[Twisted-Python] Block TLS 1.0 and TLS 1.1 support on Windows

Glyph glyph at twistedmatrix.com
Mon Aug 31 22:47:41 MDT 2020


Super glad you got this working!

However, what L. Daniel Burr suggested is correct - whether there's an existing ticket or not, the string endpoint should support all of these features.

(However, using pem is fine, too.)

-g

> On Aug 31, 2020, at 1:16 PM, John Aherne <johnaherne at rocs.co.uk> wrote:
> 
> Thanks for looking all this up.
> 
> I'd already decided to drop the endpoint server from string.
> 
> So I'm using Hynek Schlawack's pem package to build the certificate options.
> 
> That seems to be working. Anyway, I'm getting an A from Qualys at the moment, having reset _defaultMinimumTLSVersion back to its default of TLSv1_0 and passing raiseMinimumTo as TLSVersion.TLSv1_2.
> 
> Thanks for the pointers.
> 
> John
> 
> 
> 
> On Mon, Aug 31, 2020 at 7:26 PM L. Daniel Burr <ldanielburr at me.com> wrote:
> Hi John,
> 
> I don't think you can accomplish it via a change to the description string, because serverFromString relies on the existing _parseSSL function, which is only passing the deprecated ssl method argument to CertificateOptions.
> 
> I haven't tried this myself, but I think the solution is to provide your own plugin, implementing IPlugin and IStreamServerEndpointStringParser, e.g. "MyTLSParser" and use your own description string, e.g., "tls:443:raiseMinimumTo=...".
> 
> Or maybe there's a ticket somewhere about updating the existing ssl description and parser to handle the new CertificateOptions arguments.  That might be the right thing to implement.
> 
> Hope this helps,
> 
> L. Daniel Burr
> 
>> On Aug 31, 2020, at 12:02 PM, John Aherne <johnaherne at rocs.co.uk> wrote:
>> 
>> Thanks. That was quick.
>> 
>> Just wondering how I can add that to my endpoint_description create serverFromString.
>> 
>> Or will I have to drop that.
>> 
>> Let me take a look.
>> 
>> Cheers
>> 
>> John
>> 
>> On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr <ldanielburr at me.com> wrote:
>> Hi John,
>> 
>> I think you want https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html, specifically, you want to pass the "raiseMinimumTo" parameter,
>> 
>> Hope this helps,
>> 
>> L. Daniel Burr
>> 
>>> On Aug 31, 2020, at 10:47 AM, John Aherne <johnaherne at rocs.co.uk> wrote:
>>> 
>>> I'm using Twisted 20.3, Python 3.6.8 and Windows 10.
>>> 
>>> I'm using endpoint_description with a tac file to start up a server.
>>> 
>>> But I need to disable TLS 1.0 and 1.1.
>>> 
>>> I was hoping to find a parameter I could pass in to make the system only recognise 1.2 and 1.3. But could not find anything that would do that. I thought sslmethod would be what I wanted but that is limited to :
>>> 
>>> Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD", "TLSv1_METHOD".
>>> 
>>> If I choose TLSv1_METHOD, TLS 1.0 and 1.1 are still enabled and Qualys complains and downgrades the rating to B.
>>> 
>>> In the end I found _defaultMinimumTLSVersion in _sslverify.py.
>>> 
>>> I set this to TLSVersion.TLSv1_2 and that seemed to do the trick.
>>> 
>>> But I don't think I should be doing that. I think I've missed some obvious place where I can pass in a value to change this.
>>> 
>>> Anyone know where I should be looking?
>>> 
>>> Thanks for any info
>>> 
>>> -- 
>>> John Aherne
>>> 
>>> 
>>> 
>>> www.rocs.co.uk
>>> 020 7223 7567
>>> _______________________________________________
>>> Twisted-Python mailing list
>>> Twisted-Python at twistedmatrix.com
>>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
