Package tlslite :: Module handshakesettings
[hide private]
[frames] | no frames]

Source Code for Module tlslite.handshakesettings

  1  # Author: Trevor Perrin 
  2  # See the LICENSE file for legal information regarding use of this file. 
  3   
  4  """Class for setting handshake parameters.""" 
  5   
  6  from .constants import CertificateType 
  7  from .utils import cryptomath 
  8  from .utils import cipherfactory 
  9   
10 -class HandshakeSettings:
11 """This class encapsulates various parameters that can be used with 12 a TLS handshake. 13 @sort: minKeySize, maxKeySize, cipherNames, certificateTypes, 14 minVersion, maxVersion 15 16 @type minKeySize: int 17 @ivar minKeySize: The minimum bit length for asymmetric keys. 18 19 If the other party tries to use SRP, RSA, or Diffie-Hellman 20 parameters smaller than this length, an alert will be 21 signalled. The default is 1023. 22 23 @type maxKeySize: int 24 @ivar maxKeySize: The maximum bit length for asymmetric keys. 25 26 If the other party tries to use SRP, RSA, or Diffie-Hellman 27 parameters larger than this length, an alert will be signalled. 28 The default is 8193. 29 30 @type cipherNames: list 31 @ivar cipherNames: The allowed ciphers, in order of preference. 32 33 The allowed values in this list are 'aes256', 'aes128', '3des', and 34 'rc4'. If these settings are used with a client handshake, they 35 determine the order of the ciphersuites offered in the ClientHello 36 message. 37 38 If these settings are used with a server handshake, the server will 39 choose whichever ciphersuite matches the earliest entry in this 40 list. 41 42 NOTE: If '3des' is used in this list, but TLS Lite can't find an 43 add-on library that supports 3DES, then '3des' will be silently 44 removed. 45 46 The default value is ['aes256', 'aes128', '3des', 'rc4']. 47 48 @type certificateTypes: list 49 @ivar certificateTypes: The allowed certificate types, in order of 50 preference. 51 52 The allowed values in this list are 'x509'. This 53 list is only used with a client handshake. The client will 54 advertise to the server which certificate types are supported, and 55 will check that the server uses one of the appropriate types. 56 57 @type minVersion: tuple 58 @ivar minVersion: The minimum allowed SSL/TLS version. 59 60 This variable can be set to (3,0) for SSL 3.0, (3,1) for 61 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to 62 use a lower version, a protocol_version alert will be signalled. 63 The default is (3,0). 64 65 @type maxVersion: tuple 66 @ivar maxVersion: The maximum allowed SSL/TLS version. 67 68 This variable can be set to (3,0) for SSL 3.0, (3,1) for 69 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to 70 use a higher version, a protocol_version alert will be signalled. 71 The default is (3,2). (WARNING: Some servers may (improperly) 72 reject clients which offer support for TLS 1.1. In this case, 73 try lowering maxVersion to (3,1)). 74 75 @type useExperimentalTackExtension: bool 76 @ivar useExperimentalTackExtension: Whether to enabled TACK support. 77 78 Note that TACK support is not standardized by IETF and uses a temporary 79 TLS Extension number, so should NOT be used in production software. 80 """
81 - def __init__(self):
82 self.minKeySize = 1023 83 self.maxKeySize = 8193 84 self.cipherNames = ["aes256", "aes128", "3des", "rc4"] 85 self.cipherImplementations = ["openssl", "pycrypto","python"] 86 self.certificateTypes = ["x509"] 87 self.minVersion = (3,0) 88 self.maxVersion = (3,2) 89 self.useExperimentalTackExtension = False
90 91 # Validates the min/max fields, and certificateTypes 92 # Filters out unsupported cipherNames and cipherImplementations
93 - def _filter(self):
94 other = HandshakeSettings() 95 other.minKeySize = self.minKeySize 96 other.maxKeySize = self.maxKeySize 97 other.cipherNames = self.cipherNames 98 other.cipherImplementations = self.cipherImplementations 99 other.certificateTypes = self.certificateTypes 100 other.minVersion = self.minVersion 101 other.maxVersion = self.maxVersion 102 103 if not cipherfactory.tripleDESPresent: 104 other.cipherNames = [e for e in self.cipherNames if e != "3des"] 105 if len(other.cipherNames)==0: 106 raise ValueError("No supported ciphers") 107 if len(other.certificateTypes)==0: 108 raise ValueError("No supported certificate types") 109 110 if not cryptomath.m2cryptoLoaded: 111 other.cipherImplementations = [e for e in \ 112 other.cipherImplementations if e != "openssl"] 113 if not cryptomath.pycryptoLoaded: 114 other.cipherImplementations = [e for e in \ 115 other.cipherImplementations if e != "pycrypto"] 116 if len(other.cipherImplementations)==0: 117 raise ValueError("No supported cipher implementations") 118 119 if other.minKeySize<512: 120 raise ValueError("minKeySize too small") 121 if other.minKeySize>16384: 122 raise ValueError("minKeySize too large") 123 if other.maxKeySize<512: 124 raise ValueError("maxKeySize too small") 125 if other.maxKeySize>16384: 126 raise ValueError("maxKeySize too large") 127 for s in other.cipherNames: 128 if s not in ("aes256", "aes128", "rc4", "3des"): 129 raise ValueError("Unknown cipher name: '%s'" % s) 130 for s in other.cipherImplementations: 131 if s not in ("openssl", "python", "pycrypto"): 132 raise ValueError("Unknown cipher implementation: '%s'" % s) 133 for s in other.certificateTypes: 134 if s not in ("x509"): 135 raise ValueError("Unknown certificate type: '%s'" % s) 136 137 if other.minVersion > other.maxVersion: 138 raise ValueError("Versions set incorrectly") 139 140 if not other.minVersion in ((3,0), (3,1), (3,2)): 141 raise ValueError("minVersion set incorrectly") 142 143 if not other.maxVersion in ((3,0), (3,1), (3,2)): 144 raise ValueError("maxVersion set incorrectly") 145 146 return other
147
148 - def _getCertificateTypes(self):
149 l = [] 150 for ct in self.certificateTypes: 151 if ct == "x509": 152 l.append(CertificateType.x509) 153 else: 154 raise AssertionError() 155 return l
156