Adding support for system recommended settings #53

Merged
merged 3 commits into from
Jun 25, 2024
Merged
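--- a/src/tlslib/stdlib.py
+++ b/src/tlslib/stdlib.py
@@ -15,6 +15,7 @@
 import truststore
 
 from .tlslib import (
+    DEFAULT_CIPHER_LIST,
     Backend,
     CipherSuite,
     NextProtocol,
@@ -250,8 +251,12 @@ def _configure_context_for_ciphers(
 
     Returns the context.
     """
-    if ciphers is not None:
-        ossl_names = [_cipher_map[cipher] for cipher in ciphers if cipher in _cipher_map]
+    if ciphers is None:
+        # OpenSSL does not necessarily have system recommended settings
+        # The default cipher list is used here instead
+        ciphers = DEFAULT_CIPHER_LIST
+
+    ossl_names = [_cipher_map[cipher] for cipher in ciphers if cipher in _cipher_map]
     if not ossl_names:
         msg = "None of the provided ciphers are supported by the OpenSSL backend!"
         raise TLSError(msg)
@@ -293,9 +298,18 @@ def _init_context_common(
         config.inner_protocols,
     )
 
+    # In lieu of system recommended settings, we default to TLS v1.3
+    lowest_supported_version = config.lowest_supported_version
+    if lowest_supported_version is None:
+        lowest_supported_version = TLSVersion.TLSv1_3
+
+    highest_supported_version = config.highest_supported_version
+    if highest_supported_version is None:
+        highest_supported_version = TLSVersion.MAXIMUM_SUPPORTED
+
     try:
-        some_context.minimum_version = _TLSMinVersionOpts[config.lowest_supported_version]
-        some_context.maximum_version = _TLSMaxVersionOpts[config.highest_supported_version]
+        some_context.minimum_version = _TLSMinVersionOpts[lowest_supported_version]
+        some_context.maximum_version = _TLSMaxVersionOpts[highest_supported_version]
     except KeyError:
         raise TLSError("Bad maximum/minimum options")
 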
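Review bot: The new fallback in `_init_context_common` resolves a `None` minimum to `TLSVersion.TLSv1_3` without checking it against a caller-supplied maximum, so a configuration that sets only `highest_supported_version=TLSVersion.TLSv1_2` now resolves to minimum 1.3 / maximum 1.2, a combination the former `TLSv1_2` default could not produce; the `except KeyError` below does not cover it, so the mismatch would presumably surface only from OpenSSL later, not at configuration time. An explicit range check once both values are resolved, raising `TLSError` with a message naming both versions, would make that failure deterministic and easy to diagnose (the comparison helper depends on how `TLSVersion` is defined outside this hunk). The comment `# In lieu of system recommended settings, we default to TLS v1.3` also deserves one more line, since the floor moves up from the old configuration-level default: `# Raising the floor from the former TLSv1_2 default is intentional; peers limited to TLS 1.2 need an explicit lowest_supported_version.` `_init_context_common` starts before the hunk.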
79 changes: 42 additions & 37 deletions src/tlslib/tlslib.py
Expand Up @@ -9,6 +9,7 @@
from typing import Generic, Protocol, TypeVar

__all__ = [
"TLSBuffer",
"TLSServerConfiguration",
"TLSClientConfiguration",
"ClientContext",
Expand Down Expand Up @@ -154,21 +155,22 @@ class TLSClientConfiguration(Generic[_TrustStore, _Certificate, _PrivateKey]):
and optionally a list of intermediate certificates. These certificates
will be offered to the server during the handshake if required.

:param ciphers Sequence[CipherSuite | int]:
:param ciphers Sequence[CipherSuite | int] | None:
The available ciphers for TLS connections created with this
configuration, in priority order.
configuration, in priority order. If None is provided, the backend
will choose a suitable default value (such as system recommended settings).

:param inner_protocols Sequence[NextProtocol | bytes]:
Protocols that connections created with this configuration should
advertise as supported during the TLS handshake. These may be
advertised using ALPN. This list of protocols should be ordered
by preference.

:param lowest_supported_version TLSVersion:
:param lowest_supported_version TLSVersion | None:
The minimum version of TLS that should be allowed on TLS
connections using this configuration.

:param highest_supported_version TLSVersion:
:param highest_supported_version TLSVersion | None:
The maximum version of TLS that should be allowed on TLS
connections using this configuration.

Expand All @@ -189,25 +191,17 @@ class TLSClientConfiguration(Generic[_TrustStore, _Certificate, _PrivateKey]):
def __init__(
self,
certificate_chain: SigningChain[_Certificate, _PrivateKey] | None = None,
ciphers: Sequence[CipherSuite] | None = None,
ciphers: Sequence[CipherSuite | int] | None = None,
inner_protocols: Sequence[NextProtocol | bytes] | None = None,
lowest_supported_version: TLSVersion | None = None,
highest_supported_version: TLSVersion | None = None,
trust_store: _TrustStore | None = None,
) -> None:
"""Initialize TLS client configuration."""
if ciphers is None:
ciphers = DEFAULT_CIPHER_LIST

if inner_protocols is None:
inner_protocols = []

if lowest_supported_version is None:
lowest_supported_version = TLSVersion.TLSv1_2

if highest_supported_version is None:
highest_supported_version = TLSVersion.MAXIMUM_SUPPORTED

self._certificate_chain = certificate_chain
self._ciphers = ciphers
self._inner_protocols = inner_protocols
Expand All @@ -226,8 +220,11 @@ def certificate_chain(self) -> SigningChain | None:
return self._certificate_chain

@property
def ciphers(self) -> Sequence[CipherSuite | int]:
"""The list of available ciphers for TLS connections, in priority order."""
def ciphers(self) -> Sequence[CipherSuite | int] | None:
"""
The list of available ciphers for TLS connections, in priority order.
None indicates that system recommended settings will be used.
"""
return self._ciphers

@property
Expand All @@ -239,13 +236,19 @@ def inner_protocols(self) -> Sequence[NextProtocol | bytes]:
return self._inner_protocols

@property
def lowest_supported_version(self) -> TLSVersion:
"""The minimum version of TLS that is allowed on TLS connections."""
def lowest_supported_version(self) -> TLSVersion | None:
"""
The minimum version of TLS that is allowed on TLS connections.
None indicates that system recommended settings will be used.
"""
return self._lowest_supported_version

@property
def highest_supported_version(self) -> TLSVersion:
"""The maximum version of TLS that will be allowed on TLS connections."""
def highest_supported_version(self) -> TLSVersion | None:
"""
The maximum version of TLS that will be allowed on TLS connections.
None indicates that system recommended settings will be used.
"""
return self._highest_supported_version

@property
Expand All @@ -269,21 +272,22 @@ class TLSServerConfiguration(Generic[_TrustStore, _Certificate, _PrivateKey]):
certificates. These certificates will be offered to the client during
the handshake if required.

:param ciphers Sequence[CipherSuite | int]:
:param ciphers Sequence[CipherSuite | int] | None:
The available ciphers for TLS connections created with this
configuration, in priority order.
configuration, in priority order. If None is provided, the backend
will choose a suitable default value (such as system recommended settings).

:param inner_protocols Sequence[NextProtocol | bytes]:
Protocols that connections created with this configuration should
advertise as supported during the TLS handshake. These may be
advertised using ALPN. This list of protocols should be ordered
by preference.

:param lowest_supported_version TLSVersion:
:param lowest_supported_version TLSVersion | None:
The minimum version of TLS that should be allowed on TLS
connections using this configuration.

:param highest_supported_version TLSVersion:
:param highest_supported_version TLSVersion | None:
The maximum version of TLS that should be allowed on TLS
connections using this configuration.

Expand Down Expand Up @@ -312,18 +316,10 @@ def __init__(
trust_store: _TrustStore | None = None,
) -> None:
"""Initialize TLS server configuration."""
if ciphers is None:
ciphers = DEFAULT_CIPHER_LIST

if inner_protocols is None:
inner_protocols = []

if lowest_supported_version is None:
lowest_supported_version = TLSVersion.TLSv1_2

if highest_supported_version is None:
highest_supported_version = TLSVersion.MAXIMUM_SUPPORTED

self._certificate_chain = certificate_chain
self._ciphers = ciphers
self._inner_protocols = inner_protocols
Expand All @@ -344,8 +340,11 @@ def certificate_chain(self) -> Sequence[SigningChain] | None:
return self._certificate_chain

@property
def ciphers(self) -> Sequence[CipherSuite | int]:
"""The list of available ciphers for TLS connections, in priority order."""
def ciphers(self) -> Sequence[CipherSuite | int] | None:
"""
The list of available ciphers for TLS connections, in priority order.
None indicates that system recommended settings will be used.
"""
return self._ciphers

@property
Expand All @@ -357,13 +356,19 @@ def inner_protocols(self) -> Sequence[NextProtocol | bytes]:
return self._inner_protocols

@property
def lowest_supported_version(self) -> TLSVersion:
"""The minimum version of TLS that is allowed on TLS connections."""
def lowest_supported_version(self) -> TLSVersion | None:
"""
The minimum version of TLS that is allowed on TLS connections.
None indicates that system recommended settings will be used.
"""
return self._lowest_supported_version

@property
def highest_supported_version(self) -> TLSVersion:
"""The maximum version of TLS that will be allowed on TLS connections."""
def highest_supported_version(self) -> TLSVersion | None:
"""
The maximum version of TLS that will be allowed on TLS connections.
None indicates that system recommended settings will be used.
"""
return self._highest_supported_version

@property
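Review bot: The `:param lowest_supported_version TLSVersion | None:` and `:param highest_supported_version TLSVersion | None:` entries in both class docstrings only gain the `| None` in the type; unlike the `ciphers` entry they never say what `None` means, even though `__init__` now stores it unchanged instead of substituting `TLSVersion.TLSv1_2` and `TLSVersion.MAXIMUM_SUPPORTED`. Suggest appending to each of the four entries: `If None is provided, the backend will choose a suitable default value (such as system recommended settings).` The new property docstrings go further and promise `None indicates that system recommended settings will be used`, which the configuration classes cannot guarantee because the backend picks the concrete value, so `None defers the choice to the backend (system recommended settings where available).` is the safer wording at all six properties. Since the property return types are now `... | None`, callers that relied on a non-None `lowest_supported_version` or `highest_supported_version` are affected, which is worth a changelog line; the `__init__` hunks start after their enclosing signatures, outside the view.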