def _server(self, sock):
"""
Create a new server-side SSL L{Connection} object wrapped around
C{sock}.
"""
# Create the server side Connection. This is mostly setup boilerplate
# - use TLSv1, use a particular certificate, etc.
server_ctx = Context(TLSv1_METHOD)
server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
server_store = server_ctx.get_cert_store()
server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
server_ctx.check_privatekey()
server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
# Here the Connection is actually created. If None is passed as the 2nd
# parameter, it indicates a memory BIO should be created.
server_conn = Connection(server_ctx, sock)
server_conn.set_accept_state()
return server_conn
python类OP_NO_SSLv2()的实例源码
def _client(self, sock):
"""
Create a new client-side SSL L{Connection} object wrapped around
C{sock}.
"""
# Now create the client side Connection. Similar boilerplate to the
# above.
client_ctx = Context(TLSv1_METHOD)
client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
client_store = client_ctx.get_cert_store()
client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem))
client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem))
client_ctx.check_privatekey()
client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
client_conn = Connection(client_ctx, sock)
client_conn.set_connect_state()
return client_conn
def __init__(self, server_address, RequestHandlerClass):
SocketServer.BaseServer.__init__(
self, server_address, RequestHandlerClass
)
# Same as normal, but make it secure:
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2)
dir = os.curdir
ctx.use_privatekey_file(os.path.join(dir, 'server.pkey'))
ctx.use_certificate_file(os.path.join(dir, 'server.cert'))
self.socket = SSLWrapper(
SSL.Connection(
ctx, socket.socket(self.address_family, self.socket_type)
)
)
self.server_bind()
self.server_activate()
def _server(self, sock):
"""
Create a new server-side SSL `Connection` object wrapped around `sock`.
"""
# Create the server side Connection. This is mostly setup boilerplate
# - use TLSv1, use a particular certificate, etc.
server_ctx = Context(TLSv1_METHOD)
server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)
server_ctx.set_verify(
VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,
verify_cb
)
server_store = server_ctx.get_cert_store()
server_ctx.use_privatekey(
load_privatekey(FILETYPE_PEM, server_key_pem))
server_ctx.use_certificate(
load_certificate(FILETYPE_PEM, server_cert_pem))
server_ctx.check_privatekey()
server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
# Here the Connection is actually created. If None is passed as the
# 2nd parameter, it indicates a memory BIO should be created.
server_conn = Connection(server_ctx, sock)
server_conn.set_accept_state()
return server_conn
def _client(self, sock):
"""
Create a new client-side SSL `Connection` object wrapped around `sock`.
"""
# Now create the client side Connection. Similar boilerplate to the
# above.
client_ctx = Context(TLSv1_METHOD)
client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)
client_ctx.set_verify(
VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,
verify_cb
)
client_store = client_ctx.get_cert_store()
client_ctx.use_privatekey(
load_privatekey(FILETYPE_PEM, client_key_pem))
client_ctx.use_certificate(
load_certificate(FILETYPE_PEM, client_cert_pem))
client_ctx.check_privatekey()
client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
client_conn = Connection(client_ctx, sock)
client_conn.set_connect_state()
return client_conn
def _server(self, sock):
"""
Create a new server-side SSL L{Connection} object wrapped around
C{sock}.
"""
# Create the server side Connection. This is mostly setup boilerplate
# - use TLSv1, use a particular certificate, etc.
server_ctx = Context(TLSv1_METHOD)
server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
server_store = server_ctx.get_cert_store()
server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
server_ctx.check_privatekey()
server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
# Here the Connection is actually created. If None is passed as the 2nd
# parameter, it indicates a memory BIO should be created.
server_conn = Connection(server_ctx, sock)
server_conn.set_accept_state()
return server_conn
def _client(self, sock):
"""
Create a new client-side SSL L{Connection} object wrapped around
C{sock}.
