Fix Cypher Order, Extension Order and Groups Order gone wrong

.gitignore

@@ -9,4 +9,5 @@ coverage.xml
 pylint_report.txt
 build/
 docs/_build/
-htmlcov/
+htmlcov/
+.claude/

README

@@ -42,6 +42,8 @@ Functionality implemented include:
  - TLS Certificate Compression (RFC 8879)
  - Hybrid ML-KEM key exchage groups (draft-kwiatkowski-tls-ecdhe-mlkem-02)
  - support for Brainpool curves in TLS 1.2 and TLS 1.3
+ - Delegated Credentials (RFC 9345)
+ - ML-DSA certificates suppport (draft-ietf-tls-mldsa-00)
 
 
 tlslite-ng aims to be a drop-in replacement for tlslite while providing more

README.md

@@ -1,4 +1,4 @@
-tlslite-ng version 0.8.2 (2025-01-22)
+tlslite-ng version 0.9.0b2 (2025-09-26)
 
 [![GitHub CI](https://github.com/tlsfuzzer/tlslite-ng/actions/workflows/ci.yml/badge.svg)](https://github.com/tlsfuzzer/tlslite-ng/actions/workflows/ci.yml)
 [![Read the Docs](https://img.shields.io/readthedocs/tlslite-ng)](https://tlslite-ng.readthedocs.io/en/latest/)
@@ -61,7 +61,7 @@ Implemented TLS features include:
 * Extended master secret
 * padding extension
 * keying material exporter
-* RSA, RSA-PSS, DSA, ECDSA, and EdDSA certificates
+* RSA, RSA-PSS, DSA, ECDSA, EdDSA, and ML-DSA certificates
 * ticket based session resumption
 * 1-RTT handshake, Hello Retry Request, middlebox compatibility mode,
   cookie extension, post-handshake authentication and KeyUpdate
@@ -622,6 +622,10 @@ Similarly, while delegated credentials have a valid time option, it is not enfor
 12 History
 ===========
 
+0.9.0b2 - 2025-09-26
+* support for Delegated Credentials (Ganna Starovoytova)
+* (Experimental) support for ML-DSA certificates in TLS
+
 0.8.2 - 2025-01-22
 * additional test vectors for the RSA implicit rejection mechanism
 * fix negotiation of TLS 1.2 Brainpool key exchanges in TLS 1.3, only

docs/conf.py

@@ -32,9 +32,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = u'0.8'
+version = u'0.9'
 # The full version, including alpha/beta/rc tags.
-release = u'0.8.2'
+release = u'0.9.0b2'
 
 
 # -- General configuration ---------------------------------------------------

setup.py

@@ -11,7 +11,7 @@
     README = f.read()
 
 setup(name="tlslite-ng",
-      version="0.8.2",
+      version="0.9.0b2",
       author="Alicja Kario",
       author_email="[email protected]",
       url="https://github.com/tlsfuzzer/tlslite-ng",
@@ -24,7 +24,7 @@
                     'package1': ['LICENSE', 'README.md']},
       install_requires=['ecdsa>=0.18.0b1'],
       obsoletes=["tlslite"],
-      python_requires=">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*, !=3.6.*",
+      python_requires=">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*",
       classifiers=[
             'Development Status :: 5 - Production/Stable',
             'Intended Audience :: Developers',
@@ -35,12 +35,14 @@
             'Programming Language :: Python :: 2.6',
             'Programming Language :: Python :: 2.7',
             'Programming Language :: Python :: 3',
+            'Programming Language :: Python :: 3.6',
             'Programming Language :: Python :: 3.7',
             'Programming Language :: Python :: 3.8',
             'Programming Language :: Python :: 3.9',
             'Programming Language :: Python :: 3.10',
             'Programming Language :: Python :: 3.11',
             'Programming Language :: Python :: 3.12',
+            'Programming Language :: Python :: 3.13',
             'Topic :: Security :: Cryptography',
             'Topic :: Software Development :: Libraries :: Python Modules',
             'Topic :: System :: Networking'

tlslite/api.py

@@ -4,7 +4,7 @@
 #
 # See the LICENSE file for legal information regarding use of this file.
 
