{"id":1226,"date":"2021-11-25T15:55:29","date_gmt":"2021-11-25T07:55:29","guid":{"rendered":"https:\/\/www.houquner.com\/?p=1226"},"modified":"2021-11-25T15:55:29","modified_gmt":"2021-11-25T07:55:29","slug":"boto3-enforcing-tls-1-2","status":"publish","type":"post","link":"https:\/\/www.houquner.com\/index.php\/archives\/1226","title":{"rendered":"boto3 Enforcing TLS 1.2"},"content":{"rendered":"

\u8c03\u7528AWS API\u63a5\u53e3\u8de8\u56fd\u9645\u5230\u6d77\u5916\u7684HTTPS\u6d41\u91cf\u4f1a\u53d7\u5230\u67d0\u4e9b\u5df2\u77e5\u56e0\u7d20\u7684\u5f71\u54cd\uff0c\u5bfc\u81f4TLSv1.3\u7684\u6d41\u91cf\u53d7\u5230\u5f71\u54cd\u3002<\/p>\n

https:\/\/www.zdnet.com\/article\/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni\/
\nhttps:\/\/www.medianama.com\/2020\/08\/223-china-blocks-https-traffic\/
\nhttps:\/\/www.theregister.com\/2020\/08\/11\/china_blocking_tls_1_3_esni\/<\/p>\n

 <\/p>\n

\u5f53client–server\u6700\u7ec8\u534f\u5546\u4f7f\u7528TLSv1.2\u52a0\u5bc6\u65f6\uff0c\u6293\u5305\u4e2d\u53ef\u4ee5\u770b\u5230Client Hello\u53ca\u540e\u7eedData\u4f20\u8f93\u5747\u4e3aProtocol\u4e3aTLSv1.2\u3002 \u5f53client–server\u4f7f\u7528TLSv1.3\u52a0\u5bc6\u65f6\uff0c\u6293\u5305\u4e2d\u53ef\u4ee5\u770b\u5230Client Hello\u7684Protocol\u4e3aTLSv1\u3002\u800c\u8fd9\u79cd\u201c\u964d\u7ea7\u201d\u7684\u73b0\u8c61\uff0c\u4ece\u4e00\u4e9b\u6587\u6863\u4e2d\u63d0\u5230\uff0c\u901a\u5e38\u4e2d\u95f4\u8bbe\u5907\u6216\u6d4f\u89c8\u5668\u7b49\uff0c\u5728\u9047\u5230\u8fde\u63a5\u5931\u8d25\uff0c\u534f\u8bae\u4e0d\u5f53\u65f6\uff0c\u5219\u4f1a\u5c1d\u8bd5downgrade\u964d\u7ea7\u5904\u7406\u3002 https:\/\/zhuanlan.zhihu.com\/p\/33489365<\/a><\/p>\n

\u5904\u7406\u6b63\u5e38\u7684\u8bf7\u6c42\u6700\u7ec8\u5e94\u8be5\u662f\u53cc\u65b9\u9009\u62e9TLS1.2\u8fdb\u884c\u7684\uff1b\u800c\u5f53\u9009\u62e9TLSv1.3\u52a0\u5bc6\u7684\u90a3\u6b21\u8bf7\u6c42\uff0c\u5219\u53ef\u80fd\u88ab\u2019\u5df2\u77e5\u56e0\u7d20\u2018\u4e22\u5f03\u3002 \u56e0\u6b64\u4ece\u6293\u5305\u4e5f\u53ef\u4ee5\u770b\u5230\u5ba2\u6237\u7aef\u7684\u591a\u6b21TCP\u91cd\u4f20\u3002<\/p>\n

 <\/p>\n

\u4e3a\u89e3\u51b3\u4ee5\u4e0a\u95ee\u9898AWS \u4e2d\u6709\u4ecb\u7ecd\uff1a<\/p>\n

https:\/\/boto3.amazonaws.com\/v1\/documentation\/api\/latest\/guide\/security.html#enforcing-tls-1-2<\/p>\n

