
Can I use TLS version 1.1 or 1.2 in python 2?

I read a document that says that Python 2 only has ssl.PROTOCOL_TLSv1 constant, and that ssl.PROTOCOL_TLSv1_1 and ssl.PROTOCOL_TLSv1_2 were added in Python 3.4. So how can I use TLS 1.1 and 1.2 in Python 2?

PS. I don't want to use TLS 1.0 because it has some security flaws. TLS 1.2 is the newest version now, so I want to make my program use TLS 1.2 only; if the server doesn't support TLS 1.2 then just make the connection fail.

Tian asked Sep 04 '13 06:09


3 Answers

With my apologies for resurrecting an old question, it appears that support for TLS1.1 and TLS1.2 will be brought in for Python 2.7.9, scheduled for release around December 2014.

alkalinity answered Oct 18 '22 23:10


I recently had to terminate a TLSv1.2 connection with mutually authenticated SSL and this was no go on vanilla 2.7.8. I was about to begin painfully porting my network i/o intensive application to Python 3, changing every string to bytes and back for recv/send. It was going to suck.

Then I found PEP466. You can apply the patch from PEP466 (Google it) to 2.7.7 or 2.7.8 pretty easily to get TLS 1.1 and TLS 1.2 working.

The patch for PEP 466 is @ http://bugs.python.org/file36423/ssl-backport.diff

Also, you will need the following patch to fix a Unicode related bug that causes a segfault when constructing errors in the SSL code:

this patch is @ http://bugs.python.org/file36017/unicode_fromformat.patch

Also, once you apply the patch, you should technically do the following before configuring and compiling:

~/Python-2.7.8$ python3 ./Tools/ssl/make_ssl_data.py /usr/include/openssl/ _ssl_data.h
~/Python-2.7.8$ mv _ssl_data.h Modules/_ssl_data.h

You can then configure && make && make install and should be good to go w/TLSv1.1 and TLSv1.2.

~/Python-2.7.8$ ./configure --enable-unicode=ucs2 --prefix=/opt/Python-2.7.8/ --with-pth && make -j && sudo make install

TLS 1.2 is now working fine for me, so I don't have to port a gigantic app to Python 3.

Anyway, the wording on the PEP page is confusing; it makes it sound like 2.7.9 in December is supposed to have this support included (?), but I'm not sure if that is accurate or if this is just a manual workaround until you port your code to Python 3. I suppose it doesn't really matter.

adam answered Oct 18 '22 23:10
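
For an interpreter whose ssl module carries the PEP 466 backport discussed in the answers above (it shipped in Python 2.7.9; the same API is in Python 3.4+), this added example, which is not code from any of the posters, builds a client context that refuses anything below TLS 1.2 so the handshake fails against older servers. The function names are made up for illustration, and the context sets a floor rather than pinning one version, so a newer stack may negotiate a version above 1.2.

```python
# Added example, not from the original answers. Function names are hypothetical.
import socket
import ssl


def tls12_available():
    """True if this interpreter's ssl module exposes the post-TLS-1.0 API."""
    return all(hasattr(ssl, name) for name in
               ("SSLContext", "OP_NO_TLSv1", "OP_NO_TLSv1_1"))


def make_tls12_context(cafile=None):
    """Client context that refuses SSLv2, SSLv3, TLS 1.0 and TLS 1.1."""
    if not tls12_available():
        raise RuntimeError("ssl module has no TLS 1.2 support (linked against %s)"
                           % ssl.OPENSSL_VERSION)
    # PROTOCOL_SSLv23 means "negotiate"; the OP_NO_* flags set the floor.
    # ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) would pin exactly TLS 1.2 instead.
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
                    ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    # Set verify_mode before check_hostname: hostname checks need verification.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def connect_tls12(host, port=443, cafile=None, timeout=10):
    """Open a verified connection; raises ssl.SSLError if the peer is below TLS 1.2."""
    ctx = make_tls12_context(cafile)
    raw = socket.create_connection((host, port), timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()  # do not leak the TCP socket when the handshake is refused
        raise


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("TLS 1.2 capable:", tls12_available())
```

On the returned socket, `version()` reports the protocol that was actually negotiated. Newer Python 3 releases emit deprecation warnings for the `OP_NO_*` flags; they are used here because they are what the 2.7 backport provides.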


No, there is no support planned for TLS 1.1 or 1.2 in Python 2, see:

http://bugs.python.org/issue16692

It states clearly that TLS > 1.0 won't be backported to Python 2.7, and Python maintainers stated several times that Python 2.8 is not going to happen.

Please note that few servers support TLS 1.2 for now. Hopefully it will change in the future.

Remi Gacogne answered Oct 18 '22 23:10