SSLv3 connection with ssl librairie in Python

[madem]

Hello, I want to make a programm (Python 2.7) which detect the ssl/tls version which are available on a website. And I just want to use standard Python librairies.

Here is my code:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103

#encoding=utf-8       import ssl     import socket     import traceback     import logging     import sys     import json       class AnalyseSSL:       cipher_list="RC4-SHA".split(":")              list_version_ssl_tls = [     ("SSLv2", ssl.OP_ALL | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2),     ("SSLv3", ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2),     ("TLSv1", ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2),     ("TLSv1_1", ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_2),     ("TLSv1_2", ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1), ]           def __init__(self, hostname, port):     self.hostname = hostname     self.port = port     # try to connect to the hostname with all cipher suite for each SSL/TLS version def try_all_ssl_tls_version(self):     logging.warning("---------------------------------------- %s", port)     nb_tentative_max = 5     cpt_tentative_max = 0     resultat = {}       try:     print 'hostname : ', hostname     for version in self.list_version_ssl_tls:                                           # Pour chaque version de SSL/TLS         cpt_nb_tentative_max = 0         is_version_supported = False         if cpt_tentative_max >= 5:                 break;         for cipher_suite in self.cipher_list:                                                # Pour chaque cipher suite             print cipher_suite     context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)                   # création du context             context.check_hostname = False             context.verify_mode = ssl.CERT_NONE             context.options = version[1]                                                   # on spécifie la version de SSL/TLS qu'on veut utiliser     print context.options       try:                 context.set_ciphers(cipher_suite)                                       # on spécifie la cipher suite à utiliser             except Exception as e:                 print "Exception : ", e     pass                            traceback.print_exc(e)                 s_ = socket.socket(socket.AF_INET, socket.SOCK_STREAM)             s = context.wrap_socket(s_)             #s = context.wrap_socket(s_, server_hostname=hostname)             #print "timeout : ", s.gettimeout()             s.settimeout(5)             #print "timeout : ", s.gettimeout()                 try:                 s.connect((hostname, port))                                                 # on tente de se connecter                 if (is_version_supported == False):                     print version[0], "supporté"                     is_version_supported = True                 print s.cipher()                 #logging.info("---------------------------------------- %s %s", %(version[0], s.cipher()))                 s.close()               except socket.timeout:                 cpt_tentative_max += 1                 if cpt_tentative_max >= 5:                     break;             except Exception as e:                                                                         # si la connexion a échoué                 #print "[version ", version[0], " with ", cipher_suite, " :: ", e                 #print s.getpeercert()                 #traceback.print_exc(e)     print e                 pass         if is_version_supported == False:             print version[0], "non supporté"           print "\n"     except Exception as e:     print e     traceback.print_exec(e)     pass   hostname = 'PUT YOUR IP HERE' port = 443   A = AnalyseSSL(hostname, port) A.try_all_ssl_tls_version()

The problem is i cant etablish an sslv3 connection. I've got an ip (and i'm sure sslv3 is enable on this ip with cipher suite suite RC4-SHA, i tested it with openssl and testssl.sh).

My program work fine for the third tls version but it's impossible to use sslv3 or sslv2. Here is the error i've got :

1	[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:581)

I cant use SSLv3, but why ? (I recompile my openssl librairie in order to enable sslv3 and it works because if i use :

1	openssl s_client -connect IP -ssl3 -ciphers RC4-SHA

that's works.

How can I solve this ? Thx :)

[nilamo]

Does it work without using python? Try using telnet to access the server/port, and if it works, then we know the issue is somewhere in the python code, and not with a blocked port or something.

[madem]

nilamo, it works whitout using python, i try it with openssl command as i said.
Here is the command and the result is good : Openssl s_client -connect IP -ssl3 -ciphers RC4-SHA

I can connect to this ip:port with SSLv3 and RC4-SHA cipher.
So the problem came from my python code. I used ssl librairie which is a wrapper of openssl.
I recompiled openssl librarire in order to permit me to use sslv3 connection (because it's disable in the last version because of security weakness). Now i can use sslv3 with openssl but cant use it when using python. (did i need to recompile ssl librarie too ?)

Thx :)

---

J'ai fais une toute petite erreur dans la commande openssl, voici la bonne commande openssl qui fonctionne bien : openssl s_client -connect IP:PORT -ssl3 -cipher RC4-SHA

[madem]

I did a small mistake in the openssl command line i wrote, here is the good version : openssl s_client -connect IP:PORT -ssl3 -cipher RC4-SHA
So this command works , i'm sure SSLv3 is available, but cant connect using ssl librarie :/