\u4ee5\u4e0a\u65b9\u6cd5\u6709\u4e9b\u590d\u6742\uff0c<\/p>\n

\u7b80\u6d01\u65b9\u5f0f\u53ef\u53c2\u8003\uff1ahttps:\/\/github.com\/boto\/botocore\/issues\/2488<\/p>\n

\u5728\u539f\u6709\u4ee3\u7801\u7684\u57fa\u7840\u4e0a\u8fdb\u884c\u4e86\u7b80\u5355\u4fee\u6539\uff1a<\/p>\n

 <\/p>\n

\n
from botocore import httpsession<\/div>\n
from urllib3.util.ssl_ import (<\/div>\n
\u00a0 \u00a0 OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION<\/div>\n
)<\/div>\n
from _ssl import (OP_NO_TLSv1, OP_NO_TLSv1_1,OP_NO_TLSv1_2,OP_NO_TLSv1_3)<\/div>\n<\/div>\n
<\/div>\n
\n
\n
def custom_create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None):<\/div>\n
\u00a0 \u00a0 if options is None:<\/div>\n
\u00a0 \u00a0 \u00a0 \u00a0 options = 0<\/div>\n
\u00a0 \u00a0 # Default options from botocore<\/div>\n
\u00a0 \u00a0 # SSLv2 is easily broken and is considered harmful and dangerous<\/div>\n
\u00a0 \u00a0 options |= OP_NO_SSLv2<\/div>\n
\u00a0 \u00a0 # SSLv3 has several problems and is now dangerous<\/div>\n
\u00a0 \u00a0 options |= OP_NO_SSLv3<\/div>\n
\u00a0 \u00a0 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+<\/div>\n
\u00a0 \u00a0 # (issue urllib3#309)<\/div>\n
\u00a0 \u00a0 options |= OP_NO_COMPRESSION<\/div>\n
\u00a0 \u00a0 # OUR new options<\/div>\n
<\/div>\n
\u00a0 \u00a0 options |= OP_NO_TLSv1<\/div>\n
\u00a0 \u00a0 options |= OP_NO_TLSv1_1<\/div>\n
\u00a0 \u00a0 options |= OP_NO_TLSv1_3<\/div>\n
\u00a0 \u00a0 #options |= OP_NO_TLSv1_2<\/div>\n
\u00a0 \u00a0 return httpsession._original_create_urllib3_context(options=options)<\/div>\n<\/div>\n<\/div>\n
<\/div>\n
<\/div>\n
\u5728python\u4ee3\u7801\u7684\u5f00\u59cb\u589e\u52a0\u4ee5\u4e0b\u4ee3\u7801\uff1a<\/p>\n
\n
\u00a0 \u00a0 httpsession._original_create_urllib3_context = httpsession.create_urllib3_context<\/div>\n
\u00a0 \u00a0 httpsession.create_urllib3_context = custom_create_urllib3_context<\/div>\n<\/div>\n<\/div>\n

\u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1aKermit\u7684\u7f51\u7ad9<\/a> » boto3 Enforcing TLS 1.2<\/a><\/p>","protected":false},"excerpt":{"rendered":"

\u8c03\u7528AWS API\u63a5\u53e3\u8de8\u56fd\u9645\u5230\u6d77\u5916\u7684HTTPS\u6d41\u91cf\u4f1a\u53d7\u5230\u67d0\u4e9b\u5df2\u77e5\u56e0\u7d20\u7684\u5f71\u54cd\uff0c\u5bfc\u81f4TLSv1.3\u7684\u6d41\u91cf\u53d7\u5230\u5f71\u54cd\u3002 https:\/\/www.zdnet.com\/article\/china-is-now-blocking-all-encrypted-htt […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1226","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/posts\/1226"}],"collection":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/comments?post=1226"}],"version-history":[{"count":1,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/posts\/1226\/revisions"}],"predecessor-version":[{"id":1227,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/posts\/1226\/revisions\/1227"}],"wp:attachment":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/media?parent=1226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/categories?post=1226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/tags?post=1226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}