"""
# Now create the client side Connection. Similar boilerplate to the
# above.
client_ctx = Context(TLSv1_METHOD)
client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
client_store = client_ctx.get_cert_store()
client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem))
client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem))
client_ctx.check_privatekey()
client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
client_conn = Connection(client_ctx, sock)
client_conn.set_connect_state()
return client_conn
def _server(self, sock):
"""
Create a new server-side SSL :py:obj:`Connection` object wrapped around
:py:obj:`sock`.
"""
# Create the server side Connection. This is mostly setup boilerplate
# - use TLSv1, use a particular certificate, etc.
server_ctx = Context(TLSv1_METHOD)
server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
server_store = server_ctx.get_cert_store()
server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
server_ctx.check_privatekey()
server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
# Here the Connection is actually created. If None is passed as the 2nd
# parameter, it indicates a memory BIO should be created.
server_conn = Connection(server_ctx, sock)
server_conn.set_accept_state()
return server_conn
def _client(self, sock):
"""
Create a new client-side SSL :py:obj:`Connection` object wrapped around
:py:obj:`sock`.
"""
# Now create the client side Connection. Similar boilerplate to the
# above.
client_ctx = Context(TLSv1_METHOD)
client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
client_store = client_ctx.get_cert_store()
client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem))
client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem))
client_ctx.check_privatekey()
client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
client_conn = Connection(client_ctx, sock)
client_conn.set_connect_state()
return client_conn
def test_tlsProtocolsreduceToMaxWithoutMin(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{lowerMaximumSecurityTo} but no C{raiseMinimumTo} or
C{insecurelyLowerMinimumTo} set, and C{lowerMaximumSecurityTo} is
below the minimum default, the minimum will be made the new maximum.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
lowerMaximumSecurityTo=sslverify.TLSVersion.SSLv3,
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_TLSv1 |
SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3)
self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsSSLv3Only(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to
SSLv3, it will exclude all others.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
insecurelyLowerMinimumTo=sslverify.TLSVersion.SSLv3,
lowerMaximumSecurityTo=sslverify.TLSVersion.SSLv3,
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_TLSv1 |
SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3)
self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsTLSv1Point0Only(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.0,
it will exclude all others.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_0,
lowerMaximumSecurityTo=sslverify.TLSVersion.TLSv1_0,
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 |
SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3)
self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsTLSv1Point1Only(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.1,
it will exclude all others.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_1,
lowerMaximumSecurityTo=sslverify.TLSVersion.TLSv1_1,
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 |
SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3)
self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsAllModernTLS(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{insecurelyLowerMinimumTo} set to TLSv1.0 and
C{lowerMaximumSecurityTo} to TLSv1.2, it will exclude both SSLs and
the (unreleased) TLSv1.3.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_0,
lowerMaximumSecurityTo=sslverify.TLSVersion.TLSv1_2,
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 |
opts._OP_NO_TLSv1_3)
self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsAtLeastAllSecureTLS(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{raiseMinimumTo} set to TLSv1.2, it will ignore all TLSs below
1.2 and SSL.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
raiseMinimumTo=sslverify.TLSVersion.TLSv1_2
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 |
SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1)
self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsAtLeastWillAcceptHigherDefault(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{raiseMinimumTo} set to a value lower than Twisted's default will
cause it to use the more secure default.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
raiseMinimumTo=sslverify.TLSVersion.SSLv3
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
# Future maintainer warning: this will break if we change our default
# up, so you should change it to add the relevant OP_NO flags when we
# do make that change and this test fails.
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3)
self.assertEqual(options, ctx._options & options)
self.assertEqual(opts._defaultMinimumTLSVersion,
sslverify.TLSVersion.TLSv1_0)
def test_tlsProtocolsAllSecureTLS(self):
"""
When calling L{sslverify.OpenSSLCertificateOptions} with
C{insecurelyLowerMinimumTo} set to TLSv1.2, it will ignore all TLSs below
1.2 and SSL.
