Is it possible to see which TLS version was negotiated with the server using the Python requests module? Something similar to what openssl s_client -connect would return:

```
---
No client certificate CA names sent
---
SSL handshake has read 3043 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
```
PalePal
  • What error are you getting? – Akash Oct 02 '17 at 19:04
  • No error, I'm able to connect, but I want to see whether my connection is using TLS 1.2 :) – PalePal Oct 02 '17 at 19:05
  • According to the documentation it looks like they use whatever the urllib3 default is unless you specify differently. But without digging too much more, you could simply use wireshark to log the traffic and view the handshake protocol version in your capture. http://docs.python-requests.org/en/master/user/advanced/#example-specific-ssl-version – stephen Oct 02 '17 at 19:53
  • @stephen yeah, "whatever is the urllib3 default" was my first idea, but Python does not make a lot of sense - documentation says one thing, the code says another one. Like I should have ssl.OP_NO_SSLv3, but ssl.py does not contain this code :D Wireshark was my initial thought, but I'm in a commercial environment and it doesn't work :) – PalePal Oct 02 '17 at 20:00

1 Answer

Copying the core of my other answer at https://stackoverflow.com/a/55462022/6368697: if you want to do things just once and for tests, monkey patching can be enough (otherwise, read the rest of my answer, which offers a proper implementation with a transport adapter, and also proper display of certificates received):

```python
import requests
from requests.packages.urllib3.connection import VerifiedHTTPSConnection

# Holds the socket of the most recent HTTPS connection.
SOCK = None

_orig_connect = VerifiedHTTPSConnection.connect

def _connect(self):
    # Run the real connect(), then keep a reference to the TLS socket.
    global SOCK
    _orig_connect(self)
    SOCK = self.sock

# Monkey patch: every HTTPS connection made by requests now records its socket.
VerifiedHTTPSConnection.connect = _connect

requests.get('https://yahoo.com')
# .connection is the pyOpenSSL Connection object, so this relies on urllib3
# using its pyOpenSSL backend.
tlscon = SOCK.connection
print('Cipher is %s/%s' % (tlscon.get_cipher_name(), tlscon.get_cipher_version()))
print('Remote certificates: %s' % (tlscon.get_peer_certificate()))
print('Protocol version: %s' % tlscon.get_protocol_version_name())
```

This yields:

```
Cipher is ECDHE-RSA-AES128-GCM-SHA256/TLSv1.2
Remote certificates: <OpenSSL.crypto.X509 object at 0x10c60e310>
Protocol version: TLSv1.2
```
Patrick Mevzek
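
An added example, not part of the original question or answer: the same check done with Python's standard `ssl` module instead of requests, reporting the negotiated protocol and cipher and comparing the protocol against a TLS 1.2 minimum. The function names and the `example.com` host are assumptions chosen for illustration.

```python
import socket
import ssl

# Names returned by ssl.SSLSocket.version(), mapped to comparable enum values.
_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def meets_minimum(protocol, minimum=ssl.TLSVersion.TLSv1_2):
    """True if a negotiated protocol name is at least `minimum`."""
    version = _VERSIONS.get(protocol)
    # Unknown or missing names (e.g. None before the handshake) fail closed.
    return version is not None and version >= minimum


def strict_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Verifying client context that refuses anything older than `minimum`."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = minimum
    return ctx


def negotiated_tls(host, port=443, ctx=None, timeout=10.0):
    """Handshake with host:port and report what was actually negotiated."""
    ctx = ctx or strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _, secret_bits = tls.cipher()
            return {
                "protocol": tls.version(),
                "cipher": cipher_name,
                "bits": secret_bits,
                "ok": meets_minimum(tls.version()),
            }


if __name__ == "__main__":
    # example.com is a placeholder host; a server that only offers an older
    # protocol makes wrap_socket() raise ssl.SSLError instead of returning.
    try:
        print(negotiated_tls("example.com"))
    except (ssl.SSLError, OSError) as exc:
        print("handshake failed:", exc)
```

Because `strict_context()` sets `minimum_version`, a successful return already implies TLS 1.2 or newer; `meets_minimum()` is useful on its own for version strings collected elsewhere, such as the `TLSv1.1` in the question's `openssl s_client` output.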