How to block SSL protocols in favor of TLS in PyOpenSSL?

I am on CentOS 7 with the following versions:

pyOpenSSL-0.13.1-3.el7.x86_64
openssl-1.0.1e-34.el7_0.7.x86_64

In my config file (it is a CherryPy application) I have:

'server.ssl_module': 'pyopenssl',

Best answer

It's a good question for CherryPy today. This month we started discussing the SSL issues and the overall maintainability of the CherryPy wrappers over py2.6+ ssl and pyOpenSSL in the CherryPy user group. I'm planning a thread there on the SSL issues, so you can subscribe to the group to get more details later.

For now, here is what is possible. I have Debian Wheezy, Python 2.7.3-4+deb7u1, OpenSSL 1.0.1e-2+deb7u16. I have installed CherryPy from the repo (3.6 has SSL broken already) and pyOpenSSL 0.14. I tried to override the two CherryPy SSL adapters to get some score in the Qualys SSL Labs test. It is very useful and I strongly suggest you use it to test your deployment (whatever your frontend is, CherryPy or not).

So, the ssl-based adapter is still vulnerable; the py2 ssl adapter was written long before these changes, so it needs a rewrite to support both the old and the new way (mainly SSL Contexts). On the other hand, the adapted pyOpenSSL subclass is mostly fine, except:

* Secure Client-Initiated Renegotiation is enabled. It probably depends on OpenSSL.
* No Forward Secrecy; SSL.OP_SINGLE_DH_USE could have helped but it didn't. This may also depend on the OpenSSL version.

Here is the code.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import os
import sys
import ssl

import cherrypy
from cherrypy.wsgiserver.ssl_builtin import BuiltinSSLAdapter
from cherrypy.wsgiserver.ssl_pyopenssl import pyOpenSSLAdapter
from cherrypy import wsgiserver

# The adapter registry lives in a different module on py2 and py3.
if sys.version_info < (3, 0):
    from cherrypy.wsgiserver.wsgiserver2 import ssl_adapters
else:
    from cherrypy.wsgiserver.wsgiserver3 import ssl_adapters

try:
    from OpenSSL import SSL
except ImportError:
    pass


# Cipher string shared by both adapters: prefer (EC)DHE and AES-GCM, and
# exclude anonymous, NULL, MD5, DSS, RC4 and SSLv2 suites.
ciphers = (
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
    'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
    '!eNULL:!MD5:!DSS:!RC4:!SSLv2'
)
# CherryPy ships a self-signed test certificate with its test suite.
bundle = os.path.join(os.path.dirname(cherrypy.__file__), 'test', 'test.pem')

config = {
    'global': {
        'server.socket_host': '127.0.0.1',
        'server.socket_port': 8443,
        'server.thread_pool': 8,
        'server.ssl_module': 'custom-pyopenssl',
        'server.ssl_certificate': bundle,
        'server.ssl_private_key': bundle,
    }
}


class BuiltinSsl(BuiltinSSLAdapter):
    '''Vulnerable, on py2 < 2.7.9, py3 < 3.3:
      * POODLE (SSLv3), adding ``!SSLv3`` to cipher list makes it very incompatible
      * can't disable TLS compression (CRIME)
      * supports Secure Client-Initiated Renegotiation (DOS)
      * no Forward Secrecy
    Also session caching doesn't work. Some tweaks are possible, but don't really
    change much. For example, it's possible to use ssl.PROTOCOL_TLSv1 instead of
    ssl.PROTOCOL_SSLv23 with slightly worse compatibility.
    '''

    def wrap(self, sock):
        """Wrap and return the given socket, plus WSGI environ entries."""
        try:
            s = ssl.wrap_socket(
                sock,
                ciphers=ciphers,  # the override is for this line
                do_handshake_on_connect=True,
                server_side=True,
                certfile=self.certificate,
                keyfile=self.private_key,
                ssl_version=ssl.PROTOCOL_SSLv23
            )
        except ssl.SSLError:
            e = sys.exc_info()[1]
            if e.errno == ssl.SSL_ERROR_EOF:
                # This is almost certainly due to the cherrypy engine
                # 'pinging' the socket to assert it's connectable;
                # the 'ping' isn't SSL.
                return None, {}
            elif e.errno == ssl.SSL_ERROR_SSL:
                if e.args[1].endswith('http request'):
                    # The client is speaking HTTP to an HTTPS server.
                    raise wsgiserver.NoSSLError
                elif e.args[1].endswith('unknown protocol'):
                    # The client is speaking some non-HTTP protocol.
                    # Drop the conn.
                    return None, {}
            raise
        return s, self.get_environ(s)

ssl_adapters['custom-ssl'] = BuiltinSsl


class Pyopenssl(pyOpenSSLAdapter):
    '''Mostly fine, except:
      * Secure Client-Initiated Renegotiation
      * no Forward Secrecy, SSL.OP_SINGLE_DH_USE could have helped but it didn't
    '''

    def get_context(self):
        """Return an SSL.Context from self attributes."""
        c = SSL.Context(SSL.SSLv23_METHOD)
        # override: disable compression (CRIME), SSLv2 and SSLv3 (POODLE),
        # and ask for fresh DH keys per connection.
        c.set_options(SSL.OP_NO_COMPRESSION | SSL.OP_SINGLE_DH_USE |
                      SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        c.set_cipher_list(ciphers)
        c.use_privatekey_file(self.private_key)
        if self.certificate_chain:
            c.load_verify_locations(self.certificate_chain)
        c.use_certificate_file(self.certificate)
        return c

ssl_adapters['custom-pyopenssl'] = Pyopenssl


class App:

    @cherrypy.expose
    def index(self):
        return '<em>Is this secure?</em>'


if __name__ == '__main__':
    cherrypy.quickstart(App(), '/', config)
```

Update: here are the article and the discussion that should decide the future of CherryPy's SSL support.

Source (python - How to block SSL protocols in favor of TLS?): https://stackoverflow.com/questions/29260947/