pyftpdlib
TLS versions?
Hi,
Could you clarify which TLS versions are supported, and how much longer they may be supported for? How can the TLS version be specified? Does it depend on another python component? We have some devices which only support TLS 1.1, which I know is bad, but hopefully better than plain FTP.
Thank you, A
Answering this question for my own future reference:
pyftpdlib doesn't set any explicit defaults for TLS/SSL versions or ciphers and neither does PyOpenSSL, so you get whatever the default is in the OpenSSL build on your system.
You can override the SSL options by assigning something to the ssl_options property on the TLSHandler, which will get passed into the SSL context when it is created. The options are the constants starting with OP_ here and they can be bitwise ORed together: https://www.pyopenssl.org/en/latest/api/ssl.html#
e.g.:
```python
from OpenSSL import SSL
from pyftpdlib.handlers import TLS_FTPHandler
...
handler = TLS_FTPHandler
handler.certfile = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
handler.keyfile = '/etc/ssl/private/ssl-cert-snakeoil.key'
# OP_NO_* flags are ORed together; each one disables a single protocol version
handler.ssl_options = SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3
```
Edit: There's actually an ssl_protocol property you can set too. See this comment from the code:
```
 - (int) ssl_protocol:
    the desired SSL protocol version to use. This defaults to
    PROTOCOL_SSLv23 which will negotiate the highest protocol
    that both the server and your installation of OpenSSL
    support.

 - (int) ssl_options:
    specific OpenSSL options. These default to:
    SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3| SSL.OP_NO_COMPRESSION
    which are all considered insecure features.
    Can be set to None in order to improve compatibility with
    older (insecure) FTP clients.
```
The defaults seem sensible....
ref: https://github.com/giampaolo/pyftpdlib/issues/535
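An added example, not part of the original thread or of pyftpdlib's code: it builds an `ssl_options` mask for a chosen minimum protocol version and decodes any mask (including the defaults quoted above, or `None`) into the versions it leaves enabled. The function names are hypothetical, and it assumes the standard library `ssl` module's `OP_NO_*` constants carry the same OpenSSL bit values as pyOpenSSL's `SSL.OP_NO_*`, so it runs without pyOpenSSL installed.

```python
import ssl  # assumption: same OpenSSL OP_NO_* bit values as pyOpenSSL's SSL module

# Protocol versions from oldest to newest, each with the option bit that disables it.
LADDER = [
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", ssl.OP_NO_TLSv1_3),
]
NAMES = [name for name, _ in LADDER]


def options_for_minimum(min_version):
    """Return an ssl_options mask that disables every version older than min_version."""
    if min_version not in NAMES:
        raise ValueError(f"unknown protocol version: {min_version!r}")
    mask = int(ssl.OP_NO_SSLv2 | ssl.OP_NO_COMPRESSION)
    for _, flag in LADDER[:NAMES.index(min_version)]:
        mask |= int(flag)
    return mask


def versions_left_enabled(mask):
    """Decode a mask (None means no options set) into the versions it does not disable."""
    mask = 0 if mask is None else int(mask)
    return [name for name, flag in LADDER if not mask & int(flag)]


def audit(mask, floor="TLSv1.2"):
    """List the versions older than `floor` that the mask still leaves enabled."""
    return [v for v in versions_left_enabled(mask)
            if NAMES.index(v) < NAMES.index(floor)]


if __name__ == "__main__":
    legacy = options_for_minimum("TLSv1.1")  # the TLS 1.1-only devices from the question
    print(hex(legacy), versions_left_enabled(legacy), audit(legacy))
    # With pyftpdlib (not imported here): TLS_FTPHandler.ssl_options = legacy
```

The mask can only remove versions: whether an older version that is left enabled is actually negotiated still depends on the OpenSSL build on the system, as the answer above notes.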