"""
opts = sslverify.OpenSSLCertificateOptions(
privateKey=self.sKey,
certificate=self.sCert,
insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_2
)
opts._contextFactory = FakeContext
ctx = opts.getContext()
options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 |
SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1)
self.assertEqual(options, ctx._options & options)
def _server(self, sock):
"""
Create a new server-side SSL :py:obj:`Connection` object wrapped around
:py:obj:`sock`.
"""
# Create the server side Connection. This is mostly setup boilerplate
# - use TLSv1, use a particular certificate, etc.
server_ctx = Context(TLSv1_METHOD)
server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
server_store = server_ctx.get_cert_store()
server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
server_ctx.check_privatekey()
server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
# Here the Connection is actually created. If None is passed as the 2nd
# parameter, it indicates a memory BIO should be created.
server_conn = Connection(server_ctx, sock)
server_conn.set_accept_state()
return server_conn
def _client(self, sock):
"""
Create a new client-side SSL :py:obj:`Connection` object wrapped around
:py:obj:`sock`.
"""
# Now create the client side Connection. Similar boilerplate to the
# above.
client_ctx = Context(TLSv1_METHOD)
client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
client_store = client_ctx.get_cert_store()
client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem))
client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem))
client_ctx.check_privatekey()
client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
client_conn = Connection(client_ctx, sock)
client_conn.set_connect_state()
return client_conn
def _server(self, sock):
"""
Create a new server-side SSL L{Connection} object wrapped around
C{sock}.
"""
# Create the server side Connection. This is mostly setup boilerplate
# - use TLSv1, use a particular certificate, etc.
server_ctx = Context(TLSv1_METHOD)
server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
server_store = server_ctx.get_cert_store()
server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
server_ctx.check_privatekey()
server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
# Here the Connection is actually created. If None is passed as the 2nd
# parameter, it indicates a memory BIO should be created.
server_conn = Connection(server_ctx, sock)
server_conn.set_accept_state()
return server_conn
def get_context(self):
c = super(SecuredSSLServer, self).get_context()
c.set_options(SSL.OP_NO_SSLv2)
c.set_options(SSL.OP_NO_SSLv3)
c.set_options(SSL.OP_NO_TLSv1)
c.set_options(SSL.OP_NO_TLSv1_1)
return c
# Create our own sub-class of Bottle's ServerAdapter
# so that we can specify SSL. Using just server='cherrypy'
# uses the default cherrypy server, which doesn't use SSL
def test_set_options(self):
"""
`Context.set_options` returns the new options value.
"""
context = Context(TLSv1_METHOD)
options = context.set_options(OP_NO_SSLv2)
assert options & OP_NO_SSLv2 == OP_NO_SSLv2
def test_set_options_long(self):
"""
On Python 2 `Context.set_options` accepts values of type
`long` as well as `int`.
"""
context = Context(TLSv1_METHOD)
options = context.set_options(long(OP_NO_SSLv2))
assert options & OP_NO_SSLv2 == OP_NO_SSLv2
def create_basic_sslcontext():
ssl_ctx = SSL.Context(SSL.SSLv23_METHOD)
ssl_ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_CIPHER_SERVER_PREFERENCE)
ssl_ctx.set_cipher_list(":".join(_SUPPROT_CIPHERS_SUITES))
# NOTE: cipher suite related to ECDHE will need this
ssl_ctx.set_tmp_ecdh(crypto.get_elliptic_curve('prime256v1'))
return ssl_ctx
def test_set_options(self):
"""
:py:obj:`Context.set_options` returns the new options value.
"""
context = Context(TLSv1_METHOD)
options = context.set_options(OP_NO_SSLv2)
self.assertTrue(OP_NO_SSLv2 & options)
def test_set_options_long(self):
"""
On Python 2 :py:obj:`Context.set_options` accepts values of type
:py:obj:`long` as well as :py:obj:`int`.
