tlslib.insecure

Insecure options for the abstract interface to TLS for Python.

  1"""Insecure options for the abstract interface to TLS for Python."""
  2
  3import warnings
  4from abc import abstractmethod
  5from collections.abc import Callable
  6from typing import Protocol, TypeVar
  7
  8from ..tlslib import (
  9    ClientContext,
 10    ServerContext,
 11    TLSClientConfiguration,
 12    TLSImplementation,
 13    TLSServerConfiguration,
 14)
 15
 16
 17class SecurityWarning(Warning):
 18    """Warning regarding the insecurity caused by the use of this module"""
 19
 20
 21class InsecureConfiguration:
 22    """
 23    Class allowing users to define insecure configuration parameters for testing purposes.
 24    It should be noted that making use of any of the options in this class will lead to an
 25    insecure deployment of TLS.
 26
 27    :param _disable_hostname_check bool:
 28        Disables hostname_check of the server certificate. This allows anyone positioned
 29        in the network to intercept connections between legitimate clients and servers without
 30        detection and is insecure. A better option would be to obtain the server's (self-signed)
 31        certificate and place it in a newly-created TrustStore object.
 32
 33    :param disable_verification bool:
 34        Disables client verification of the server certificate. This allows anyone positioned
 35        in the network to intercept connections between legitimate clients and servers without
 36        detection and is insecure. A better option would be to obtain the server's (self-signed)
 37        certificate and place it in a newly-created TrustStore object.
 38    """
 39
 40    __slots__ = (
 41        "_disable_verification",
 42        "_disable_hostname_check",
 43    )
 44
 45    def __init__(
 46        self,
 47        disable_hostname_check: bool = False,
 48        disable_verification: bool = False,
 49    ) -> None:
 50        """Initializes the InsecureConfiguration."""
 51        warnings.warn(
 52            "Using InsecureConfiguration is insecure and should not be used in production.",
 53            SecurityWarning,
 54        )
 55
 56        if not disable_hostname_check and disable_verification:
 57            raise ValueError("Cannot disable verification without disabling hostname check")
 58
 59        self._disable_hostname_check = disable_hostname_check
 60        self._disable_verification = disable_verification
 61
 62    @property
 63    def disable_hostname_check(self) -> bool:
 64        """Whether client verification of the server hostname should be disabled."""
 65        return self._disable_hostname_check
 66
 67    @property
 68    def disable_verification(self) -> bool:
 69        """Whether client verification of the server certificate should be disabled."""
 70        return self._disable_verification
 71
 72
 73class InsecureClientContext(ClientContext, Protocol):
 74    """
 75    Class allowing users to make insecure choices for testing purposes.
 76
 77    :param tls_configuration TLSClientConfiguration
 78        The underlying TLS configuration to be used to instantiate the insecure context.
 79
 80    :param insecure_configuration InsecureConfiguration:
 81        The insecure configuration options that will make this context insecure.
 82    """
 83
 84    @abstractmethod
 85    def __init__(
 86        self,
 87        tls_configuration: TLSClientConfiguration,
 88        insecure_configuration: InsecureConfiguration,
 89    ) -> None:
 90        """
 91        Create a new insecure context object from a given TLS configuration and
 92        insecure configuration."""
 93
 94    @property
 95    @abstractmethod
 96    def insecure_configuration(self) -> InsecureConfiguration:
 97        """The insecure configuration options that will make this context insecure."""
 98
 99
100class InsecureServerContext(ServerContext, Protocol):
101    """
102    Class allowing users to make insecure choices for testing purposes.
103
104    :param tls_configuration TLSClientConfiguration | TLSServerConfiguration:
105        The underlying TLS configuration to be used to instantiate the insecure context.
106
107    :param insecure_configuration InsecureConfiguration:
108        The insecure configuration options that will make this context insecure.
109    """
110
111    @abstractmethod
112    def __init__(
113        self,
114        tls_configuration: TLSServerConfiguration,
115        insecure_configuration: InsecureConfiguration,
116    ) -> None:
117        """
118        Create a new insecure context object from a given TLS configuration and
119        insecure configuration."""
120
121    @property
122    @abstractmethod
123    def insecure_configuration(self) -> InsecureConfiguration:
124        """The insecure configuration options that will make this context insecure."""
125
126
127GenericClientContext = TypeVar("GenericClientContext", bound=ClientContext)
128GenericServerContext = TypeVar("GenericServerContext", bound=ServerContext)
129GenericInsecureClientContext = TypeVar("GenericInsecureClientContext", bound=InsecureClientContext)
130GenericInsecureServerContext = TypeVar("GenericInsecureServerContext", bound=InsecureServerContext)
131
132
133class InsecureTLSImplementation[
134    GenericInsecureClientContext: InsecureClientContext,
135    GenericInsecureServerContext: InsecureServerContext,
136](TLSImplementation):
137    """
138    An insecure version of a TLS API implementation that allows a user to make insecure
139    choices for testing purposes.
140    """
141
142    __slots__ = (
143        "_insecure_client_context",
144        "_insecure_server_context",
145    )
146
147    def __init__(
148        self,
149        client_context: type[GenericClientContext],
150        server_context: type[GenericServerContext],
151        validate_config: Callable[[TLSClientConfiguration | TLSServerConfiguration], None],
152        insecure_client_context: type[GenericInsecureClientContext],
153        insecure_server_context: type[GenericInsecureServerContext],
154    ) -> None:
155        """Initializes all attributes of the implementation."""
156
157        warnings.warn(
158            "Using an InsecureTLSImplementation is insecure. "
159            "This should not be used in production.",
160            SecurityWarning,
161        )
162
163        self._insecure_client_context = insecure_client_context
164        self._insecure_server_context = insecure_server_context
165
166        super().__init__(
167            client_context=client_context,
168            server_context=server_context,
169            validate_config=validate_config,
170        )
171
172    @property
173    def insecure_client_context(self) -> type[GenericInsecureClientContext]:
174        """The concrete implementation of the PEP 543 Insecure Client Context object used
175        by this TLS implementation.
176        """
177        return self._insecure_client_context
178
179    @property
180    def insecure_server_context(self) -> type[GenericInsecureServerContext]:
181        """The concrete implementation of the PEP 543 Insecure Server Context object used
182        by this TLS implementation.
183        """
184        return self._insecure_server_context
class SecurityWarning(builtins.Warning): 
18class SecurityWarning(Warning):
19    """Warning regarding the insecurity caused by the use of this module"""

