[Twisted-Python] Block TLS 1.0 and TLS 1.1 support on windows

John Aherne johnaherne at rocs.co.uk
Tue Sep 1 03:08:23 MDT 2020


Yes. I could see _parseSSL wasn't checking for all the options. So I
decided to drop the endpoints for now.

Thanks

John


On Tue, Sep 1, 2020 at 5:48 AM Glyph <glyph at twistedmatrix.com> wrote:

> Super glad you got this working!
>
> However, what L. Daniel Burr suggested is correct - whether there's an
> existing ticket or not, the string endpoint should support all of these
> features.
>
> (However, using pem is fine, too.)
>
> -g
>
> On Aug 31, 2020, at 1:16 PM, John Aherne <johnaherne at rocs.co.uk> wrote:
>
> Thanks for looking all this up.
>
> I'd already decided to drop the endpoint server from string.
>
> So I'm using Hynek Schlawack's PEM package to build the certificate options.
>
> That seems to be working. Anyway I'm getting an A from Qualys at the
> moment having reset the _defaultMinimumTLSVersion back to its default of
> tlsv1_0 and passing the raiseMinimumTo as TLSVersion.TLS1_2
>
> Thanks for the pointers.
>
> John
>
>
>
> On Mon, Aug 31, 2020 at 7:26 PM L. Daniel Burr <ldanielburr at me.com> wrote:
>
>> Hi John,
>>
>> I don't think you can accomplish it via a change to the description
>> string, because serverFromString relies on the existing _parseSSL function,
>> which only passes the deprecated sslmethod argument to CertificateOptions.
>>
>> I haven't tried this myself, but I think the solution is to provide your
>> own plugin, implementing IPlugin and IStreamServerEndpointStringParser,
>> e.g. "MyTLSParser" and use your own description string, e.g.,
>> "tls:443:raiseMinimumTo=...".
>>
>> Or maybe there's a ticket somewhere about updating the existing ssl
>> description and parser to handle the new CertificateOptions arguments.
>> That might be the right thing to implement.
>>
>> Hope this helps,
>>
>> L. Daniel Burr
>>
>> On Aug 31, 2020, at 12:02 PM, John Aherne <johnaherne at rocs.co.uk> wrote:
>>
>> Thanks. That was quick.
>>
>> Just wondering how I can add that to my endpoint_description create
>> serverfromstring.
>>
>> Or will I have to drop that.
>>
>> Let me take a look.
>>
>> Cheers
>>
>> John
>>
>> On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr <ldanielburr at me.com>
>> wrote:
>>
>>> Hi John,
>>>
>>> I think you want
>>> https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html,
>>> specifically, you want to pass the "raiseMinimumTo" parameter,
>>>
>>> Hope this helps,
>>>
>>> L. Daniel Burr
>>>
>>> On Aug 31, 2020, at 10:47 AM, John Aherne <johnaherne at rocs.co.uk> wrote:
>>>
>>>  I'm using twisted 20.3 and python3.6.8 and Windows 10
>>>
>>> I'm using endpoint_description with a tac file to start up a server.
>>>
>>> But I need to disable tls 1.0 and 1.1.
>>>
>>> I was hoping to find a parameter I could pass in to make the system only
>>> recognise 1.2 and 1.3. But could not find anything that would do that. I
>>> thought sslmethod would be what I wanted but that is limited to :
>>>
>>> Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD",
>>> "TLSv1_METHOD". If I choose TLSv1_METHOD, TLS 1.0 and 1.1 are still enabled
>>> and Qualys complains and downgrades the rating to B.
>>>
>>> In the end I found _defaultMinimumTLSVersion in _sslverify.py.
>>>
>>> I set this to TLSVersion.TLSv1_2 and that seemed to do the trick.
>>>
>>> But I don't think I should be doing that. I think I've missed some
>>> obvious place where I can pass in a value to change this.
>>>
>>> Anyone know where I should be looking?
>>>
>>> Thanks for any info
>>>
>>> --
>>> *John Aherne*
>>>
>>>
>>>
>>>
>>> *www.rocs.co.uk <http://www.rocs.co.uk/>*
>>> 020 7223 7567
>>> _______________________________________________
>>> Twisted-Python mailing list
>>> Twisted-Python at twistedmatrix.com
>>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>>>
>>
>>
>>
>
>
>

