在 python ssl 中,可以配置 TLS 客户端的密码套件和版本。密码套件使用 context.set_ciphers(ciphers)
设置,版本使用 context.options
。
为了从设置中确保,可以使用 context.get_ciphers()
在客户端中获取密码(甚至在握手之前,这是为了设置客户端)。
我的问题:如何获得客户端支持的协议(protocol)。请注意,我没有使用默认版本。我通过使用 context.options
排除某些版本来更改它们。例如,此语句从我的客户端中排除了 TLS 1.1:
context.options |= ssl.OP_NO_TLSv1_1
我想确保以与使用 context.get_ciphers()
在密码中相同的方式形成我的客户端 TLS 版本。有什么办法可以做到吗?
最佳答案
您所追求的功能在 Python 3.6(及更新版本)中可用(至少部分可用)。检查[Python 3]: ssl - TLS/SSL wrapper for socket objects了解更多详情:
>>> import sys >>> import ssl >>> "Python {:s} on {:s}".format(sys.version, sys.platform) 'Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)] on win32' >>> ctx0 = ssl.create_default_context() >>> ctx0.options <Options.OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -2091252737>
对于旧版本,需要一些代码(也适用于新版本)。
代码.py:
#!/usr/bin/python3
import sys
import ssl
from pprint import pprint as pp
__PROTO_TAG = "PROTOCOL_"
__OP_NO_TAG = "OP_NO_"
__OP_NO_TAG_LEN = len(__OP_NO_TAG)
_PROTOS_DATA = list()
for item_name in dir(ssl):
if item_name.startswith(__OP_NO_TAG) and item_name[-1].isdigit(): # item_name[-1].isdigit() condition is required because protocol denial (OP_NO_*) constants end in digit(s) (version); therefore constants like OP_NO_TICKET are excluded
op_no_item = getattr(ssl, item_name)
if op_no_item:
proto_name = item_name[__OP_NO_TAG_LEN:]
_PROTOS_DATA.append((proto_name, getattr(ssl, __PROTO_TAG + proto_name, -1), op_no_item))
del __OP_NO_TAG_LEN
del __OP_NO_TAG
del __PROTO_TAG
def get_protocols(ctx):
supported_classes = (ssl.SSLContext,)
if not isinstance(ctx, supported_classes):
raise TypeError("Argument must be an instance of `{:}`".format(supported_classes[0] if len(supported_classes) == 1 else supported_classes))
protocols = list()
for proto_data in _PROTOS_DATA:
if ctx.options & proto_data[-1] != proto_data[-1]:
protocols.append(proto_data[:-1])
return protocols
def print_data(ctx):
print("Options: {:08X} ({!r})".format(ctx.options, ctx.options))
print("Protocols:")
for proto in get_protocols(ctx):
print(" {:s} - {:d}".format(*proto))
print()
def main():
print("{:s}\n".format(ssl.OPENSSL_VERSION))
ctx0 = ssl.create_default_context()
print_data(ctx0)
print("--- Removing TLSv1_1...")
ctx0.options |= ssl.OP_NO_TLSv1_1
print_data(ctx0)
print("--- Adding SSLv3...")
ctx0.options -= ssl.OP_NO_SSLv3 # !!! N.B.: Due to the fact that ssl.OP_NO_* flags only have one bit set, this works, but DON'T DO IT !!!
