plugin.api.http_session: add class TLSSecLevel1Adapter() #4345


Merged 1 commit into streamlink:master on Feb 13, 2022

Conversation

mkbloke (Member) commented Feb 12, 2022

Creates an adapter with OpenSSL security level 1. Example usage:

from streamlink.plugin.api.http_session import TLSSecLevel1Adapter

adapter = TLSSecLevel1Adapter()
self.session.http.mount("https://filmon.com", adapter)
self.session.http.mount("https://www.filmon.com", adapter)


I have not added this to __all__, is that reasonable?
There are no tests; I'm not really sure how to test it.

merge before #4335

@mkbloke mkbloke force-pushed the tls-sec-level1-adaptor branch from 43dead5 to 1ead825 Compare February 12, 2022 22:07
bastimeyer (Member) left a comment


> For websites using TLS version < 1.3

The commit message is wrong. This has nothing to do with TLS 1.3. This simply allows a negotiation of old/insecure ciphers which are disabled by default in Python 3.10, as it now hardcodes more secure ciphers (seclevel=2) instead of relying on the system configuration via openssl, etc. This is a compile flag and it can be changed to --with-ssl-default-suites=openssl to make it work with the system's openssl config for example.

In case of FilmOn, where this adapter with the ciphers override is needed, the site is running via TLS 1.2. The protocol version doesn't matter here though and the latest one supported by client and server is automatically chosen in the protocol negotiation. Python 3.10 still allows TLS 1.2.


https://docs.python.org/3/library/ssl.html#ssl.SSLContext

> Changed in version 3.10: The default cipher suites now include only secure AES and ChaCha20 ciphers with forward secrecy and security level 2. RSA and DH keys with less than 2048 bits and ECC keys with less than 224 bits are prohibited. PROTOCOL_TLS, PROTOCOL_TLS_CLIENT, and PROTOCOL_TLS_SERVER use TLS 1.2 as minimum TLS version.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

> Level 0
> Everything is permitted. This retains compatibility with previous versions of OpenSSL.
>
> Level 1
> The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited.
>
> Level 2
> Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.


> I have not added this to __all__, is that reasonable?

It should be added there, as it's part of the module's public interface.

@mkbloke mkbloke force-pushed the tls-sec-level1-adaptor branch from 1ead825 to ab844cb Compare February 13, 2022 19:42
@bastimeyer bastimeyer merged commit eecb0e3 into streamlink:master Feb 13, 2022
@mkbloke mkbloke deleted the tls-sec-level1-adaptor branch February 13, 2022 19:54
Billy2011 added a commit to Billy2011/streamlink-27 that referenced this pull request Feb 14, 2022