Chapter 6 ■ TLS/SSL
settings of a server that uses Python 3.4’s create_default_context() are stricter than the settings of a client that uses
it. In one terminal window, start up the script from Listing 6-3 as a server. I will again presume that you have available
the certificate files ca.crt and localhost.pem from the chapter06 directory of the book’s source code repository.
$ /usr/bin/python3.4 safe_tls.py -s localhost.pem '' 1060
This server is happy to accept connections using recent protocol versions and ciphers; in fact, it will negotiate a
strong configuration with Perfect Forward Secrecy enabled if it has the opportunity. Watch what happens if you
simply take Python’s defaults and connect using Listing 6-4, shown here:
$ /usr/bin/python3.4 test_tls.py -a ca.crt localhost 1060
Address we want to talk to.......... ('localhost', 1060)
Peer certificate.................... provided
Name(s) on peer certificate......... localhost
Whether name(s) match the hostname.. Yes
Certificates loaded of type crl..... 0
Certificates loaded of type x509.... 1
Certificates loaded of type x509_ca. 0
Protocol version negotiated......... TLSv1.2
Cipher chosen for this connection... ECDHE-RSA-AES128-GCM-SHA256
Cipher defined in TLS version....... TLSv1/SSLv3
Cipher key has this many bits....... 128
Compression algorithm in use........ none
The combination ECDHE-RSA-AES128-GCM-SHA256 is one of the best that OpenSSL currently offers! But the
safe_tls.py server will refuse to talk to a client that supports only Windows XP levels of encryption. Start the
safe_tls.py server up again for another run, and this time connect with the following options:
$ /usr/bin/python3.4 test_tls.py -p SSLv3 -a ca.crt localhost 1060
Address we want to talk to.......... ('localhost', 1060)
Traceback (most recent call last):
...
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:598)
The old SSLv3 protocol is flatly refused by the careful server settings that Python has provided. Old
end-of-lifetime ciphers like RC4 will also result in failure, even if used in combination with modern protocols.
$ /usr/bin/python3.4 test_tls.py -C 'RC4' -a ca.crt localhost 1060
Address we want to talk to.......... ('localhost', 1060)
Traceback (most recent call last):
...
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:598)
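The two handshake failures above can be predicted without opening a socket. The following is an added example, not one of the book's listings: it inspects the context returned by create_default_context() and computes which cipher suites a restricted client would share with it. The function names, the WEAK_MARKERS list, and the choice of ssl.Purpose.CLIENT_AUTH for the server side are assumptions of this sketch, and it needs Python 3.7 or later.

```python
import ssl

# Substrings of OpenSSL suite names that mark retired algorithms.
WEAK_MARKERS = ("RC4", "DES-CBC", "NULL", "MD5", "EXP")

def legacy_suites(ctx):
    """TLS 1.2-and-earlier suites the context will negotiate.

    TLS 1.3 suites are skipped because set_ciphers() does not control them.
    """
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}

def client_offer(spec):
    """Suites a client limited to OpenSSL cipher string `spec` could offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # this OpenSSL build has no matching cipher at all
        return set()
    return legacy_suites(ctx)

def sslv3_allowed(ctx):
    """True only if neither the option flag nor the version floor blocks SSLv3."""
    if ctx.options & ssl.OP_NO_SSLv3:
        return False
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3

def audit_server(ctx, client_spec):
    """Report what a server context accepts and what it shares with a client."""
    accepted = legacy_suites(ctx)
    return {
        "sslv3_allowed": sslv3_allowed(ctx),
        "weak_accepted": sorted(
            n for n in accepted if any(m in n for m in WEAK_MARKERS)),
        "shared_with_client": sorted(accepted & client_offer(client_spec)),
    }

def make_server_context():
    """Default server-side context (assumed purpose: CLIENT_AUTH)."""
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

if __name__ == "__main__":
    server = make_server_context()
    for spec in ("RC4", "ECDHE+AESGCM"):  # constructed sample client settings
        print(spec, audit_server(server, spec))
```

An empty shared_with_client list is the condition that surfaces on the wire as the handshake failure alert shown above; on a TLS 1.3-capable stack the TLS 1.3 suites are negotiated separately and must be audited separately.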