Warning regarding the insecurity caused by the use of this module

class InsecureConfiguration: 
22class InsecureConfiguration:
23    """
24    Class allowing users to define insecure configuration parameters for testing purposes.
25    It should be noted that making use of any of the options in this class will lead to an
26    insecure deployment of TLS.
27
28    :param _disable_hostname_check bool:
29        Disables hostname_check of the server certificate. This allows anyone positioned
30        in the network to intercept connections between legitimate clients and servers without
31        detection and is insecure. A better option would be to obtain the server's (self-signed)
32        certificate and place it in a newly-created TrustStore object.
33
34    :param disable_verification bool:
35        Disables client verification of the server certificate. This allows anyone positioned
36        in the network to intercept connections between legitimate clients and servers without
37        detection and is insecure. A better option would be to obtain the server's (self-signed)
38        certificate and place it in a newly-created TrustStore object.
39    """
40
41    __slots__ = (
42        "_disable_verification",
43        "_disable_hostname_check",
44    )
45
46    def __init__(
47        self,
48        disable_hostname_check: bool = False,
49        disable_verification: bool = False,
50    ) -> None:
51        """Initializes the InsecureConfiguration."""
52        warnings.warn(
53            "Using InsecureConfiguration is insecure and should not be used in production.",
54            SecurityWarning,
55        )
56
57        if not disable_hostname_check and disable_verification:
58            raise ValueError("Cannot disable verification without disabling hostname check")
59
60        self._disable_hostname_check = disable_hostname_check
61        self._disable_verification = disable_verification
62
63    @property
64    def disable_hostname_check(self) -> bool:
65        """Whether client verification of the server hostname should be disabled."""
66        return self._disable_hostname_check
67
68    @property
69    def disable_verification(self) -> bool:
70        """Whether client verification of the server certificate should be disabled."""
71        return self._disable_verification

Class allowing users to define insecure configuration parameters for testing purposes. It should be noted that making use of any of the options in this class will lead to an insecure deployment of TLS.

Parameters

  • _disable_hostname_check bool: Disables hostname_check of the server certificate. This allows anyone positioned in the network to intercept connections between legitimate clients and servers without detection and is insecure. A better option would be to obtain the server's (self-signed) certificate and place it in a newly-created TrustStore object.

  • disable_verification bool: Disables client verification of the server certificate. This allows anyone positioned in the network to intercept connections between legitimate clients and servers without detection and is insecure. A better option would be to obtain the server's (self-signed) certificate and place it in a newly-created TrustStore object.

