # prevents TLS 1.0
context.protocol = ssl.OP_NO_TLSv1_1 # prevents TLS 1.1
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#note: the IP below is for private testing server not a public address
sslSocket = context.wrap_socket(s, server_hostname = '192.168.56.7')
sslSocket.connect((domain, 443))
print("connection succeeded")
sslSocket.close()
注意::要测试实时TLS 1.0服务器,可以通过搜索或使用此
NOTE: for testing a live TLS 1.0 server, you can find any TLS 1.0 server by searching or use this link but I think they are using a different port than 443.
注意::我没有添加:ssl.OP_NO_SSLv2或ssl.OP_NO_SSLv3,因为使用context.protocol = ssl.PROTOCOL_TLS
NOTE: I did not add: ssl.OP_NO_SSLv2 nor ssl.OP_NO_SSLv3because they are disabled by default when using context.protocol = ssl.PROTOCOL_TLS
推荐答案
SSLContext.protocol SSLContext.protocol 因此,使用此属性设置协议的任何尝试均将失败.相反,您需要修改 SSLContext.options : Thus, any attempts to set the protocol using this attribute will fail. Instead you need to modify the SSLContext.options: 这篇关于如何在python openssl客户端中阻止TLS协议的旧版本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
构造上下文时选择的协议版本.此属性为只读.
The protocol version chosen when constructing the context. This attribute is read-only.context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