-__version__ = "0.8.2"
+__version__ = "0.9.0b2"
 # the whole module is about importing most commonly used methods, for use
 # by other applications
 # pylint: disable=unused-import

tlslite/constants.py

@@ -158,30 +158,68 @@ class ExtensionType(TLSEnum):
 
     server_name = 0  # RFC 6066 / 4366
     max_fragment_length = 1  # RFC 6066 / 4366
+    client_certificate_url = 2  # RFC 6066
+    trusted_ca_keys = 3  # RFC 6066
+    truncated_hmac = 4  # RFC 6066
     status_request = 5  # RFC 6066 / 4366
+    user_mapping = 6  # RFC 4681
+    client_authz = 7  # RFC 5878
+    server_authz = 8  # RFC 5878
     cert_type = 9  # RFC 6091
     supported_groups = 10  # RFC 4492, RFC-ietf-tls-negotiated-ff-dhe-10
     ec_point_formats = 11  # RFC 4492
     srp = 12  # RFC 5054
     signature_algorithms = 13  # RFC 5246
+    use_srtp = 14  # RFC 5764
     heartbeat = 15  # RFC 6520
     alpn = 16  # RFC 7301
+    status_request_v2 = 17  # RFC 6961
+    signed_certificate_timestamp = 18  # RFC 6962
+    client_certificate_type = 19  # RFC 7250
+    server_certificate_type = 20  # RFC 7250
     client_hello_padding = 21  # RFC 7685
     encrypt_then_mac = 22  # RFC 7366
     extended_master_secret = 23  # RFC 7627
+    token_binding = 24  # RFC 8472
+    cached_info = 25  # RFC 7924
+    tls_lts = 26  # draft-gutmann-tls-lts
     compress_certificate = 27  # RFC 8879
     record_size_limit = 28  # RFC 8449
-    session_ticket = 35 # RFC 5077
+    pwd_protect = 29  # RFC 8492
+    pwd_clear = 30  # RFC 8492
+    password_salt = 31  # RFC 8492
+    ticket_pinning = 32  # RFC 8672
+    tls_cert_with_extern_psk = 33  # RFC 8773
+    delegated_credential = 34  # TLS 1.3, RFC 9345
+    session_ticket = 35  # RFC 5077
+    TLMSP = 36  # draft-gutmann-tls-lts
+    TLMSP_proxying = 37  # draft-gutmann-tls-lts
+    TLMSP_delegate = 38  # draft-gutmann-tls-lts
+    supported_ekt_ciphers = 39  # RFC 8870
     extended_random = 40  # draft-rescorla-tls-extended-random-02
     pre_shared_key = 41  # TLS 1.3
     early_data = 42  # TLS 1.3
     supported_versions = 43  # TLS 1.3
     cookie = 44  # TLS 1.3
     psk_key_exchange_modes = 45  # TLS 1.3
+    certificate_authorities = 47  # RFC 8446
+    oid_filters = 48  # RFC 8446
     post_handshake_auth = 49  # TLS 1.3
     signature_algorithms_cert = 50  # TLS 1.3
     key_share = 51  # TLS 1.3
-    delegated_credential = 34 # TLS 1.3, RFC 9345
+    transparency_info = 52  # RFC 9162
+    connection_id_deprecated = 53  # RFC 9146 (deprecated)
+    connection_id = 54  # RFC 9146
+    external_id_hash = 55  # RFC 8844
+    external_session_id = 56  # RFC 8844
+    quic_transport_parameters = 57  # RFC 9001
+    ticket_request = 58  # RFC 9149
+    dnssec_chain = 59  # RFC 9102
+    sequence_number_encryption_algorithms = 60  # draft-ietf-tls-dtls13
+    rrc = 61  # RFC 9146
+    tls_flags = 62  # draft-ietf-tls-tlsflags
+    ech_outer_extensions = 64768  # draft-ietf-tls-esni
+    encrypted_client_hello = 65037  # draft-ietf-tls-esni
     supports_npn = 13172
     tack = 0xF300
     renegotiation_info = 0xff01  # RFC 5746