
Using TLS1.2 with ftplib in python 2.7.*

I need to connect to an FTP server which requires TLS 1.2.

The ftplib has an object called FTP_TLS.ssl_version, but I can't choose ssl.PROTOCOL_TLSv1_2 because it's available only in Python 3.4 and will be available in Python 2.7.9, which is not released as of this post.

There is no way I can change my program to use Python 3.4, so what are my options?

One could assume that the default should already be to connect with the best TLS version possible. An explicit setting to TLS 1.2 just means that the client will not accept anything below TLS 1.2 back from the server.

Unfortunately ftplib decided to hard code the version to TLSv1 and thus reduce the connection to TLS 1.0 even if OpenSSL would support better versions. Since there is no way with older Python versions to explicitly request TLS 1.1 or TLS 1.2, you need to request SSLv23, which automatically requests the best version possible:

import ssl
from ftplib import FTP_TLS
ftps = FTP_TLS('127.0.0.1')

# set protocol to SSLv23 to request best version
ftps.ssl_version = ssl.PROTOCOL_SSLv23

ftps.login()
ftps.prot_p()
ftps.retrlines('LIST')
ftps.quit()

The only change to normal use of ftplib is to set ssl_version to ssl.PROTOCOL_SSLv23 and thus it will request the best version possible. Whether this will be TLS 1.2 depends on the server and on the supported versions in the client. With Ubuntu, TLS 1.2 is disabled on the client side up to version 13.10, so it will use at most TLS 1.1. With Ubuntu 14.04 it will use TLS 1.2 if the server supports it.

A side effect of this change is that it will not send an AUTH TLS command to the FTP server, but instead the older AUTH SSL command, but most servers will probably not care. Another side effect is that it will also allow TLS 1.0 or SSL 3.0 if the server does not support anything better. If you don't want this you have to fiddle with the SSL context options, but it looks like this is only available with Python 3.
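For readers who can run Python 3.7 or later, the following added example (not part of the original answer) shows the SSL context approach the answer alludes to: the client still negotiates the best shared version but refuses anything below TLS 1.2. The function names, `cafile` parameter and host/credential arguments are hypothetical.

```python
import ssl
from ftplib import FTP_TLS

# Versions this client is willing to accept on the control channel.
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def strict_tls_context(cafile=None):
    """Build a client context that negotiates upward but never below TLS 1.2."""
    # create_default_context() enables certificate and hostname verification.
    ctx = ssl.create_default_context(cafile=cafile)
    # Set a floor only; the maximum stays open so TLS 1.3 is used if offered.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_client(cafile=None):
    """Return an unconnected FTP_TLS object bound to the strict context."""
    return FTP_TLS(context=strict_tls_context(cafile))


def list_over_tls12(host, user, passwd, cafile=None):
    """Connect, confirm the negotiated version, and return a directory listing.

    host, user and passwd are placeholders supplied by the caller.
    """
    ftps = make_client(cafile)
    ftps.connect(host)
    ftps.login(user, passwd)           # upgrades the control channel to TLS
    negotiated = ftps.sock.version()   # e.g. "TLSv1.2"
    if negotiated not in ACCEPTED_VERSIONS:
        ftps.close()
        raise ssl.SSLError("unexpected protocol version: %r" % negotiated)
    ftps.prot_p()                      # protect the data channel as well
    lines = []
    ftps.retrlines("LIST", lines.append)
    ftps.quit()
    return negotiated, lines
```

With this context a server that only offers TLS 1.0, TLS 1.1 or SSL 3.0 fails the handshake instead of being silently accepted.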
