On 2015-09-28, Landry Breuil <[email protected]> wrote: > On Sun, Sep 27, 2015 at 05:17:54PM -0700, Doug Hogan wrote: >> On Sun, Sep 27, 2015 at 09:11:22PM +0200, Landry Breuil wrote: >> > On Sat, Sep 26, 2015 at 03:34:53PM +0200, Jona Joachim wrote: >> > > Hi, >> > > weboob has a runtime dependency for SSLv3. The attached diff replaces >> > > SSLv3 usage with SSLv23. >> > > >> > > 2015-09-26 15:02:52,557:ERROR:weboob:1.0:ouiboube.py:450:load_backends >> > > Unable to load module "cic": 'module' object has no attribute >> > > 'PROTOCOL_SSLv3' >> > > >> > > This is already fixed in the upstream git repo. >> > >> > I dont see this in >> > https://github.com/laurentb/weboob/blob/master/weboob/deprecated/browser/browser.py#L783 >> >> PROTOCOL_SSLv3 was replaced with PROTOCOL_SSLv23 in commit: c42f4b61d83b >> However, I think that change and the previous code was a mistake. >> Despite the name, they should only be using SSLv23. >> >> > > +- _PROTOCOLS = [ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3] >> > > ++ _PROTOCOLS = [ssl.PROTOCOL_SSLv23] >> > >> > Im not sure removing TLSv1 makes sense... dont we want to deprecate >> > SSLv2 and SSLv3 here ? What upstream commit are you reffering to ? >> >> OpenSSL has an unfortunately named 'SSLv23_*' method that really means >> highest supported protocol (SSL or TLS). You can optionally disable >> protocols by settings options SSL_OP_NO_*. We gutted SSLv2 and SSLv3 >> support in LibreSSL so 'SSLv23' means TLS v1.0 or higher for us by >> default. >> >> Upstream weboob changed the above line in git to: >> >> _PROTOCOLS = [ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23] >> >> It looks like their intention is to try TLS and if that fails, fall >> back on SSL. The way they are doing this has unintended consequences >> and it's not necessary to have multiple tries. >> >> 'TLSv1' is another unfortunate name that means TLS v1.0 only and not >> v1.*. The _PROTOCOLS above will try TLS v1.0 specifically and if that >> fails, fall back on what SSLv23 allows. In practice, 'TLSv1' will >> select TLS v1.0 even if TLS v1.0 through v1.2 are supported by the >> server. If 'SSLv23' was used, it will select the highest supported >> protocol in common between the client and the server (but subject to >> SSL_OP_NO_*). >> >> Upstream should remove _PROTOCOLS and always use SSLv23. It already >> does what they want. > > Oh $DEITY so much nonsense in there... anyway, commited the fix.
Yes, this is completely counterintuitive. Anyway it is documented here: http://www.libressl.org/patches.html and here: https://docs.python.org/2/library/ssl.html#socket-creation I saw that you also removed TLSv1 upstream which is great.
