author | Maximilian Hils <git@maximilianhils.com> | 2021-03-10 22:35:24 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-10 15:35:24 -0600 |
commit | 5dc698861c91b4aa83b284b282c0e91cdcee49a3 (patch) | |
tree | d98c73d18f263a76f0b10c7c75d1ea26d4ac858c /src | |
parent | d290855aab9f12d7cf739c63aad9ca3699d936f7 (diff) | |
Add SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version bindings (#985)
* add Context.set_*_proto_version, fix #860
* docs: add new openssl tls methods
* accept the fact that nothing can be taken for granted
* bump minimum required cryptography version to 3.3
* drop support for Python 3.5
* use binary wheels for cryptography
* Revert "use binary wheels for cryptography"
This reverts commit 91a04c612ed1d0dd9fd541dfefe21cac7c25b1c1.
* docker ci: compile cryptography with rust
Diffstat (limited to 'src')
-rw-r--r-- | src/OpenSSL/SSL.py | 60 |
1 files changed, 58 insertions, 2 deletions
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index cd1e9be..660cd9f 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -44,6 +44,14 @@ __all__ = [
     "TLSv1_METHOD",
     "TLSv1_1_METHOD",
     "TLSv1_2_METHOD",
+    "TLS_METHOD",
+    "TLS_SERVER_METHOD",
+    "TLS_CLIENT_METHOD",
+    "SSL3_VERSION",
+    "TLS1_VERSION",
+    "TLS1_1_VERSION",
+    "TLS1_2_VERSION",
+    "TLS1_3_VERSION",
     "OP_NO_SSLv2",
     "OP_NO_SSLv3",
     "OP_NO_TLSv1",
@@ -139,6 +147,24 @@ SSLv23_METHOD = 3
 TLSv1_METHOD = 4
 TLSv1_1_METHOD = 5
 TLSv1_2_METHOD = 6
+TLS_METHOD = 7
+TLS_SERVER_METHOD = 8
+TLS_CLIENT_METHOD = 9
+
+try:
+    SSL3_VERSION = _lib.SSL3_VERSION
+    TLS1_VERSION = _lib.TLS1_VERSION
+    TLS1_1_VERSION = _lib.TLS1_1_VERSION
+    TLS1_2_VERSION = _lib.TLS1_2_VERSION
+    TLS1_3_VERSION = _lib.TLS1_3_VERSION
+except AttributeError:
+    # Hardcode constants for cryptography < 3.4, see
+    # https://github.com/pyca/pyopenssl/pull/985#issuecomment-775186682
+    SSL3_VERSION = 768
+    TLS1_VERSION = 769
+    TLS1_1_VERSION = 770
+    TLS1_2_VERSION = 771
+    TLS1_3_VERSION = 772
 
 OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2
 OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
@@ -603,8 +629,9 @@ class Context(object):
     :class:`OpenSSL.SSL.Context` instances define the parameters for setting up
     new SSL connections.
 
-    :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or
-                   TLSv1_METHOD.
+    :param method: One of TLS_METHOD, TLS_CLIENT_METHOD, or TLS_SERVER_METHOD.
+                   SSLv23_METHOD, TLSv1_METHOD, etc. are deprecated and should
+                   not be used.
     """
 
     _methods = {
@@ -614,6 +641,9 @@ class Context(object):
         TLSv1_METHOD: "TLSv1_method",
         TLSv1_1_METHOD: "TLSv1_1_method",
         TLSv1_2_METHOD: "TLSv1_2_method",
+        TLS_METHOD: "TLS_method",
+        TLS_SERVER_METHOD: "TLS_server_method",
+        TLS_CLIENT_METHOD: "TLS_client_method",
     }
     _methods = dict(
         (identifier, getattr(_lib, name))
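Review bot: The fallback comment in the `@@ -139,6 +147,24 @@` hunk says only that the constants are hardcoded for older cryptography, not why hardcoding them is safe; a reader may worry the numbers could drift from the bindings. These are the protocol's own wire-format version numbers (0x0300 through 0x0304), fixed by the SSL/TLS specifications, so they cannot differ from what `_lib` would expose. I would extend the comment to `# Hardcode constants for cryptography < 3.4; these are the fixed wire-format protocol version numbers (0x0300-0x0304), so they match the bindings exactly.` Exporting `SSL3_VERSION` in `__all__` is reasonable for symmetry, though the class docstring in the `@@ -603,8 +629,9 @@` hunk could note that it exists only so callers can name a floor explicitly, not as a recommended minimum.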
@@ -661,6 +691,32 @@ class Context(object):
 
         self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)
 
+    def set_min_proto_version(self, version):
+        """
+        Set the minimum supported protocol version. Setting the minimum
+        version to 0 will enable protocol versions down to the lowest version
+        supported by the library.
+
+        If the underlying OpenSSL build is missing support for the selected
+        version, this method will raise an exception.
+        """
+        _openssl_assert(
+            _lib.SSL_CTX_set_min_proto_version(self._context, version) == 1
+        )
+
+    def set_max_proto_version(self, version):
+        """
+        Set the maximum supported protocol version. Setting the maximum
+        version to 0 will enable protocol versions up to the highest version
+        supported by the library.
+
+        If the underlying OpenSSL build is missing support for the selected
+        version, this method will raise an exception.
+        """
+        _openssl_assert(
+            _lib.SSL_CTX_set_max_proto_version(self._context, version) == 1
+        )
+
     def load_verify_locations(self, cafile, capath=None):
         """
         Let SSL know where we can find trusted certificates for the certificate
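Review bot: Neither new docstring documents the `version` parameter or names the exception, so a caller cannot tell from the API docs which values are accepted or what to catch. Both methods should carry `:param int version: One of SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, TLS1_3_VERSION, or 0.` and, since `_openssl_assert` presumably raises the module's `Error`, `:raises OpenSSL.SSL.Error: if OpenSSL rejects the version.` The `set_min_proto_version` docstring would also benefit from a sentence stating that 0 lowers the floor to whatever the linked OpenSSL build still ships, which may include SSLv3 or TLS 1.0, so callers wanting a defined baseline should pass an explicit constant such as `TLS1_2_VERSION` rather than 0. The enclosing `Context` class starts outside the hunk.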