python docker ssl ftp tls1.0

How to enable TLS 1.0 in a Python container?


I need to connect to an old FTP server, which uses TLS 1.0. I'm trying to enable TLS 1.0 support in my container but with no luck.

Environment: docker
Image: python:latest

What I did so far:

  1. Changed MinProtocol to TLS_v1.0 in /etc/ssl/openssl.cnf: https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1358

  2. Set ssl_version to PROTOCOL_TLSv1 in my code:

    #!/usr/local/bin/python
    import ftplib
    import ssl
    from ftplib import FTP_TLS

    ftplib.FTP_TLS.ssl_version = ssl.PROTOCOL_TLSv1
    ftp = FTP_TLS('...')
    ftp.login('...', '...')
    ftp.retrlines('LIST')

    ftp.quit()

And I'm getting this error:

      File "/usr/local/lib/python3.10/ftplib.py", line 745, in login
        self.auth()
      File "/usr/local/lib/python3.10/ftplib.py", line 756, in auth
        self.sock = self.context.wrap_socket(self.sock, server_hostname=self.host)
      File "/usr/local/lib/python3.10/ssl.py", line 512, in wrap_socket
        return self.sslsocket_class._create(
      File "/usr/local/lib/python3.10/ssl.py", line 1070, in _create
        self.do_handshake()
      File "/usr/local/lib/python3.10/ssl.py", line 1341, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)

How should I (if at all) approach using older TLS versions in a Python container?


Solution

  • ... no ciphers available

    This is not a problem of the TLS version but of the available ciphers. Thus, just setting a lower protocol version does not help. It is unclear which ciphers the server supports and whether these are even compiled into the version of OpenSSL you use from Python. For example, RC4 is usually no longer compiled in.

    But it might well be that the necessary ciphers are only disabled by default, which is often the case with the higher security level that is often set by default. In this case it might help to decrease the security level, which also takes care of the TLS version:

    #!/usr/local/bin/python
    import ftplib
    import ssl
    from ftplib import FTP_TLS

    # Start from the default client context (certificate checks stay enabled)
    ctx = ssl.create_default_context()
    ctx.set_ciphers('DEFAULT:@SECLEVEL=1')  # enables weaker ciphers and protocols
    ftp = FTP_TLS(context=ctx)
    ftp.set_debuglevel(10)  # print the FTP control-channel dialogue
    ftp.connect('...', 21)
    ftp.login('...', '...')
    ftp.quit()
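A variant of the approach above, as an added example that is not part of the original answer: it confines the weakened settings to a single context, keeps certificate and hostname verification on, and lists which pre-TLS 1.2 cipher suites the local OpenSSL can still offer, which is the first thing to check when `NO_CIPHERS_AVAILABLE` appears. The function names are hypothetical, and the host and credentials passed to `list_legacy_ftps` are placeholders. It relies on two facts beyond the answer: Python 3.10+ gives new contexts a TLS 1.2 floor, and OpenSSL 3.x permits TLS 1.0 only at security level 0.

```python
import ssl
import warnings
from ftplib import FTP_TLS

# OpenSSL 3.x only allows TLS 1.0/1.1 at security level 0; 1.1.1 allows them at 1.
LEGACY_SECLEVEL = 0 if ssl.OPENSSL_VERSION_INFO >= (3, 0, 0) else 1


def legacy_tls_context(seclevel=LEGACY_SECLEVEL, cafile=None):
    """Build a client context that permits TLS 1.0 for one legacy server."""
    # create_default_context keeps certificate and hostname verification on.
    ctx = ssl.create_default_context(cafile=cafile)
    with warnings.catch_warnings():
        # Python 3.10+ flags TLSv1 as deprecated; the downgrade is deliberate here.
        warnings.simplefilter("ignore", DeprecationWarning)
        # Python 3.10+ defaults new contexts to a TLS 1.2 floor; lower it explicitly.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    return ctx


def pre_tls12_ciphers(ctx):
    """Names of enabled suites defined before TLS 1.2 (usable by a TLS 1.0 peer)."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] not in ("TLSv1.2", "TLSv1.3")]


def list_legacy_ftps(host, user, password, port=21):
    """Connect with the relaxed context; return the negotiated (version, cipher)."""
    ftp = FTP_TLS(context=legacy_tls_context())
    ftp.connect(host, port)
    ftp.login(user, password)   # AUTH TLS is negotiated here
    negotiated = (ftp.sock.version(), ftp.sock.cipher()[0])
    ftp.prot_p()                # protect the data channel as well
    ftp.retrlines("LIST")
    ftp.quit()
    return negotiated


if __name__ == "__main__":
    ctx = legacy_tls_context()
    print(ssl.OPENSSL_VERSION, "-> security level", LEGACY_SECLEVEL)
    print("pre-TLS 1.2 suites:", pre_tls12_ciphers(ctx) or "none compiled in")
```

If the printed list is empty, or the server only accepts a suite that is not in it (RC4, for example), no Python setting will help and the OpenSSL build itself is the limit.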