Package tlslite :: Module handshakesettings :: Class HandshakeSettings

type HandshakeSettings

This class encapsulates various parameters that can be used with a TLS handshake.

Instance Methods
 
__init__(self)
 
getCertificateTypes(self)
Get list of certificate types as IDs
HandshakeSettings
validate(self)
Validate the settings, filter out unsupported ciphersuites and return a copy of object.
Static Methods
 
_sanityCheckExtensions(other)
Check if set extension settings are sane
 
_sanityCheckKeySizes(other)
Check if key size limits are sane
 
_sanityCheckPrimitivesNames(other)
Check if specified cryptographic primitive names are known
 
_sanityCheckProtocolVersions(other)
Check if the set protocol versions are sane
Instance Variables
int minKeySize
The minimum bit length for asymmetric keys.
int maxKeySize
The maximum bit length for asymmetric keys.
list cipherNames
The allowed ciphers.
list macNames
The allowed MAC algorithms.
list certificateTypes
The allowed certificate types.
tuple minVersion
The minimum allowed SSL/TLS version.
tuple maxVersion
The maximum allowed SSL/TLS version.
list eccCurves
List of named curves that are to be supported
bool requireExtendedMasterSecret
Whether to require negotiation of extended master secret calculation for successful connection.
list rsaSigHashes
List of hashes supported (and advertised as such) for TLS 1.2 signatures over Server Key Exchange or Certificate Verify with RSA signature algorithm.
bool sendFallbackSCSV
Whether to, as a client, send FALLBACK_SCSV.
bool useEncryptThenMAC
Whether to support the encrypt then MAC extension from RFC 7366.
bool useExperimentalTackExtension
Whether to enable TACK support.
bool useExtendedMasterSecret
Whether to support the extended master secret calculation from RFC 7627.
Method Details

__init__(self)
(Constructor)

Overrides: object.__init__
(inherited documentation)

validate(self)

Validate the settings, filter out unsupported ciphersuites and return a copy of object. Does not modify the original object.

Returns: HandshakeSettings
a self-consistent copy of settings
Raises:
  • ValueError - when settings are invalid, insecure or unsupported.

Instance Variable Details

minKeySize

The minimum bit length for asymmetric keys.

If the other party tries to use SRP, RSA, or Diffie-Hellman parameters smaller than this length, an alert will be signalled. The default is 1023.

Type:
int

maxKeySize

The maximum bit length for asymmetric keys.

If the other party tries to use SRP, RSA, or Diffie-Hellman parameters larger than this length, an alert will be signalled. The default is 8193.

Type:
int

cipherNames

The allowed ciphers.

The allowed values in this list are 'aes256', 'aes128', '3des', and 'rc4'. If these settings are used with a client handshake, they determine the order of the ciphersuites offered in the ClientHello message.

If these settings are used with a server handshake, the server will choose whichever ciphersuite matches the earliest entry in this list.

NOTE: If '3des' is used in this list, but TLS Lite can't find an add-on library that supports 3DES, then '3des' will be silently removed.

The default value is ['rc4', 'aes256', 'aes128', '3des'].

Type:
list

macNames

The allowed MAC algorithms.

The allowed values in this list are 'sha' and 'md5'.

The default value is ['sha'].

Type:
list

certificateTypes

The allowed certificate types.

The only allowed certificate type is 'x509'. This list is only used with a client handshake. The client will advertise to the server which certificate types are supported, and will check that the server uses one of the appropriate types.

Type:
list

minVersion

The minimum allowed SSL/TLS version.

This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for TLS 1.1, or (3,3) for TLS 1.2. If the other party wishes to use a lower version, a protocol_version alert will be signalled. The default is (3,1).

Type:
tuple

maxVersion

The maximum allowed SSL/TLS version.

This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for TLS 1.1, or (3,3) for TLS 1.2. If the other party wishes to use a higher version, a protocol_version alert will be signalled. The default is (3,3). (WARNING: Some servers may (improperly) reject clients which offer support for TLS 1.1. In this case, try lowering maxVersion to (3,1)).

Type:
tuple

requireExtendedMasterSecret

Whether to require negotiation of extended master secret calculation for successful connection. Requires useExtendedMasterSecret to be set to true. False by default.

Type:
bool

rsaSigHashes

List of hashes supported (and advertised as such) for TLS 1.2 signatures over Server Key Exchange or Certificate Verify with RSA signature algorithm.

The list is sorted from most wanted to least wanted algorithm.

The allowed hashes are: "md5", "sha1", "sha224", "sha256", "sha384" and "sha512". The default list does not include md5.

Type:
list

useEncryptThenMAC

Whether to support the encrypt then MAC extension from RFC 7366. True by default.

Type:
bool

useExperimentalTackExtension

Whether to enable TACK support.

Note that TACK support is not standardized by IETF and uses a temporary TLS Extension number, so should NOT be used in production software.

Type:
bool

useExtendedMasterSecret

Whether to support the extended master secret calculation from RFC 7627. True by default.

Type:
bool
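
An added example, not part of tlslite or of this documentation: a policy audit over the attributes documented above, run against a stand-in object that carries the defaults listed on this page. The function names, the policy thresholds and the sample rsaSigHashes list are assumptions of the example; it reads attributes only, so it applies to any object exposing the names above.

```python
from types import SimpleNamespace

# Policy thresholds are assumptions of this example, not values taken from tlslite.
WEAK_CIPHERS = {"rc4", "3des"}
WEAK_MACS = {"md5"}
WEAK_SIG_HASHES = {"md5", "sha1"}
POLICY_MIN_KEY_BITS = 2048
POLICY_MIN_VERSION = (3, 3)  # TLS 1.2


def audit_settings(s):
    """Return (attribute, problem) pairs for a HandshakeSettings-like object."""
    found = []
    # Consistency rules stated in the documentation above.
    if s.minVersion > s.maxVersion:
        found.append(("minVersion", "higher than maxVersion"))
    if s.minKeySize > s.maxKeySize:
        found.append(("minKeySize", "larger than maxKeySize"))
    if s.requireExtendedMasterSecret and not s.useExtendedMasterSecret:
        found.append(("requireExtendedMasterSecret", "needs useExtendedMasterSecret"))
    # Policy rules, using the assumed thresholds defined at the top.
    if s.minVersion < POLICY_MIN_VERSION:
        found.append(("minVersion", "permits a protocol older than TLS 1.2"))
    if s.minKeySize < POLICY_MIN_KEY_BITS:
        found.append(("minKeySize", "accepts keys under %d bits" % POLICY_MIN_KEY_BITS))
    for attr, weak in (("cipherNames", WEAK_CIPHERS), ("macNames", WEAK_MACS),
                       ("rsaSigHashes", WEAK_SIG_HASHES)):
        for name in getattr(s, attr):
            if name in weak:
                found.append((attr, "allows %r" % name))
    if not s.useEncryptThenMAC:
        found.append(("useEncryptThenMAC", "RFC 7366 extension disabled"))
    return found


def make_settings(**overrides):
    """Stand-in with the defaults listed on this page (rsaSigHashes is constructed)."""
    values = dict(minKeySize=1023, maxKeySize=8193, minVersion=(3, 1), maxVersion=(3, 3),
                  cipherNames=["rc4", "aes256", "aes128", "3des"], macNames=["sha"],
                  rsaSigHashes=["sha512", "sha384", "sha256", "sha224", "sha1"],
                  requireExtendedMasterSecret=False, useExtendedMasterSecret=True,
                  useEncryptThenMAC=True)
    values.update(overrides)
    return SimpleNamespace(**values)


if __name__ == "__main__":
    for attr, problem in audit_settings(make_settings()):
        print("%-28s %s" % (attr, problem))
```

This audit is a separate policy layer: validate() rejects settings the library considers invalid, while the documented defaults still pass it with 'rc4' listed first and a 1023-bit key floor.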