Merge pull request #244 from FlipperPA/feature/support-tls-versions

etianen · web-flow · commit 608814f9c680 · 2022-06-07T21:59:28.000+01:00
Allows overriding the SSL/TLS version. (fixes `SSLV3_ALERT_HANDSHAKE_FAILURE` in Python 3.10)
diff --git a/README.rst b/README.rst
@@ -37,6 +37,10 @@ Available settings
     # Initiate TLS on connection.
     LDAP_AUTH_USE_TLS = False
 
+    # Specify which TLS version to use (Python 3.10 requires TLSv1 or higher)
+    import ssl
+    LDAP_AUTH_TLS_VERSION = ssl.PROTOCOL_TLSv1_2
+
     # The LDAP search base for looking up users.
     LDAP_AUTH_SEARCH_BASE = "ou=people,dc=example,dc=com"
 
diff --git a/django_python3_ldap/conf.py b/django_python3_ldap/conf.py
@@ -43,6 +43,11 @@ def __init__(self, settings):
         default=False,
     )
 
+    LDAP_AUTH_TLS_VERSION = LazySetting(
+        name="LDAP_AUTH_TLS_VERSION",
+        default="SSLv3",
+    )
+
     LDAP_AUTH_SEARCH_BASE = LazySetting(
         name="LDAP_AUTH_SEARCH_BASE",
         default="ou=people,dc=example,dc=com",
diff --git a/django_python3_ldap/ldap.py b/django_python3_ldap/ldap.py
@@ -166,23 +166,29 @@ def connection(**kwargs):
         )
     # Connect.
     try:
+        # Include SSL / TLS, if requested.
+        connection_args = {
+            "user": username,
+            "password": password,
+            "auto_bind": False,
+            "raise_exceptions": True,
+            "receive_timeout": settings.LDAP_AUTH_RECEIVE_TIMEOUT,
+        }
+        if settings.LDAP_AUTH_USE_TLS:
+            connection_args["tls"] = ldap3.Tls(
+                ciphers='ALL',
+                version=settings.LDAP_AUTH_TLS_VERSION,
+            )
         c = ldap3.Connection(
             server_pool,
-            user=username,
-            password=password,
-            auto_bind=False,
-            raise_exceptions=True,
-            receive_timeout=settings.LDAP_AUTH_RECEIVE_TIMEOUT,
+            **connection_args,
         )
     except LDAPException as ex:
         logger.warning("LDAP connect failed: {ex}".format(ex=ex))
         yield None
         return
     # Configure.
     try:
-        # Start TLS, if requested.
-        if settings.LDAP_AUTH_USE_TLS:
-            c.start_tls(read_server_info=False)
         # Perform initial authentication bind.
         c.bind(read_server_info=True)
         # If the settings specify an alternative username and password for querying, rebind as that.
