<p>From a quick test, if you build <a href="https://pypi.python.org/pypi/pyOpenSSL" rel="nofollow"><code>pyOpenSSL</code></a> on top of OpenSSL 1.0.1, it looks like you get TLSv1.1 and 1.2 support. And it supports Python 2.6+/3.2+.</p>

<p>The API is different from the stock <code>ssl</code> module, but the <a href="http://pythonhosted.org/pyOpenSSL/openssl-connection.html" rel="nofollow"><code>Connection</code></a> object is not that different from <code>ssl.SSLSocket</code>, so there's a good chance porting will just be a trivial search-and-replace.</p>

<p>With the current released version 0.13.1, there is implicit TLS 1.1 and 1.2 support, but no way to explicitly request or require them. The best you can do from the client side is set <code>SSLv23_METHOD</code> and add the <code>OP_NO_SSLv2</code> and <code>OP_NO_SSLv3</code> options, which guarantees TLS 1.0, 1.1, or 1.2. I haven't tested what you can do from the server side.</p>

<p>With the trunk code (the patch in <a href="https://bugs.launchpad.net/pyopenssl/+bug/1020632" rel="nofollow">#1020632</a> has been committed), there is explicit 1.1 and 1.2 support. From the client side, you can use <code>TLSv1_1_METHOD</code> to get TLSv1.1 only, <code>TLSv1_2_METHOD</code> to get TLSv1.2 only, and probably (I haven't tested) <code>SSLv23_METHOD</code> with <code>OP_NO_SSLv2</code>, <code>OP_NO_SSLv3</code>, and <code>OP_NO_TLSv1</code> to get 1.1 or 1.2. Again, I haven't tested what you can do from the server side.</p>

<p>You should be able to <code>pip install bzr+lp:pyopenssl</code> to install the trunk; if not, check it out or download a current tarball and <code>pip install</code> that.</p>

<hr>

<p>My guess is that you can write code that always gets 1.2 when using properly-built pyOpenSSL 0.13.1 and OpenSSL 1.0.0 or later, but may silently use something worse if either the client or server environment is built in a way that doesn't meet those requirements, and have no way to detect the problem. If you want the connection to fail instead of falling back in that case (which you probably do), it looks like you'll need a newer pyOpenSSL.</p>

<hr>

<p>Here's my first test on a mostly-clean OS X 10.8.5 machine with Homebrew and <code>pip</code> installed:</p>

<pre><code>$ brew install --universal openssl
$ sudo LDFLAGS=-L/usr/local/opt/openssl/lib CPPFLAGS=-I/usr/local/opt/openssl/include pip-2.6 install pyOpenSSL
$ python2.6
&gt;&gt;&gt; import socket, OpenSSL
&gt;&gt;&gt; OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION)
'OpenSSL 1.0.1e 11 Feb 2013'
&gt;&gt;&gt; ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
&gt;&gt;&gt; sock = socket.socket()
&gt;&gt;&gt; ssock = OpenSSL.SSL.Connection(ctx, sock)
&gt;&gt;&gt; ssock.connect_ex(('www.ssllabs.com', 443))
0
&gt;&gt;&gt; ssock.send('GET /ssltest/viewMyClient.html HTTP/1.1\r\nHost: www.ssllabs.com\r\n\r\n')
66
&gt;&gt;&gt; ssock.recv(16384)
-- snipped headers for chunked reply
&gt;&gt;&gt; ssock.recv(16384)
'2000\r\n'
&gt;&gt;&gt; d = ssock.recv(16384)
&gt;&gt;&gt; d.find('TLS 1.1')
2324
&gt;&gt;&gt; d.find('TLS 1.0')
2432
&gt;&gt;&gt; d[2324:2432]
'TLS 1.1&lt;/td&gt;\r\n\t\t&lt;td class="tableRight"&gt;Yes&lt;/td&gt;\t\t\t\r\n\t&lt;/tr&gt;\r\n\t&lt;tr class="tableRow"&gt;\r\n\t\t&lt;td class="tableLeft"&gt;'
</code></pre>

<p>This proves (assuming ssltest.org is correct) that we not only claim TLS 1.1 support, but also made a 1.2 or 1.1 connection.</p>
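<p>An added example, not part of the answer above, of the "fail instead of fall back" approach it describes: build a <code>Context</code> on <code>SSLv23_METHOD</code> with <code>OP_NO_SSLv2</code>, <code>OP_NO_SSLv3</code> and <code>OP_NO_TLSv1</code>, then check the version that was actually negotiated instead of trusting the flags. It assumes a current pyOpenSSL that provides <code>Connection.get_protocol_version_name()</code> and <code>set_tlsext_host_name()</code> (neither is in 0.13.1); the <code>MIN_TLS</code> threshold and function names are my own.</p>

```python
"""Require TLS 1.1+ with pyOpenSSL and fail closed if the peer negotiates less."""
import re
import socket

try:
    from OpenSSL import SSL  # pyOpenSSL; needed only for the network path
except ImportError:  # policy helpers below stay usable without it
    SSL = None

MIN_TLS = (1, 1)  # assumed threshold: matches OP_NO_SSLv2|OP_NO_SSLv3|OP_NO_TLSv1


def parse_tls_version(name):
    """Map SSL_get_version() names ('TLSv1', 'TLSv1.2') to (major, minor).
    SSLv2/SSLv3 or anything unrecognised yields None."""
    m = re.match(r"^TLSv1(?:\.(\d+))?$", name)
    if not m:
        return None
    return (1, int(m.group(1) or 0))


def version_is_acceptable(name, minimum=MIN_TLS):
    """True only for a TLS version at or above the configured minimum."""
    v = parse_tls_version(name)
    return v is not None and v >= minimum


def build_strict_context():
    """SSLv23_METHOD negotiates the best common version; the OP_NO_* flags
    remove SSLv2, SSLv3 and TLS 1.0 so only TLS 1.1+ can succeed."""
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1)
    return ctx


def connect_strict(host, port=443, timeout=10):
    """Handshake, then verify the negotiated version instead of trusting the
    flags alone (a mismatched build may silently ignore them)."""
    sock = socket.create_connection((host, port), timeout)
    conn = SSL.Connection(build_strict_context(), sock)
    conn.set_connect_state()
    conn.set_tlsext_host_name(host.encode("ascii"))  # SNI for virtual hosts
    conn.do_handshake()
    negotiated = conn.get_protocol_version_name()
    if not version_is_acceptable(negotiated):
        conn.close()
        raise RuntimeError("refusing weak protocol: %s" % negotiated)
    return conn, negotiated
```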