[Twisted-Python] Block TLS 1.0 and TLS 1.1 support on windows

John Aherne johnaherne at rocs.co.uk
Mon Aug 31 14:16:12 MDT 2020


Thanks for looking all this up.

I'd already decided to drop the endpoint server from string.

So I'm using Hynek Schlawack's pem package to build the certificate options.

That seems to be working. Anyway, I'm getting an A from Qualys at the moment,
having reset _defaultMinimumTLSVersion back to its default of TLSv1_0
and passing raiseMinimumTo as TLSVersion.TLSv1_2.

Thanks for the pointers.

John



On Mon, Aug 31, 2020 at 7:26 PM L. Daniel Burr <ldanielburr at me.com> wrote:

> Hi John,
>
> I don't think you can accomplish it via a change to the description
> string, because serverFromString relies on the existing _parseSSL function,
> which only passes the deprecated sslmethod argument to CertificateOptions.
>
> I haven't tried this myself, but I think the solution is to provide your
> own plugin, implementing IPlugin and IStreamServerEndpointStringParser,
> e.g. "MyTLSParser" and use your own description string, e.g.,
> "tls:443:raiseMinimumTo=...".
>
> Or maybe there's a ticket somewhere about updating the existing ssl
> description and parser to handle the new CertificateOptions arguments.
> That might be the right thing to implement.
>
> Hope this helps,
>
> L. Daniel Burr
>
> On Aug 31, 2020, at 12:02 PM, John Aherne <johnaherne at rocs.co.uk> wrote:
>
> Thanks. That was quick.
>
> Just wondering how I can add that to my endpoint_description for
> serverFromString.
>
> Or will I have to drop that?
>
> Let me take a look.
>
> Cheers
>
> John
>
> On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr <ldanielburr at me.com> wrote:
>
>> Hi John,
>>
>> I think you want
>> https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html,
>> specifically, you want to pass the "raiseMinimumTo" parameter,
>>
>> Hope this helps,
>>
>> L. Daniel Burr
>>
>> On Aug 31, 2020, at 10:47 AM, John Aherne <johnaherne at rocs.co.uk> wrote:
>>
>> I'm using Twisted 20.3 and Python 3.6.8 on Windows 10.
>>
>> I'm using endpoint_description with a .tac file to start up a server.
>>
>> But I need to disable TLS 1.0 and 1.1.
>>
>> I was hoping to find a parameter I could pass in to make the system only
>> recognise 1.2 and 1.3, but could not find anything that would do that. I
>> thought sslmethod would be what I wanted, but that is limited to:
>>
>> Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD",
>> "TLSv1_METHOD". If I choose TLSv1_METHOD, TLS 1.0 and 1.1 are still enabled,
>> and Qualys complains and downgrades the rating to B.
>>
>> In the end I found _defaultMinimumTLSVersion in _sslverify.py.
>>
>> I set this to TLSVersion.TLSv1_2 and that seemed to do the trick.
>>
>> But I don't think I should be doing that. I think I've missed some
>> obvious place where I can pass in a value to change this.
>>
>> Anyone know where I should be looking?
>>
>> Thanks for any info
>>
>> --
>> *John Aherne*
>>
>>
>>
>>
>> *www.rocs.co.uk <http://www.rocs.co.uk/>*
>> 020 7223 7567
>> _______________________________________________
>> Twisted-Python mailing list
>> Twisted-Python at twistedmatrix.com
>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python