"""
context = Context(TLSv1_METHOD)
options = context.set_options(long(OP_NO_SSLv2))
self.assertTrue(OP_NO_SSLv2 & options)
def test_ssl_options(self):
from OpenSSL import SSL
from OpenSSL._util import lib
from pyftpdlib.handlers import TLS_FTPHandler
try:
TLS_FTPHandler.ssl_context = None
ctx = TLS_FTPHandler.get_ssl_context()
# Verify default opts.
with contextlib.closing(socket.socket()) as s:
s = SSL.Connection(ctx, s)
opts = lib.SSL_CTX_get_options(ctx._context)
self.assertTrue(opts & SSL.OP_NO_SSLv2)
self.assertTrue(opts & SSL.OP_NO_SSLv3)
self.assertTrue(opts & SSL.OP_NO_COMPRESSION)
TLS_FTPHandler.ssl_context = None # reset
# Make sure that if ssl_options is None no options are set
# (except OP_NO_SSLv2 whch is enabled by default unless
# ssl_proto is set to SSL.SSLv23_METHOD).
TLS_FTPHandler.ssl_context = None
TLS_FTPHandler.ssl_options = None
ctx = TLS_FTPHandler.get_ssl_context()
with contextlib.closing(socket.socket()) as s:
s = SSL.Connection(ctx, s)
opts = lib.SSL_CTX_get_options(ctx._context)
self.assertTrue(opts & SSL.OP_NO_SSLv2)
# self.assertFalse(opts & SSL.OP_NO_SSLv3)
self.assertFalse(opts & SSL.OP_NO_COMPRESSION)
finally:
TLS_FTPHandler.ssl_context = None
def __init__(self, addr, port, key, cert, request_handler_class):
self._addr = addr
self._port = port
self._key = key
self._cert = cert
self._handler = request_handler_class
SocketServer.BaseServer.__init__(self, (addr, port), request_handler_class)
ctx = SSL.Context(SSL.SSLv23_METHOD)
#ctx = SSL.Context(SSL.TLSv1_2_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2)
ctx.use_privatekey_file(key)
ctx.use_certificate_file(cert)
def cb_ALPN(conn, protos):
print "ALPN CALLBACK"
return b'h2'
ctx.set_alpn_select_callback(cb_ALPN)
def cb_NPN(conn, protos):
print "NPN CALLBACK"
return b'h2'
ctx.set_npn_select_callback(cb_NPN)
#Must be .socket
self.socket = SSLWrapper(SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type)))
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.server_bind()
self.server_activate()
def fromOpenSSLCipherString(cls, cipherString):
"""
Create a new instance using an OpenSSL cipher string.
@param cipherString: An OpenSSL cipher string that describes what
cipher suites are acceptable.
See the documentation of U{OpenSSL
<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>} or
U{Apache
<http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite>}
for details.
@type cipherString: L{unicode}
@return: Instance representing C{cipherString}.
@rtype: L{twisted.internet.ssl.AcceptableCiphers}
"""
return cls(_expandCipherString(
nativeString(cipherString),
SSL.SSLv23_METHOD, SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
)
# A secure default.
# Sources for more information on TLS ciphers:
#
# - https://wiki.mozilla.org/Security/Server_Side_TLS
# - https://www.ssllabs.com/projects/best-practices/index.html
# - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#
# The general intent is:
# - Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE),
# - prefer ECDHE over DHE for better performance,
# - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and
# security,
# - prefer AES-GCM to ChaCha20 because AES hardware support is common,
# - disable NULL authentication, MD5 MACs and DSS for security reasons.
#
def cacheContext(self):
if self._context is None:
ctx = self._contextFactory(self.sslmethod)
# Disallow SSLv2! It's insecure! SSLv3 has been around since
# 1996. It's time to move on.
ctx.set_options(SSL.OP_NO_SSLv2)
ctx.use_certificate_file(self.certificateFileName)
ctx.use_privatekey_file(self.privateKeyFileName)
self._context = ctx
