Python uses TLSv1 or TLSv1.1 with the requests library despite upgrading to Python 2.7

Time: 2017-06-07 05:18:44

Tags: python python-requests tls1.2 pyopenssl

I want to make sure that when posting to an HTTP server with the requests library, it refuses to communicate using TLSv1 or TLSv1.1. To test this, I configured my https server to force the SSL protocol to TLSv1 or TLSv1.1. I expect these versions to be rejected.

My python program runs on a CentOS machine:

cat /etc/centos-release
CentOS release 6.7 (Final)

The default Python version is 2.6.6:

which python
/usr/bin/python
Python 2.6.6 (r266:84292, Aug 18 2016, 15:13:37) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-17)] on linux2

I installed python 2.7:

which python2.7
/usr/local/bin/python2.7
Python 2.7.6 (default, Jun  2 2017, 11:37:31) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-16)] on linux2
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.1e-fips 11 Feb 2013'

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Using pip2.7, I installed the libraries needed to get requests running. I did not change anything about openssl.

I sent two test alerts, and it seems my program negotiated TLSv1. My impression was that TLSv1 is deprecated. The program is executed with python 2.7, not the system default python 2.6.

At the top of my python program I embedded:     #!/usr/local/bin/python2.7

Here are the 2 post alerts, showing TLSv1.1 and TLSv1:

"POST /testpost HTTP/1.1" 200 43 TLSv1.1/ECDHE-RSA-AES256-SHA "-" "python-requests/2.5.1 CPython/2.6.6 Linux/2.6.32-573.22.1.el6.x86_64" 0.006 <"{for: test purposes}"

"POST /testpost HTTP/1.1" 200 43 TLSv1/ECDHE-RSA-AES256-SHA "-" "python-requests/2.5.1 CPython/2.6.6 Linux/2.6.32-573.22.1.el6.x86_64" 0.006 <"{for: test purposes}"

Any ideas?
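
The two logged lines above carry the negotiated protocol, the cipher and the client's User-Agent, which names the interpreter that sent the request. The following audit script, added here as an example and not part of the original post, parses such lines and flags every request negotiated below a chosen floor (TLSv1.2 by default); the log format and the third TLSv1.2 line are constructed from the question's examples.

```python
import re
from collections import namedtuple

# Access-log layout seen in the question: request, status, size,
# protocol/cipher, referer, user-agent, then trailing fields we ignore.
LOG_RE = re.compile(
    r'^"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+) '
    r'(?P<proto>TLSv1(?:\.\d)?|SSLv[23])/(?P<cipher>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# python-requests reports the interpreter it runs under in its User-Agent.
RUNTIME_RE = re.compile(r'\b(CPython|PyPy|Jython)/(\d+(?:\.\d+)+)')

# Rank protocol names so "older than the floor" is a plain comparison.
PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
              "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

Finding = namedtuple("Finding", "line_no proto cipher runtime below_floor")


def audit_tls_log(lines, floor="TLSv1.2"):
    """Return one Finding per parsable TLS log line.

    below_floor is True when the negotiated protocol is older than `floor`;
    lines that do not match the expected layout are skipped.
    """
    floor_rank = PROTO_RANK[floor]
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        rt = RUNTIME_RE.search(m.group("ua"))
        runtime = "%s/%s" % (rt.group(1), rt.group(2)) if rt else None
        proto = m.group("proto")
        findings.append(Finding(n, proto, m.group("cipher"), runtime,
                                PROTO_RANK.get(proto, -1) < floor_rank))
    return findings


# Constructed sample: the two lines from the question plus one TLSv1.2 request.
SAMPLE_LOG = [
    '"POST /testpost HTTP/1.1" 200 43 TLSv1.1/ECDHE-RSA-AES256-SHA "-" "python-requests/2.5.1 CPython/2.6.6 Linux/2.6.32-573.22.1.el6.x86_64" 0.006 <"{for: test purposes}"',
    '"POST /testpost HTTP/1.1" 200 43 TLSv1/ECDHE-RSA-AES256-SHA "-" "python-requests/2.5.1 CPython/2.6.6 Linux/2.6.32-573.22.1.el6.x86_64" 0.006 <"{for: test purposes}"',
    '"POST /testpost HTTP/1.1" 200 43 TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "-" "python-requests/2.18.1 CPython/2.7.6 Linux/2.6.32-573.22.1.el6.x86_64" 0.004 <"{for: test purposes}"',
]

if __name__ == "__main__":
    for f in audit_tls_log(SAMPLE_LOG):
        flag = "WEAK" if f.below_floor else "ok  "
        print("%s line %d: %s %s sent by %s" % (flag, f.line_no, f.proto, f.cipher, f.runtime))
```

Comparing the flagged lines' runtime field with the interpreter you believe is running the script is a quick way to confirm that the hardened configuration is actually the one in use.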

1 answer:

Answer 0 (score: 5)

The documentation of the ssl module has a table showing which protocol settings work together. In general, if both client and server connect using PROTOCOL_TLS (the same as PROTOCOL_SSLv23), the highest shared protocol version is used. If there is no compatible version (e.g. the server only speaks 1.1 and the client only 1.0), you get an error.

The requests documentation shows how to force the client to use a specific tls version, e.g. forcing TLS 1.2 (slightly modified example):

import ssl

from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager

class Tls12Adapter(HTTPAdapter):
    """Transport adapter that forces TLSv1.2"""

    def init_poolmanager(self, *pool_args, **pool_kwargs):
        self.poolmanager = PoolManager(
            *pool_args,
            ssl_version=ssl.PROTOCOL_TLSv1_2,
            **pool_kwargs)

urllib3's SSLContext (which requests uses for its connections) allows passing in options, which makes a more flexible configuration possible, for example blocking specific versions while allowing any newer ones:

import ssl
import requests

from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager
from requests.packages.urllib3.util import ssl_


class TlsAdapter(HTTPAdapter):
    """Transport adapter that applies extra SSL options to urllib3's context"""

    def __init__(self, ssl_options=0, **kwargs):
        self.ssl_options = ssl_options
        super(TlsAdapter, self).__init__(**kwargs)

    def init_poolmanager(self, *pool_args, **pool_kwargs):
        # ssl.PROTOCOL_TLS exists from Python 2.7.13 / 3.6; on older
        # interpreters use the equivalent ssl.PROTOCOL_SSLv23
        ctx = ssl_.create_urllib3_context(ssl.PROTOCOL_TLS)
        # extend the default context options, which is to disable ssl2, ssl3
        # and ssl compression, see:
        # https://github.com/shazow/urllib3/blob/6a6cfe9/urllib3/util/ssl_.py#L241
        ctx.options |= self.ssl_options
        self.poolmanager = PoolManager(*pool_args, ssl_context=ctx, **pool_kwargs)


session = requests.session()
# disallow tls1.0 and tls1.1, allow only tls1.2 (and newer if supported by
# the used openssl version)
adapter = TlsAdapter(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
session.mount("https://", adapter)