SleekXMPP
SleekXMPP copied to clipboard
fritzy
module 'ssl' has no attribute 'PROTOCOL_SSLv3'
On debian Stretch, support for PROTOCOL_SSLv3 is disabled and Sleekxmpp failed.
DEBUG Starting TLS
INFO Negotiating TLS
INFO Using SSL/TLS version: TLS
INFO Note: SSLv23 doesn't mean SSLv2 and SSLv3, but means all supported versions, actually TLSv1.0+, since SSLv2 and SSLv3 is disabled.
ERROR Connection error.
ERROR module 'ssl' has no attribute 'PROTOCOL_SSLv3'
Traceback (most recent call last):
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/xmlstream/xmlstream.py", line 1568, in _process
if not self.__read_xml():
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/xmlstream/xmlstream.py", line 1640, in __read_xml
self.__spawn_event(xml)
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/xmlstream/xmlstream.py", line 1708, in __spawn_event
handler.prerun(stanza_copy)
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/xmlstream/handler/callback.py", line 64, in prerun
self.run(payload, True)
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/xmlstream/handler/callback.py", line 76, in run
self._pointer(payload)
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/features/feature_starttls/starttls.py", line 64, in _handle_starttls_proceed
if self.xmpp.start_tls():
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/xmlstream/xmlstream.py", line 940, in start_tls
ssl_socket = self._create_secure_socket()
File "/home/inkey/.local/share/virtualenvs/errbot/lib/python3.5/site-packages/sleekxmpp-1.4.0-py3.5.egg/sleekxmpp/xmlstream/xmlstream.py", line 462, in _create_secure_socket
if self.ssl_version == ssl.PROTOCOL_SSLv3:
AttributeError: module 'ssl' has no attribute 'PROTOCOL_SSLv3'
According to https://docs.python.org/3/library/ssl.html:
Changed in version 3.5: The default ssl_version is changed from PROTOCOL_SSLv3 to PROTOCOL_TLS for maximum compatibility with modern servers.
I was able to fix it with this command in the source tree:
for A in find . -type f | xargs grep -l PROTOCOL_SSLv3; do sed -i -e 's/PROTOCOL_SSLv3/PROTOCOL_TLS/g' $A;done
the backticks around the find aren't showing up so i dont know whats up with tat .. I'm sure there is a better compatible way to fix this. like adding ssl.PROTOCOL_SSLvr = ssl.PROTOCOL_TLS to the init.py of the module
I was able to fix this issue by editing sleekxmpp/xmlstream/xmlstream.py
Essentially I removed every instance of ssl.PROTOCOL_SSLv3 and any code relating to it.
@@ -459,10 +459,6 @@ class XMLStream(object):
# Good, create_default_context() is supported, which consists
# recommended security settings by default.
ctx = ssl.create_default_context()
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- # But if the user specifies insecure SSLv3, do a favor.
- ctx.options &= ~ssl.OP_NO_SSLv3 # UNSET NO_SSLv3, or set SSLv3
- ctx.set_ciphers(_CIPHERS_SSL) # _CIPHERS_SSL is weaker
# XXX: certificate is not verified in most circumstances.
# FIXME: need to provide a new option that verifies against system CAs.
@@ -472,16 +468,6 @@ class XMLStream(object):
elif cert_policy == ssl.CERT_REQUIRED:
ctx.load_verify_locations(cafile=self.ca_certs)
else:
- # Oops, create_default_context() is not supported.
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- # First, if the user specifies insecure SSLv3, do a favor.
- ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
- ctx.set_ciphers(_CIPHERS_SSL)
- else:
- # Or, set the version to TLSv1 (later is not supported),
- # and set a list of good ciphers.
- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- ctx.set_ciphers(_CIPHERS_TLS)
# And in both case, CRIME attack needs to be prevented.
if sys.version_info >= (3, 3):
ctx.options &= ssl.OP_NO_COMPRESSION
@@ -497,10 +483,6 @@ class XMLStream(object):
elif sys.version_info >= (2, 7, 9):
# Good, create_default_context() is supported, do the same as Python 3.4.
ctx = ssl.create_default_context()
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- # If the user specifies insecure SSLv3, do a favor.
- ctx.options &= ~ssl.OP_NO_SSLv3
- ctx.set_ciphers(_CIPHERS_SSL)
if cert_policy == ssl.CERT_NONE:
# XXX: certificate is not verified!
ctx.check_hostname = False
@@ -508,10 +490,7 @@ class XMLStream(object):
elif cert_policy == ssl.CERT_REQUIRED:
ctx.load_verify_locations(cafile=self.ca_certs)
else:
- if self.ssl_version == ssl.PROTOCOL_SSLv3:
- ssl_args['ssl_version'] = ssl.PROTOCOL_SSLv3
- else:
- ssl_args['ssl_version'] = ssl.PROTOCOL_TLSv1
+ ssl_args['ssl_version'] = ssl.PROTOCOL_SSLv23
ctx = None
if ctx:
I don't know if this is the best way but it is working on Ubuntu 16.04.5 LTS using python 2.7.12
You can also change the last line ssl.PROTOCOL_SSLv23 to ssl.PROTOCOL_TLSv1_2
@inkhey @potnii @nathanjameshill @kaymccormick @tuckerrc: There is a PR:
- https://github.com/fritzy/SleekXMPP/pull/500
The master is: https://github.com/fritzy/SleekXMPP/commits/develop
The correct patch is located at here:
https://github.com/fritzy/SleekXMPP/pull/470
I've submitted this patch years ago, but unfortunately, the project maintainer disappeared and it cannot be merged.
