
python - Detect/check the TLS version of a request

Reposted. Author: 行者123. Updated: 2023-12-04 22:37:18

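We received the following email from Heroku. We have a Django backend on Heroku, with many requests coming from browsers and from other systems.
As Heroku says, we believe browsers will not have any problem, because even old browsers are compatible with TLS 1.2: https://caniuse.com/tls1-2
However, we don't know whether other systems are connecting to our system using TLS 1.0 or TLS 1.1.
Can we detect it from our code? Something like this?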

if request.getProtocolTLS() in ["TLS1.0", "TLS1.1"]:
    send_admin_mail('Alert old protocol of TLS', request.user, request.get_full_path())

Update, with real data about our application:
  • Cloud: Heroku
  • Framework: Django 1.11.11
  • Python version: 3.6
  • WSGI HTTP server: gunicorn
  • Procfile:
    web: python manage.py collectstatic --noinput ; gunicorn joinupback.wsgi --log-file - --max-requests 6700 --max-requests-jitter 20

    Dear Heroku Customer,

    At Salesforce, our top priority is providing you with a trusted Heroku platform, and today we begin our migration off of older, less secure TLS versions with a plan to completely block TLS v1.0/v1.1 next year after July 31, 2021. While this restriction is generally not a problem for web browser clients, some old, non-browser clients may be affected. This notice gives you one full year to make whatever changes are necessary to ensure all clients use TLS v1.2, or greater (v1.2+).

    Heroku currently supports TLS v1.0/v1.1, as well as the latest, more secure TLS v1.2+ protocol on all apps. In April 2016, the PCI Council released version 3.1 of their Data Security Standard (DSS). Among the many changes and recommendations was that SSL and TLS v1.0 can no longer be used. Today's recommendation is to use TLS v1.2+, not just for PCI compliance, but as a general best practice for encryption of data in transit on the internet.

    Today, Heroku begins implementing these recommendations to transition all apps to TLS v1.2+, so that we can End of Life TLS v1.0/v1.1 next year.

    What do I need to do? There is nothing you need to do for this change to take effect. Everything will happen automatically, without any action by you. However, if there are clients that access your app using TLS v1.0/1.1, they will need to be updated by July 31, 2021.

    What do I need to know? We recently changed the ciphers used on all new Heroku apps deployed in Private Spaces to support only TLS v1.2+. Existing apps already running in a Private Space remain unchanged, using the previous default cipher suite.

    Later this year, we will make a similar change to the default ciphers for all new Heroku apps.

    If you run your apps in a Private Space, you may wish to change their cipher suite to TLS v1.2+ only so that they will be unaffected when we will block TLS v1.0/v1.1 traffic. Details on how to do this are in the Routing in Private Spaces Dev Center article (“SSL Security” section).

    When we change the default cipher suite for Common Runtime apps (i.e. apps not in Private Spaces), we will also provide instructions for you to change the cipher suite for these existing apps as well.

    Beginning on June 1, 2021, we will begin migrating all apps to the new cipher suites and block TLS v1.0/v1.1, completing this migration by July 31, 2021.

    After July 31, 2021, clients that access Heroku apps using TLS v1.0/v1.0 will be blocked. It is important that you take the necessary steps before then to ensure that your apps remain accessible to all your clients.

    Sincerely,
    Heroku

    Best answer

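    Since you are not starting gunicorn in https mode, we can rule out reverse proxy <-> gunicorn. So you don't have a problem; your reverse proxy does, which means Heroku does.
    If you start gunicorn with ssl, then you can select the ssl version used.
    Still, this letter is about notifying you that the devices of people who visit your site should be upgraded if they are really ancient. You will not be able to detect this, because the WSGI specification does not require the SSL protocol to be passed from the reverse proxy to the WSGI server. It can be done, though, but I don't know how much control one has over Heroku.
    For example, with uWSGI, nginx's uwsgi module and ssl module, one can get it done: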

  • The nginx ssl module defines $ssl_protocol
  • The uwsgi_param directive defines variables to pass to the WSGI environment
  • Django will read these through django.core.handlers.wsgi.WSGIRequest and make them available in request.META.
    Regarding python - Detect/check the TLS version of a request, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62898441/
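
The nginx/uWSGI route described in the answer, as an added example (not code from the original post or from Heroku). It assumes a reverse proxy you control that sets `uwsgi_param SSL_PROTOCOL $ssl_protocol;`; the key name `SSL_PROTOCOL`, the `TLSVersionAudit` class and the sample requests are constructed for illustration, and in Django the same key would appear in `request.META`.

```python
# Added example. Assumed nginx side (the key name SSL_PROTOCOL is this example's
# choice):  uwsgi_param SSL_PROTOCOL $ssl_protocol;
import logging

log = logging.getLogger("tls_audit")
ENVIRON_KEY = "SSL_PROTOCOL"  # assumption: set by the proxy, never taken from a client header
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # $ssl_protocol spellings

def classify(environ):
    """Return 'legacy', 'modern' or 'unknown' for one WSGI environ."""
    proto = environ.get(ENVIRON_KEY, "").strip()
    if not proto:
        return "unknown"  # plain HTTP, or the proxy does not pass the value
    return "legacy" if proto in LEGACY else "modern"

class TLSVersionAudit:
    """WSGI middleware that reports each legacy-TLS client once."""

    def __init__(self, app, on_legacy=None):
        self.app = app
        self.on_legacy = on_legacy or (
            lambda proto, client, path: log.warning("legacy TLS %s from %s on %s", proto, client, path))
        self.seen = {}  # (protocol, client address) -> request count

    def __call__(self, environ, start_response):
        if classify(environ) == "legacy":
            key = (environ[ENVIRON_KEY].strip(), environ.get("REMOTE_ADDR", "?"))
            self.seen[key] = self.seen.get(key, 0) + 1
            if self.seen[key] == 1:  # alert on first sight, not on every request
                self.on_legacy(key[0], key[1], environ.get("PATH_INFO", ""))
        return self.app(environ, start_response)

def demo():
    """Feed constructed environs through the middleware; return (alerts, counts)."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    alerts = []
    audited = TLSVersionAudit(app, on_legacy=lambda *a: alerts.append(a))
    for proto, addr, path in [  # constructed sample requests
            ("TLSv1.2", "192.0.2.10", "/api/"), ("TLSv1", "192.0.2.20", "/api/orders"),
            ("TLSv1", "192.0.2.20", "/api/orders"), ("TLSv1.1", "192.0.2.30", "/hook"),
            (None, "192.0.2.40", "/")]:
        env = {"REMOTE_ADDR": addr, "PATH_INFO": path}
        if proto:
            env[ENVIRON_KEY] = proto
        audited(env, lambda status, headers: None)
    return alerts, audited.seen
```

The per-client counts in `seen` give the list of integrations still to be upgraded; requests classified as "unknown" mean the proxy is not passing the value, not that the client is safe.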
