Marc-Andre Lemburg added the comment:

> STINNER Victor added the comment:
>
>> Any of the other options such as PROTOCOL_TLSv1 will fix the protocol
>> version to that one protocol version, whereas PROTOCOL_SSLv23 means to use
>> any protocol starting with SSLv2. In the context options you can then
>> disable SSLv2 and SSLv3 to e.g. have the connection use TLS 1.0 or later.
>
> get_server_certificate() uses _create_unverified_context() (in Python
> 2.7, 3.4 & 3.5) which explicitly disables SSLv2 and SSLv3. I still have
> trouble understanding which protocol will be negotiated. We use SSLv3
> and disable SSLv3, so the server can only use SSLv23. Am I right?
> https://docs.python.org/dev/library/ssl.html#ssl.wrap_socket
I'm not sure what OpenSSL will do if you tell it to use protocol SSLv3 and then disable this via the options again. This sounds like it won't connect at all, since PROTOCOL_SSLv3 means: only support SSLv3 :-)

The logic used for protocol selection in OpenSSL is, well, weird. You have the choice between fixing one single protocol version or selecting a range and then disabling certain protocol versions when configuring the context options.

FWIW: The ssl_version parameter in _create_unverified_context() already uses the correct default; IMO, exposing the parameter in get_server_certificate() is fairly useless, unless you want to (ab)use the function to test supported protocol versions :-)

----------
Python tracker <http://bugs.python.org/issue22935>
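To make the two selection modes concrete, here is an added Python example (not code from the tracker thread or from CPython) that models the rule quoted above, a pinned PROTOCOL_* constant versus PROTOCOL_SSLv23 narrowed by OP_NO_* bits, and builds the context shape the thread says _create_unverified_context() uses. The version labels and the OP_NO bit table are constructed for the model; treating a pinned version that is also disabled as unusable follows the expectation stated in the thread, not verified OpenSSL behaviour.

```python
import ssl
import warnings

# Wire-protocol versions, oldest first (labels constructed for this model).
VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Hypothetical bit values standing in for ssl.OP_NO_* flags in the model;
# the real ssl constants are used in build_legacy_context() below.
OP_NO = {"SSLv2": 1 << 0, "SSLv3": 1 << 1, "TLSv1": 1 << 2,
         "TLSv1.1": 1 << 3, "TLSv1.2": 1 << 4}


def allowed_versions(protocol, options=0):
    """Return the versions a context could negotiate under the quoted rule.

    protocol is "SSLv23" (any version, then narrowed by OP_NO_* bits) or a
    single version name, which pins exactly that version. A pinned version
    that is also disabled by an OP_NO_* bit yields an empty list, which is
    the thread's expectation (assumption, not verified OpenSSL behaviour).
    """
    candidates = VERSIONS if protocol == "SSLv23" else (protocol,)
    return [v for v in candidates if not options & OP_NO[v]]


def build_legacy_context():
    """Build the context shape described in the thread: PROTOCOL_SSLv23 with
    SSLv2 and SSLv3 disabled through options, leaving TLS 1.0 or later."""
    with warnings.catch_warnings():
        # These constants are deprecated in current CPython but still exist.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def ssl3_disabled(ctx):
    """True when the context carries the OP_NO_SSLv3 bit."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    print(allowed_versions("SSLv23", OP_NO["SSLv2"] | OP_NO["SSLv3"]))
    print(allowed_versions("TLSv1"))
    print(allowed_versions("SSLv3", OP_NO["SSLv3"]))
    print(ssl3_disabled(build_legacy_context()))
```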