From: Jean-Paul C. <ex...@di...> - 2009-01-18 03:07:16
On Sun, 18 Jan 2009 00:45:43 +0100, Christian Scharkus <mai...@go...> wrote:
>Hi folks :)
>
>I use Arch Linux i686 with pyopenssl-0.8 and openssl-0.9.8j and have got
>some problems with connecting to kekz.net:23002.
>
>http://codepad.org/2aad1eAI
>
>$ python
>Python 2.6.1 (r261:67515, Dec 7 2008, 08:27:41)
>[GCC 4.3.2] on linux2
>Type "help", "copyright", "credits" or "license" for more information.
>>>> import socket
>>>> from OpenSSL.SSL import SSLv3_METHOD, Connection, Context
>>>> s = socket.socket()
>>>> conn = Connection(Context(SSLv3_METHOD), s)
>>>> conn.connect(('kekz.net',23002))
>>>> conn.do_handshake()
>Traceback (most recent call last):
>
> File "<stdin>", line 1, in <module>
>OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]

This seems to be due to the change in OpenSSL 0.9.8j to sending a TLS
extension section by default. A correct SSL server will ignore this
section, but it seems there are a few SSL libraries which freak out
when they encounter this.

The next version of pyOpenSSL will include a way to work around this by
exposing a constant to explicitly disable sending this TLS extension
section. This is done with a Context option, so if your example code
above were changed to set up the connection like this:

    from OpenSSL.SSL import OP_NO_TICKET
    ctx = Context(SSLv3_METHOD)
    ctx.set_options(OP_NO_TICKET)
    conn = Connection(ctx, s)

Then it would work (I've tested this against trunk@HEAD of pyOpenSSL and
OpenSSL 0.9.8j and it fixed the connection problem for me).

You can probably also just use the value of OP_NO_TICKET with older
versions of pyOpenSSL. It will have the same effect on OpenSSL 0.9.8j
and no effect at all on older versions.

Jean-Paul
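
When diagnosing a handshake failure like the one in this thread, it helps to check whether a captured ClientHello carries an extension block at all. The following is an added example, not part of the original message and not pyOpenSSL code: it parses a ClientHello record and lists its extension types. The two sample hellos are constructed, and the choice of the SessionTicket extension (type 35, RFC 5077) as the extension in question is an assumption, since the message does not name it.

```python
import struct

SESSION_TICKET = 35  # SessionTicket extension type (RFC 5077); assumed, see lead-in


def build_client_hello(extensions=None):
    """Constructed sample: a minimal SSLv3 ClientHello record."""
    hello = b"\x03\x00" + bytes(32) + b"\x00"    # version, random, empty session_id
    hello += b"\x00\x02\x00\x35" + b"\x01\x00"   # one cipher suite, null compression
    if extensions is not None:
        block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(block)) + block
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def client_hello_extensions(record):
    """Return the extension types in a ClientHello record, or None when the
    hello has no extension block. Raises ValueError on malformed input."""
    try:
        ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        if len(hello) != len(body) - 4:
            raise ValueError("handshake length does not match record")
        pos = 2 + 32                                           # version + random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        if pos == len(hello):
            return None                                        # no extension block
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        if end != len(hello):
            raise ValueError("extension block length mismatch")
        pos, types = pos + 2, []
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            types.append(etype)
            pos += 4 + elen
        if pos != end:
            raise ValueError("extension overruns its block")
        return types
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None


if __name__ == "__main__":
    print(client_hello_extensions(build_client_hello()))                        # None
    print(client_hello_extensions(build_client_hello([(SESSION_TICKET, b"")])))  # [35]
```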