Tls Dtls Config Module
- class mtf.network_port.tls.tls_dtls_config.SecureSocketType
Enum representing types of secure socket protocols.
Attributes:
- DTLSstr
Datagram Transport Layer Security (DTLS) protocol type, a variant of TLS used for datagram-based applications.
- TLSstr
Transport Layer Security (TLS) protocol type, widely used for securing communication over a computer network.
- DTLS
- TLS
- class mtf.network_port.tls.tls_dtls_config.ProtocolVersion
Enum representing different versions of SSL/TLS protocols.
Attributes:
- SSL2tuple
Secure Sockets Layer version 2.0, an early and now deprecated version of SSL.
- SSL3tuple
Secure Sockets Layer version 3.0, a more secure version than SSL2 but still deprecated.
- TLS10tuple
Transport Layer Security version 1.0, the first version of TLS succeeding SSL3.
- TLS11tuple
Transport Layer Security version 1.1, an improvement over TLS 1.0 with better security features.
- TLS12tuple
Transport Layer Security version 1.2, widely used with advanced security features compared to previous versions.
- TLS13tuple
Transport Layer Security version 1.3, the latest and most secure version of the TLS protocol.
- SSL2
- SSL3
- TLS10
- TLS11
- TLS12
- TLS13
- class mtf.network_port.tls.tls_dtls_config.TlsExtensionType
Enum representing the different types of TLS extensions.
TLS extensions are used in the TLS handshake to negotiate various parameters between the client and server. Each extension type corresponds to a specific functionality that can be negotiated or enabled during the handshake.
- Attributes:
SERVER_NAME (int): Server Name Indication (SNI) extension, value 0. MAX_FRAGMENT_LENGTH (int): Maximum Fragment Length extension, value 1. STATUS_REQUEST (int): Certificate Status Request extension, value 5. USER_MAPPING (int): User Mapping extension, value 6. CLIENT_AUTHZ (int): Client Authorization extension, value 7. CERT_TYPE (int): Certificate Type extension, value 9. SUPPORTED_GROUPS (int): Supported Elliptic Curves extension, value 10. EC_POINT_FORMATS (int): Supported EC Point Formats extension, value 11. SRP (int): Secure Remote Password extension, value 12. SIGNATURE_ALGORITHMS (int): Signature Algorithms extension, value 13. USE_SRTP (int): Use SRTP extension, value 14. HEARTBEAT (int): Heartbeat extension, value 15. ALPN (int): Application-Layer Protocol Negotiation (ALPN) extension, value 16. STATUS_REQUEST_V2 (int): Status Request Version 2 extension, value 17. CLIENT_CERT_TYPE (int): Client Certificate Type extension, value 19. SERVER_CERT_TYPE (int): Server Certificate Type extension, value 20. PADDING (int): Padding extension, value 21. ENCRYPT_THEN_MAC (int): Encrypt-Then-MAC extension, value 22. EXTENDED_MASTER_SECRET (int): Extended Master Secret extension, value 23. SESSION_TICKET (int): Session Ticket extension, value 35. EXTENDED_RANDOM (int): Extended Random extension, value 40. EARLY_DATA (int): Early Data extension, value 42. POST_HANDSHAKE_AUTH (int): Post-Handshake Authentication extension, value 49. COMPRESS_CERTIFICATE (int): Compress Certificate extension, value 27. RECORD_SIZE_LIMIT (int): Record Size Limit extension, value 28. PSK_IDENTITY (int): Pre-Shared Key Identity extension, value 41. SUPPORTED_VERSIONS (int): Supported Versions extension, value 43. COOKIE (int): Cookie extension, value 44. PSK_KEY_EXCHANGE_MODES (int): PSK Key Exchange Modes extension, value 45. SIGNATURE_ALGORITHMS_CERT (int): Signature Algorithms for Certificates extension, value 50. KEY_SHARE (int): Key Share extension, value 51. TRANSPARENCY_INFO (int): Certificate Transparency extension, value 52. CONNECTION_ID_DEPRECATED (int): Deprecated Connection ID extension, value 53. CONNECTION_ID (int): Connection ID extension, value 54. EXTERNAL_ID_HASH (int): External ID Hash extension, value 55. EXTERNAL_SESSION_ID (int): External Session ID extension, value 56. QUIC_TRANSPORT_PARAMETERS (int): QUIC Transport Parameters extension, value 57. TICKET_REQUEST (int): Ticket Request extension, value 58. DNSSEC_CHAIN (int): DNSSEC Chain extension, value 59. NPN (int): Next Protocol Negotiation (NPN) extension, value 13172. RENEGOTIATION_INFO (int): Renegotiation Info extension, value 65281.
