On Sun, Sep 27, 2015 at 09:11:22PM +0200, Landry Breuil wrote:
> On Sat, Sep 26, 2015 at 03:34:53PM +0200, Jona Joachim wrote:
> > Hi,
> > weboob has a runtime dependency for SSLv3. The attached diff replaces
> > SSLv3 usage with SSLv23.
> >
> > 2015-09-26 15:02:52,557:ERROR:weboob:1.0:ouiboube.py:450:load_backends
> > Unable to load module "cic": 'module' object has no attribute
> > 'PROTOCOL_SSLv3'
> >
> > This is already fixed in the upstream git repo.
>
> I don't see this in
> https://github.com/laurentb/weboob/blob/master/weboob/deprecated/browser/browser.py#L783
PROTOCOL_SSLv3 was replaced with PROTOCOL_SSLv23 in commit c42f4b61d83b.
However, I think that change and the previous code were a mistake. Despite
the name, they should only be using SSLv23.

> > +- _PROTOCOLS = [ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3]
> > ++ _PROTOCOLS = [ssl.PROTOCOL_SSLv23]
>
> I'm not sure removing TLSv1 makes sense... don't we want to deprecate
> SSLv2 and SSLv3 here? What upstream commit are you referring to?

OpenSSL has an unfortunately named 'SSLv23_*' method that really means
"highest supported protocol (SSL or TLS)". You can optionally disable
protocols by setting the SSL_OP_NO_* options. We gutted SSLv2 and SSLv3
support in LibreSSL, so 'SSLv23' means TLS v1.0 or higher for us by
default.

Upstream weboob changed the above line in git to:

    _PROTOCOLS = [ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23]

It looks like their intention is to try TLS and, if that fails, fall back
on SSL. The way they are doing this has unintended consequences, and it's
not necessary to have multiple tries. 'TLSv1' is another unfortunate name
that means TLS v1.0 only and not TLS v1.*. The _PROTOCOLS above will try
TLS v1.0 specifically and, if that fails, fall back on what SSLv23 allows.
In practice, 'TLSv1' will select TLS v1.0 even if TLS v1.0 through v1.2
are supported by the server. If 'SSLv23' were used, it would select the
highest supported protocol in common between the client and the server
(subject to SSL_OP_NO_*).

Upstream should remove _PROTOCOLS and always use SSLv23. It already does
what they want.
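Review bot: the `++ _PROTOCOLS = [ssl.PROTOCOL_SSLv23]` line keeps the `_PROTOCOLS` list, and therefore the retry loop in browser.py that walks it, just to hold a single entry; since the SSLv23 method already negotiates the highest protocol both sides support, the list and the loop can be dropped rather than shortened, as the reply recommends for upstream. Also note that "SSLv23 means TLS v1.0 or higher" only holds for a LibreSSL-linked Python; against an OpenSSL that still ships SSLv3, what actually excludes SSLv2/SSLv3 are the SSL_OP_NO_* options (exposed in Python as ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3), which is the direct answer to the "don't we want to deprecate SSLv2 and SSLv3 here?" question.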
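The following is an added example, not code from weboob or from this reply. It models the method semantics described above ('TLSv1' = TLS 1.0 only; 'SSLv23' = highest version in common, minus SSL_OP_NO_* exclusions), runs weboob's _PROTOCOLS retry loop and the plain SSLv23 choice against a few constructed server and library capability sets, and then builds the single ssl.SSLContext a client should use instead of iterating a protocol list. The version sets, the negotiate/weboob_loop functions and the case labels are assumptions made for illustration; the SSLContext part uses only the real ssl module API.

```python
"""Added example (not weboob's code, not from the thread's reply).

Part 1 models the OpenSSL method semantics the reply describes and runs
weboob's _PROTOCOLS retry loop against constructed server configurations.
Part 2 builds the one client SSLContext that replaces that loop.
"""
import ssl
import warnings

# Constructed version labels, ordered so max() picks the newest protocol.
SSLv2, SSLv3, TLS10, TLS11, TLS12 = 2, 3, 10, 11, 12
NAMES = {SSLv2: "SSLv2", SSLv3: "SSLv3", TLS10: "TLSv1.0",
         TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

# Constructed library capability sets (assumption: what each library was
# built with at the time of the thread; LibreSSL has SSLv2/SSLv3 gutted).
OPENSSL = frozenset({SSLv2, SSLv3, TLS10, TLS11, TLS12})
LIBRESSL = frozenset({TLS10, TLS11, TLS12})


def negotiate(method, server, library, disabled=frozenset()):
    """Version chosen by one handshake attempt, or None if it fails.

    method   : "SSLv23" for the version-flexible method, or a fixed
               version (TLS10 for PROTOCOL_TLSv1, SSLv3 for PROTOCOL_SSLv3).
    server   : versions the server offers.
    library  : versions the client library supports.
    disabled : SSL_OP_NO_* exclusions; only the SSLv23 method honours them.
    """
    if method == "SSLv23":
        offered = library - disabled
    else:
        offered = {method} & library
    common = offered & server
    return max(common) if common else None


def weboob_loop(protocols, server, library):
    """weboob's _PROTOCOLS strategy: try each method in order and keep the
    first one that connects, even if a later entry would do better."""
    for method in protocols:
        chosen = negotiate(method, server, library)
        if chosen is not None:
            return chosen
    return None


def make_client_context():
    """The single context that replaces the loop: version-flexible method,
    SSLv2/SSLv3 switched off via options so the result is the same whether
    the interpreter links OpenSSL or LibreSSL, and peer verification on."""
    with warnings.catch_warnings():
        # PROTOCOL_SSLv23 (alias of PROTOCOL_TLS) warns as deprecated on 3.10+
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    return ctx


def summarize(ctx):
    """Facts about a context worth checking in a test."""
    return {
        "no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "verifies": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    modern = frozenset({TLS10, TLS11, TLS12})
    tls12_only = frozenset({TLS12})
    sslv3_only = frozenset({SSLv3})
    cases = [
        ("old upstream [TLSv1, SSLv3], TLS1.0-1.2 server",
         weboob_loop([TLS10, SSLv3], modern, OPENSSL)),
        ("new upstream [TLSv1, SSLv23], TLS1.0-1.2 server",
         weboob_loop([TLS10, "SSLv23"], modern, OPENSSL)),
        ("SSLv23 alone, TLS1.0-1.2 server",
         negotiate("SSLv23", modern, OPENSSL)),
        ("old upstream [TLSv1, SSLv3], TLS1.2-only server",
         weboob_loop([TLS10, SSLv3], tls12_only, OPENSSL)),
        ("SSLv23 alone, SSLv3-only server, OpenSSL",
         negotiate("SSLv23", sslv3_only, OPENSSL)),
        ("SSLv23 + OP_NO_SSLv3, SSLv3-only server, OpenSSL",
         negotiate("SSLv23", sslv3_only, OPENSSL, {SSLv2, SSLv3})),
        ("SSLv23 alone, SSLv3-only server, LibreSSL",
         negotiate("SSLv23", sslv3_only, LIBRESSL)),
    ]
    for label, chosen in cases:
        print(f"{label}: {NAMES.get(chosen, 'handshake fails')}")
    print(summarize(make_client_context()))
```

The model makes the two consequences concrete: with the TLSv1-first list a server that speaks TLS 1.0 through 1.2 is always talked to at 1.0, while SSLv23 alone picks 1.2; and on an OpenSSL build SSLv23 alone will still accept an SSLv3-only peer unless OP_NO_SSLv3 is set, which is why make_client_context sets it explicitly instead of relying on the library having removed SSLv3.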