print_data(ctx0)
print("\nComputed protocols:")
pp([item[:-1] + (hex(item[-1]),) for item in _PROTOS_DATA])
if __name__ == "__main__":
print("Python {:s} on {:s}\n".format(sys.version, sys.platform))
main()
注意事项:
- 由于我在该领域广泛工作,我在各种操作系统上有很多 Python 版本,这些版本是针对各种 OpenSSL 版本构建的(如以下输出所示)
- 尽量让一切都通用
- 仅基于 (ssl) 模块属性编写代码;由于每个 Python 版本都是使用特定的 OpenSSL 版本构建的,使用自定义组合时可能会出现意外情况(我可以对 OP_NO_* 常量 - 在 OpenSSL 版本中保持一致,但不可扩展)
- 有 ssl 模块实现(特定于 Python 版本,它依赖于特定的 OpenSSL 版本 - 如上所述),以及实际用于构建 ssl 模块的 OpenSSL 版本(可能没有一些东西)。这就是为什么在各种组合上运行相同的代码会产生(略微)不同的结果(检查下面的输出)
- 在 Win 上事情更简单,因为(默认情况下)OpenSSL 在 _ssl.pyd 中静态链接(从 Python 3.7 开始,这不再适用,OpenSSL .dll 也作为 Python 的一部分提供),但在 Nix 上,加载了 OpenSSL 库(安装在系统上)在运行时
代码演练:
_PROTOS_DATA - 在模块导入时计算:它是一个协议(protocol)条目列表,基于 ssl 模块属性。每个条目有 3 个字段:
- 协议(protocol)名称
- ssl 模块中的协议(protocol)标识符(-1 如果不存在:例如 SSLv2)
- 用于禁用此协议(protocol)的OP_NO_常量
为清楚起见,它在每次运行结束时显示
- get_protocols - 确定
ssl.SSLContext
的“事件”支持协议(protocol)
- print_data - 辅助函数
输出:
Win 10 x64
e:\Work\Dev\StackOverflow\q049788677>"C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python36_64\python.exe" code.py Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)] on win32 OpenSSL 1.0.2k 26 Jan 2017 Options: -7CA5FC01 (<Options.OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -2091252737>) Protocols: TLSv1 - 3 TLSv1_1 - 4 TLSv1_2 - 5 --- Removing TLSv1_1... Options: -6CA5FC01 (<Options.OP_NO_TLSv1_1|OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -1822817281>) Protocols: TLSv1 - 3 TLSv1_2 - 5 --- Adding SSLv3... Options: -6EA5FC01 (<Options.OP_NO_TLSv1_1|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -1856371713>) Protocols: SSLv3 - 1 TLSv1 - 3 TLSv1_2 - 5 Computed protocols: [('SSLv2', -1, '0x1000000'), ('SSLv3', <_SSLMethod.PROTOCOL_SSLv3: 1>, '0x2000000'), ('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'), ('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'), ('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')] e:\Work\Dev\StackOverflow\q049788677>"e:\Work\Dev\VEnvs\py34x64_test\Scripts\python.exe" code.py Python 3.4.4 (v3.4.4:737efcadf5a6, Dec 20 2015, 20:20:57) [MSC v.1600 64 bit (AMD64)] on win32 OpenSSL 1.0.2d 9 Jul 2015 Options: -7CFDFC01 (-2097019905) Protocols: TLSv1 - 3 TLSv1_1 - 4 TLSv1_2 - 5 --- Removing TLSv1_1... Options: -6CFDFC01 (-1828584449) Protocols: TLSv1 - 3 TLSv1_2 - 5 --- Adding SSLv3... Options: -6EFDFC01 (-1862138881) Protocols: SSLv3 - 1 TLSv1 - 3 TLSv1_2 - 5 Computed protocols: [('SSLv2', 0, '0x1000000'), ('SSLv3', 1, '0x2000000'), ('TLSv1', 3, '0x4000000'), ('TLSv1_1', 4, '0x10000000'), ('TLSv1_2', 5, '0x8000000')] e:\Work\Dev\StackOverflow\q049788677>"c:\Install\x64\Python\Python\3.7\python.exe" code.py Python 3.7.0b4 (v3.7.0b4:eb96c37699, May 2 2018, 19:02:22) [MSC v.1913 64 bit (AMD64)] on win32 OpenSSL 1.1.0h 27 Mar 2018 Options: -7DBDFFAC (<Options.OP_NO_SSLv3|OP_CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION|OP_ALL: -2109603756>) Protocols: TLSv1 - 3 TLSv1_1 - 4 TLSv1_2 - 5 --- Removing TLSv1_1... Options: -6DBDFFAC (<Options.OP_NO_TLSv1_1|OP_NO_SSLv3|OP_CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION|OP_ALL: -1841168300>) Protocols: TLSv1 - 3 TLSv1_2 - 5 --- Adding SSLv3... Options: -6FBDFFAC (<Options.OP_NO_TLSv1_1|OP_CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION|OP_ALL: -1874722732>) Protocols: SSLv3 - -1 TLSv1 - 3 TLSv1_2 - 5 Computed protocols: [('SSLv3', -1, '0x2000000'), ('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'), ('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'), ('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')]
OSX 9 x64:
cfati@cfati-macosx9x64-1:~/Work/Dev/StackOverflow/q049788677]> python code.py Python 2.7.10 (default, Oct 14 2015, 05:51:29) [GCC 4.8.2] on darwin OpenSSL 1.0.1p-fips 9 Jul 2015 Options: 830203FF (2197947391L) Protocols: TLSv1 - 3 TLSv1_1 - 4 TLSv1_2 - 5 () --- Removing TLSv1_1... Options: 930203FF (2466382847L) Protocols: TLSv1 - 3 TLSv1_2 - 5 () --- Adding SSLv3... Options: 910203FF (2432828415L) Protocols: SSLv3 - 1 TLSv1 - 3 TLSv1_2 - 5 () Computed protocols: [('SSLv2', 0, '0x1000000'), ('SSLv3', 1, '0x2000000'), ('TLSv1', 3, '0x4000000'), ('TLSv1_1', 4, '0x10000000'), ('TLSv1_2', 5, '0x8000000')]
Ubtu 16 x64:
[cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049788677]> python3 code.py Python 3.5.2 (default, Nov 23 2017, 16:37:01) [GCC 5.4.0 20160609] on linux OpenSSL 1.0.2g 1 Mar 2016 Options: 830203FF (2197947391) Protocols: TLSv1 - 3 TLSv1_1 - 4 TLSv1_2 - 5 --- Removing TLSv1_1... Options: 930203FF (2466382847) Protocols: TLSv1 - 3 TLSv1_2 - 5 --- Adding SSLv3... Options: 930203FF (2466382847) Protocols: TLSv1 - 3 TLSv1_2 - 5 Computed protocols: [('SSLv2', -1, '0x1000000'), ('SSLv3', -1, '0x2000000'), ('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'), ('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'), ('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')] [cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049788677]> [cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049788677]> LD_LIBRARY_PATH=../q049493537/Python-3.6.4:../q049320993/ssl/build/lib ../q049493537/Python-3.6.4/python code.py Python 3.6.4 (default, Mar 28 2018, 23:34:25) [GCC 5.4.0 20160609] on linux OpenSSL 1.0.2h-fips 3 May 2016 Options: 835A03FF (<Options.OP_ALL|OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION: 2203714559>) Protocols: TLSv1 - 3 TLSv1_1 - 4 TLSv1_2 - 5 --- Removing TLSv1_1... Options: 935A03FF (<Options.OP_ALL|OP_NO_TLSv1_1|OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION: 2472150015>) Protocols: TLSv1 - 3 TLSv1_2 - 5 --- Adding SSLv3... Options: 915A03FF (<Options.OP_ALL|OP_NO_TLSv1_1|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION: 2438595583>) Protocols: SSLv3 - -1 TLSv1 - 3 TLSv1_2 - 5 Computed protocols: [('SSLv2', -1, '0x1000000'), ('SSLv3', -1, '0x2000000'), ('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'), ('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'), ('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')]
关于python - 如何在 python ssl 中获取 TLS 客户端支持的 TLS 版本,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49788677/