Support tls1.3 as default for tls server

Author: mosquito

aiomisc/service/tls.py

@@ -25,6 +25,16 @@ class SSLOptionsBase:
     verify: bool
     require_client_cert: bool
     purpose: ssl.Purpose
+    minimum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_3
+    maximum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_3
+    ciphers: Tuple[str, ...] = (
+        "ECDHE-RSA-AES256-GCM-SHA384",
+        "ECDHE-ECDSA-AES256-GCM-SHA384",
+        "ECDHE-RSA-CHACHA20-POLY1305",
+        "ECDHE-ECDSA-CHACHA20-POLY1305",
+        "ECDHE-RSA-AES128-GCM-SHA256",
+        "ECDHE-ECDSA-AES128-GCM-SHA256",
+    )
 
 
 class SSLOptions(SSLOptionsBase):
@@ -44,21 +54,41 @@ def __init__(
 
     def create_context(self) -> ssl.SSLContext:
         context = ssl.create_default_context(
-            purpose=self.purpose, cafile=self.ca,
+            purpose=self.purpose,
         )
 
-        if self.ca and not self.ca.exists():
-            raise FileNotFoundError("CA file doesn't exists")
+        # Disable compression to prevent CRIME attacks
+        context.options |= ssl.OP_NO_COMPRESSION
+
+        context.maximum_version = self.maximum_version
+        context.minimum_version = self.minimum_version
+        context.set_ciphers(":".join(self.ciphers))
+
+        if not self.verify:
+            context.check_hostname = False
+
+        if self.ca:
+            log.debug("Loading CA from %s", self.ca)
+            if not self.ca.exists():
+                raise FileNotFoundError(
+                    "CA file doesn't exists", str(self.ca.resolve()),
+                )
+            context.load_verify_locations(cafile=str(self.ca))
 
         if self.require_client_cert:
+            log.debug("Set server-side cert verification")
             context.verify_mode = ssl.VerifyMode.CERT_REQUIRED
+            # Post-handshake authentication is required
+            context.post_handshake_auth = True
+        else:
+            # Disable server-side cert verification
+            context.check_hostname = False
+            context.verify_mode = ssl.VerifyMode.CERT_NONE
 
+        # Load server-side cert and key
         if self.key and self.cert:
             context.load_cert_chain(self.cert, self.key)
 
-        if not self.verify:
-            context.check_hostname = False
-
         return context
 
 

poetry.toml

@@ -65,17 +65,16 @@ def ssl_client_context(certs):
     key = str(certs / "client.key")
     cert = str(certs / "client.pem")
 
-    context = ssl.create_default_context(
-        ssl.Purpose.SERVER_AUTH, capath=ca,
-    )
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, capath=ca)
 
     if key:
         context.load_cert_chain(
             cert,
             key,
         )
 
+    context.load_verify_locations(cafile=ca)
     context.check_hostname = False
-    context.verify_mode = ssl.CERT_NONE
+    context.verify_mode = ssl.VerifyMode.CERT_NONE
 
     return context

tests/conftest.py

@@ -17,6 +17,7 @@
 import pytest
 
 import aiomisc
+from aiomisc import timeout
 from aiomisc.entrypoint import Entrypoint, entrypoint
 from aiomisc.service import TCPServer, TLSServer, UDPServer
 from aiomisc.service.aiohttp import AIOHTTPService
@@ -301,18 +302,22 @@ async def go():
 def test_tls_server(
     client_cert_required, certs, ssl_client_context, localhost,
 ):
-    event = asyncio.Event()
-
     class TestService(TLSServer):
         DATA = []
+        event: asyncio.Event
+
+        async def start(self):
+            await super().start()
+            self.event = asyncio.Event()
 
         async def handle_client(
             self, reader: asyncio.StreamReader,
             writer: asyncio.StreamWriter,
         ):
+            print("handle_client")
             self.DATA.append(await reader.readline())
             writer.close()
-            event.set()
+            self.event.set()
 
     service = TestService(
         address="127.0.0.1", port=0,
@@ -336,14 +341,17 @@ def writer(port):
             )
 
             ssock.connect(("127.0.0.1", port))
-            ssock.send(b"hello server\n")
+            count_bytes = ssock.send(b"hello server\n")
+            assert count_bytes == len(b"hello server\n")
+
+    @timeout(999)
+    async def go():
+        await asyncio.wait_for(writer(service.port), timeout=10)
+        await service.event.wait()
 
     with aiomisc.entrypoint(service) as loop:
         assert service.address == localhost
-        loop.run_until_complete(
-            asyncio.wait_for(writer(service.port), timeout=10),
-        )
-        loop.run_until_complete(event.wait())
+        loop.run_until_complete(go())
 
     assert TestService.DATA
     assert TestService.DATA == [b"hello server\n"]