FFI interface to SSL_set_min_proto_version etc #5379
Comments
While I'm on the subject, would it also be possible to add support for the
(see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_new.html) They are the same as
I would like to second the update of the pyca-cryptography interface to provide the interfaces recommended by @richvdh . I would like to specifically note that
Adding these bindings is fine, but there are a few steps:
The latter is a requirement because maintaining an arbitrarily large set of bindings without knowing consumers turns out to be prohibitively difficult. We've recently stripped numerous methods due to the maintenance burden so we need to have a consumer in our downstream test suite.
@reaperhulk thanks for the information, I already have some stuff in the works, so I'll look into the issues you've raised.
@reaperhulk regarding
There are two things at play here:
@reaperhulk duly noted, thanks for the update. I'm hoping to have something for you guys in the next day or so. This is fairly straightforward since (as noted) SSLv23_method and TLS_method are defined by a macro to be equivalent.
Edit: looks like it didn't handle correctly on OpenSSL 1.0.2 for some reason, have to check my local environment. @reaperhulk I've put #5428 in to address the TLS_method related issues. It looks like some of the tests are failing, as you indicated earlier. I'm hoping this tiny PR will help me figure out the odds and ends of doing a PR for this project. Subsequent to this PR getting through (it's a simple method exposure) I plan on examining what to do about
These functions require a peek at the compiler options, since there isn't a convenient way to handle them for OpenSSL 1.0.2 (will need to do something similar to how SSLv3_method is handled)
8bc6920 dropped support for 1.0.2, so implementing this should be more straightforward now. :)
From pyca#5379 : Added bindings for SSL session and context interfaces to SET min and max protocol versions (added in OpenSSL 1.1.0). Added bindings for SSL session and context interfaces to GET min and max protocol versions (added in OpenSSL 1.1.1). Added conditional build variables to allow compilation on systems not offering these interfaces via the compiled library.
From pyca#5379 : Added bindings for SSL / CTX interfaces to SET min and max protocol versions (added in OpenSSL 1.1.0). Added bindings for SSL / CTX interfaces to GET min and max protocol versions (added in OpenSSL 1.1.1). Added conditional build variables to allow compilation on systems not offering these interfaces via the compiled library.
From pyca#5379 : Added bindings for SSL / CTX interfaces to SET min and max protocol versions (added in OpenSSL 1.1.0). Added bindings for SSL / CTX interfaces to GET min and max protocol versions (added in OpenSSL 1.1.1). Added conditional build variables to allow compilation on systems not offering these interfaces via the compiled library. Merge branch 'Min_Proto_Bindings' of github.com:th3b0x/cryptography into th3b0x-TLS_method-patch
OpenSSL 1.1.0 added a number of new functions for controlling the acceptable TLS protocol versions:
Additionally, OpenSSL 1.1.1 added getters for the same information:
See https://www.openssl.org/docs/man1.1.1/man3/SSL_set_max_proto_version.html for more details of these functions.
The intention, as documented at https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_new.html, is that these functions should be used instead of SSL_CTX_set_options and SSL_set_options for this purpose.
Anyway: it appears that these functions are not exposed via the cryptography.hazmat.bindings.openssl.binding.Binding.lib FFI interface. Could they be added?
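As an added example, not part of this issue or of pyca/cryptography's own code, the following shows the recommended min/max protocol-version approach from the application side. It uses the standard library `ssl` module, whose `SSLContext.minimum_version` and `maximum_version` properties are CPython's wrappers around the same `SSL_CTX_set_min_proto_version` / `SSL_CTX_set_max_proto_version` calls (and the 1.1.1 getters) this issue asks to have bound; the function names and the floor-check helper are this example's own, and the `TLS1_x_VERSION` constants are copied from OpenSSL's `<openssl/tls1.h>` wire values.

```python
import ssl

# OpenSSL's TLS1_x_VERSION constants (from <openssl/tls1.h>). The stdlib
# ssl.TLSVersion IntEnum uses the same wire values, so a version read back
# from a context can be compared directly with them.
TLS1_2_VERSION = 0x0303
TLS1_3_VERSION = 0x0304


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2,
                        max_version=ssl.TLSVersion.TLSv1_3):
    """Build a client context bounded with the *_proto_version setters.

    Setting minimum_version/maximum_version is the replacement for the
    deprecated OP_NO_TLSv1 / OP_NO_TLSv1_1 ... option bits: one floor and one
    ceiling instead of a bitmask that has to be kept in sync per version.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    return ctx


def make_unbounded_context():
    """Example of the weak configuration: no floor, no ceiling.

    MINIMUM_SUPPORTED/MAXIMUM_SUPPORTED map to OpenSSL's 0, meaning
    "whatever the library supports", which is what an unconfigured
    SSL_CTX reports from SSL_CTX_get_min_proto_version.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def version_bounds(ctx):
    """Read the bounds back via the getters, as (min, max) wire values."""
    return (int(ctx.minimum_version), int(ctx.maximum_version))


def enforces_floor(ctx, floor=TLS1_2_VERSION):
    """True if the context refuses every protocol version below `floor`.

    A context whose minimum is MINIMUM_SUPPORTED has no floor at all, so it
    is reported as non-compliant rather than compared numerically (the enum
    value is negative and would compare as "below" anything anyway).
    """
    lo = ctx.minimum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return False
    return int(lo) >= floor


if __name__ == "__main__":
    strict = make_client_context()
    weak = make_unbounded_context()
    print("strict bounds:", tuple(hex(v) for v in version_bounds(strict)),
          "floor ok:", enforces_floor(strict))
    print("weak bounds:", version_bounds(weak),
          "floor ok:", enforces_floor(weak))
```

Reading the bounds back through the getters, rather than trusting the value that was set, is the useful part for a configuration audit: it reflects what the library will actually negotiate after any build-time or security-level constraints are applied.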