
Python 3.6 SSL - Uses TLSv1.0 instead of TLSv1.2 cipher - (2-way authentication and self-signed certificate)

Reposted. Author: 太空宇宙. Updated: 2023-11-03 13:21:49

I am using the ssl library in Python 3.6. I am using a self-signed ECDSA certificate generated with openssl.

Server/client code:

import ssl

# Create a context in TLSv1.2, requiring a certificate (2-way auth)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True  # This line omitted in server code

# Set the list of allowed ciphers to those with key length of at least 128
# TODO Figure out why this isn't working
context.set_ciphers('TLSv1.2+HIGH+SHA256+ECDSA')

# Print some info about the connection
for cipher in context.get_ciphers():
    print(cipher)

Output:

{'id': 50380835, 'name': 'ECDHE-ECDSA-AES128-SHA256', 'protocol': 'TLSv1/SSLv3', 'description': 'ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256', 'strength_bits': 128, 'alg_bits': 128}

Current cipher:

 connection.cipher()

('ECDHE-ECDSA-AES128-SHA256', 'TLSv1/SSLv3', 128)

My question: why is the selected cipher not TLSv1.2?

Edit: screenshots, as requested


Based on another thread, I tried changing my code to the following, but without success.

# Create a context in TLSv1.2, requiring a certificate (2-way auth)
self.context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
self.context.options |= ssl.OP_NO_SSLv2
self.context.options |= ssl.OP_NO_SSLv3
self.context.options |= ssl.OP_NO_TLSv1
self.context.options |= ssl.OP_NO_TLSv1_1
self.context.verify_mode = ssl.CERT_REQUIRED
# self.context.check_hostname = True

# Set the list of allowed ciphers to those with high key length
# I went with SHA384 because it seemed to have more security
self.context.set_ciphers('TLSv1.2+ECDSA+HIGH')

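Best answer

This cipher is compatible with TLS 1.2; it is a normal cipher defined in RFC 5289.

I think we need to interpret Python's documentation a little to understand what get_ciphers() returns, since it is not explained. But cipher() may give us the answer: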

SSLSocket.cipher()

Returns a three-value tuple containing the name of the cipher being used, the version of the SSL protocol that defines its use, and the number of secret bits being used. If no connection has been established, returns None.

A network capture will confirm the TLS protocol version.
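As an added example (not part of the original question or answer, and assuming Python 3.7+ built against OpenSSL 1.1.1 or later): the code below keeps apart the protocol floor set on the context, the suites chosen by `set_ciphers()`, and the version actually negotiated, which `SSLSocket.version()` reports in-process. The function names and the cipher string `ECDHE+ECDSA+AESGCM` are choices made for this example.

```python
import ssl

def make_server_context():
    """TLS 1.2+ only, client certificate required, ECDHE-ECDSA AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The protocol floor is set here, not by the cipher string.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # 2-way authentication
    # Cipher string chosen for this example; it selects suites only.
    ctx.set_ciphers("ECDHE+ECDSA+AESGCM")
    return ctx

def audit_context(ctx):
    """Summarise what the context will accept, before any handshake."""
    # TLS 1.3 suites are configured separately from set_ciphers(), so skip them.
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "floor": ctx.minimum_version,
        "suites": [c["name"] for c in suites],
        "all_ecdsa": all("Au=ECDSA" in c["description"] for c in suites),
    }

def negotiated_report(conn):
    """conn is a connected ssl.SSLSocket or ssl.SSLObject."""
    suite, suite_defined_in, bits = conn.cipher()
    return {
        "suite": suite,
        "suite_defined_in": suite_defined_in,  # version that defines the suite
        "negotiated": conn.version(),          # version used on the wire
        "bits": bits,
    }

def require_tls12_or_later(conn):
    """Reject a connection that negotiated below TLS 1.2."""
    negotiated = conn.version()
    if negotiated not in ("TLSv1.2", "TLSv1.3"):
        raise ssl.SSLError("negotiated %r, need TLS 1.2 or later" % negotiated)
    return negotiated

if __name__ == "__main__":
    print(audit_context(make_server_context()))
```

Call `require_tls12_or_later()` on the socket returned by `wrap_socket()` once the handshake has completed, on both the server and the client side.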

Regarding "Python 3.6 SSL - Uses TLSv1.0 instead of TLSv1.2 cipher - (2-way authentication and self-signed certificate)", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49036748/
