On Sun, 18 Jan 2009 00:45:43 +0100, Christian Scharkus <mai...@go...> wrote:
>Hi folks :)
>
>I use Arch Linux i686 with pyopenssl-0.8 and openssl-0.9.8j and have got
>some problems with connecting to kekz.net:23002.
>
>http://codepad.org/2aad1eAI
>
>$ python
>Python 2.6.1 (r261:67515, Dec 7 2008, 08:27:41)
>[GCC 4.3.2] on linux2
>Type "help", "copyright", "credits" or "license" for more information.
>>>> import socket
>>>> from OpenSSL.SSL import SSLv3_METHOD, Connection, Context
>>>> s = socket.socket()
>>>> conn = Connection(Context(SSLv3_METHOD), s)
>>>> conn.connect(('kekz.net',23002))
>>>> conn.do_handshake()
>Traceback (most recent call last):
>
> File "<stdin>", line 1, in <module>
>OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]

This seems to be due to the change in OpenSSL 0.9.8j to sending a TLS
extension section by default. A correct SSL server will ignore this
section, but it seems there are a few SSL libraries which freak out
when they encounter this.

The next version of pyOpenSSL will include a way to work around this
by exposing a constant to explicitly disable sending this TLS extension
section.

This is done with a Context option, so if your example code above were
changed to set up the connection like this:

    from OpenSSL.SSL import OP_NO_TICKET
    ctx = Context(SSLv3_METHOD)
    ctx.set_options(OP_NO_TICKET)
    conn = Connection(ctx, s)

Then it would work (I've tested this against trunk@HEAD of pyOpenSSL and
OpenSSL 0.9.8j and it fixed the connection problem for me).

You can probably also just use the value of OP_NO_TICKET with older versions
of pyOpenSSL. It will have the same effect on OpenSSL 0.9.8j and no effect
at all on older versions.

Jean-Paul
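
To check from a packet capture whether a client is actually sending the extension section described in the reply above, the following added example (Python 3, not part of the original message or of pyOpenSSL) parses a ClientHello record and lists the extension types that trail the compression methods. The function names and the sample bytes are constructed for illustration, and the session ticket extension type 35 is taken from RFC 5077, not from this thread.

```python
import struct

SESSION_TICKET = 35  # extension type per RFC 5077 (assumption, not from the thread)

def build_client_hello(extensions=b""):
    """Build a constructed SSLv3 ClientHello record (sample input only)."""
    body = b"\x03\x00" + bytes(32)               # client_version 3.0, zeroed random
    body += b"\x00"                              # empty session id
    body += struct.pack("!H", 2) + b"\x00\x35"   # one cipher suite
    body += b"\x01\x00"                          # null compression only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs

def client_hello_extensions(record):
    """Return the extension types in a ClientHello record, [] if it has none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:]
    if struct.unpack("!H", record[3:5])[0] != hs_len + 4 or len(body) != hs_len:
        raise ValueError("truncated or fragmented ClientHello")
    try:
        pos = 2 + 32                                          # version, random
        pos += 1 + body[pos]                                  # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                                  # compression methods
        if pos == len(body):
            return []                  # plain hello: nothing after compression
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        if ext_end != len(body):
            raise ValueError("extension block length mismatch")
        pos += 2
        types = []
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            types.append(ext_type)
            pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("ClientHello fields run past the end of the message")
    if pos != ext_end:
        raise ValueError("malformed extension entry")
    return types

# Constructed samples: a hello carrying an empty session ticket extension,
# and one with no extension block, as the reply says OP_NO_TICKET produces.
with_ticket = build_client_hello(struct.pack("!HH", SESSION_TICKET, 0))
without_ticket = build_client_hello()
```

A non-empty result for a client that is supposed to have OP_NO_TICKET set means the option did not take effect on that connection.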