- SERVER_NAME
- MAX_FRAGMENT_LENGTH
- STATUS_REQUEST
- USER_MAPPING
- CLIENT_AUTHZ
- CERT_TYPE
- SUPPORTED_GROUPS
- EC_POINT_FORMATS
- SRP
- SIGNATURE_ALGORITHMS
- USE_SRTP
- HEARTBEAT
- ALPN
- STATUS_REQUEST_V2
- CLIENT_CERT_TYPE
- SERVER_CERT_TYPE
- PADDING
- ENCRYPT_THEN_MAC
- EXTENDED_MASTER_SECRET
- SESSION_TICKET
- EXTENDED_RANDOM
- EARLY_DATA
- POST_HANDSHAKE_AUTH
- COMPRESS_CERTIFICATE
- RECORD_SIZE_LIMIT
- PSK_IDENTITY
- SUPPORTED_VERSIONS
- COOKIE
- PSK_KEY_EXCHANGE_MODES
- SIGNATURE_ALGORITHMS_CERT
- KEY_SHARE
- TRANSPARENCY_INFO
- CONNECTION_ID_DEPRECATED
- CONNECTION_ID
- EXTERNAL_ID_HASH
- EXTERNAL_SESSION_ID
- QUIC_TRANSPORT_PARAMETERS
- TICKET_REQUEST
- DNSSEC_CHAIN
- NPN
- RENEGOTIATION_INFO
- class mtf.network_port.tls.tls_dtls_config.TLSConfigurator
Configuration for TLS/DTLS.
- args:
address: The destination address (IP, port) tuple for the TLS/DTLS server or client. src_address: The Source address (IP, port) tuple for the TLS/DTLS client (binding). secure_version: The TLS/DTLS version to use. socket_type: The type of socket (TLS or DTLS). max_secure_version: The maximum TLS/DTLS version to support. min_secure_version: The minimum TLS/DTLS version to support. psk_identity: The identity for PSK (Pre-Shared Key). psk_identity_hint: Set the server PSK identity hint. psk_key: The key for PSK. time_out: The timeout value for the TLS/DTLS connection. backlog: The backlog value for the socket. buffer_size: The buffer size for socket data. cipher_list: The list of ciphers to support. options: Additional options for the TLS/DTLS context. curve_name: The elliptic curve to use for ECDHE key exchange. server_name: The server name for SNI (Server Name Indication). sni_callback: A callback function to handle server name indications. ocsp_callback: Optional callback function for OCSP client/server validation. ocsp_callback_data: Optional data for the OCSP client/server callback. srtp_profiles: Optional SRTP profiles to use(DTLS). alpn_protos: Optional list of ALPN protocols to advertise. alpn_select_callback: Optional callback function for ALPN protocol selection. client_ca_list: Optional list of client certificate authorities. keylog_callback: Optional callback function to handle TLS key material logging. keylog_file_path: Path to the key log file if the default key log callback is used. record_version: The record version of TLS/DTLS, represented as a tuple (major, minor) or as a ProtocolVersion enum.
- Notes:
If keylog_callback is not provided, a default callback will be used. This default callback writes keying material to the file specified by keylog_file_path.
Make sure to select the right cipher that supports both PSK and ECDHE. For example: ‘ECDHE-PSK-CHACHA20-POLY1305’. More supported ciphers can be found by running the command: openssl ciphers -v PSK
The list of supported curves can be found in the documentation or by running: openssl ecparam -list_curves
Selecting an unsupported curve will raise a ValueError
- address: tuple
- socket_type: SecureSocketType
- src_address: tuple | None
- secure_version: int | None
- max_secure_version: int
- min_secure_version: int
- psk_identity_hint: bytes | None
- psk_identity: bytes
- psk_key: bytes
- time_out: float
- backlog: int
- buffer_size: int
- cipher_list: bytes
- options: int
- curve_name: str | None
- server_name: str | None
- sni_callback: Callable[[Connection], None] | None
- ocsp_callback: Callable[[Connection, bytes, Any | None], bool] | None
- ocsp_callback_data: Any | None
- srtp_profiles: str | None
- alpn_protos: List[bytes] | None
- alpn_select_callback: Callable[[Connection, List[bytes]], bytes | None] | None
- client_ca_list: Sequence[X509Name] | None
- keylog_callback: Callable[[Connection, bytes], None] | None
- keylog_file_path: str
- record_version: ProtocolVersion | None
- __init__(address: tuple, socket_type: SecureSocketType, src_address: tuple | None = None, secure_version: int | None = 7, max_secure_version: int | None = None, min_secure_version: int | None = None, psk_identity_hint: bytes | None = None, psk_identity: bytes = b'client-identity', psk_key: bytes = b'mysecretpskkey', time_out: float = 5.0, backlog: int = 5, buffer_size: int = 1024, cipher_list: bytes = b'PSK-AES256-CBC-SHA', options: int | None = None, curve_name: str | None = None, server_name: str | None = None, sni_callback: Callable[[Connection], None] | None = None, ocsp_callback: Callable[[Connection, bytes, Any | None], bool] | None = None, ocsp_callback_data: Any | None = None, srtp_profiles: str | None = None, alpn_protos: List[bytes] | None = None, alpn_select_callback: Callable[[Connection, List[bytes]], bytes | None] | None = None, client_ca_list: Sequence[X509Name] | None = None, keylog_callback: Callable[[Connection, bytes], None] | None = None, keylog_file_path: str = 'keylogfile.log', record_version: ProtocolVersion | None = ProtocolVersion.TLS10) None