InsecureConfiguration( disable_hostname_check: bool = False, disable_verification: bool = False) 
46    def __init__(
47        self,
48        disable_hostname_check: bool = False,
49        disable_verification: bool = False,
50    ) -> None:
51        """Initializes the InsecureConfiguration."""
52        warnings.warn(
53            "Using InsecureConfiguration is insecure and should not be used in production.",
54            SecurityWarning,
55        )
56
57        if not disable_hostname_check and disable_verification:
58            raise ValueError("Cannot disable verification without disabling hostname check")
59
60        self._disable_hostname_check = disable_hostname_check
61        self._disable_verification = disable_verification

Initializes the InsecureConfiguration.

disable_hostname_check: bool 
63    @property
64    def disable_hostname_check(self) -> bool:
65        """Whether client verification of the server hostname should be disabled."""
66        return self._disable_hostname_check

Whether client verification of the server hostname should be disabled.

disable_verification: bool 
68    @property
69    def disable_verification(self) -> bool:
70        """Whether client verification of the server certificate should be disabled."""
71        return self._disable_verification

Whether client verification of the server certificate should be disabled.

class InsecureClientContext(tlslib.tlslib.ClientContext, typing.Protocol): 
74class InsecureClientContext(ClientContext, Protocol):
75    """
76    Class allowing users to make insecure choices for testing purposes.
77
78    :param tls_configuration TLSClientConfiguration
79        The underlying TLS configuration to be used to instantiate the insecure context.
80
81    :param insecure_configuration InsecureConfiguration:
82        The insecure configuration options that will make this context insecure.
83    """
84
85    @abstractmethod
86    def __init__(
87        self,
88        tls_configuration: TLSClientConfiguration,
89        insecure_configuration: InsecureConfiguration,
90    ) -> None:
91        """
92        Create a new insecure context object from a given TLS configuration and
93        insecure configuration."""
94
95    @property
96    @abstractmethod
97    def insecure_configuration(self) -> InsecureConfiguration:
98        """The insecure configuration options that will make this context insecure."""

Class allowing users to make insecure choices for testing purposes.

:param tls_configuration TLSClientConfiguration The underlying TLS configuration to be used to instantiate the insecure context.

Parameters
  • insecure_configuration InsecureConfiguration: The insecure configuration options that will make this context insecure.
@abstractmethod
InsecureClientContext( tls_configuration: tlslib.tlslib.TLSClientConfiguration, insecure_configuration: InsecureConfiguration) 
85    @abstractmethod
86    def __init__(
87        self,
88        tls_configuration: TLSClientConfiguration,
89        insecure_configuration: InsecureConfiguration,
90    ) -> None:
91        """
92        Create a new insecure context object from a given TLS configuration and
93        insecure configuration."""

Create a new insecure context object from a given TLS configuration and insecure configuration.

insecure_configuration: InsecureConfiguration 
95    @property
96    @abstractmethod
97    def insecure_configuration(self) -> InsecureConfiguration:
98        """The insecure configuration options that will make this context insecure."""

The insecure configuration options that will make this context insecure.

Inherited Members
tlslib.tlslib.ClientContext
configuration
connect
create_buffer
class InsecureServerContext(tlslib.tlslib.ServerContext, typing.Protocol): 
101class InsecureServerContext(ServerContext, Protocol):
102    """
103    Class allowing users to make insecure choices for testing purposes.
104
105    :param tls_configuration TLSClientConfiguration | TLSServerConfiguration:
106        The underlying TLS configuration to be used to instantiate the insecure context.
107
108    :param insecure_configuration InsecureConfiguration:
109        The insecure configuration options that will make this context insecure.
110    """
111
112    @abstractmethod
113    def __init__(
114        self,
115        tls_configuration: TLSServerConfiguration,
116        insecure_configuration: InsecureConfiguration,
117    ) -> None:
118        """
119        Create a new insecure context object from a given TLS configuration and
120        insecure configuration."""
121
122    @property
123    @abstractmethod
124    def insecure_configuration(self) -> InsecureConfiguration:
125        """The insecure configuration options that will make this context insecure."""

Class allowing users to make insecure choices for testing purposes.

Parameters

  • tls_configuration TLSClientConfiguration | TLSServerConfiguration: The underlying TLS configuration to be used to instantiate the insecure context.

  • insecure_configuration InsecureConfiguration: The insecure configuration options that will make this context insecure.

@abstractmethod
InsecureServerContext( tls_configuration: tlslib.tlslib.TLSServerConfiguration, insecure_configuration: InsecureConfiguration) 
112    @abstractmethod
113    def __init__(
114        self,
115        tls_configuration: TLSServerConfiguration,
116        insecure_configuration: InsecureConfiguration,
117    ) -> None:
118        """
119        Create a new insecure context object from a given TLS configuration and
120        insecure configuration."""

Create a new insecure context object from a given TLS configuration and insecure configuration.

insecure_configuration: InsecureConfiguration 
122    @property
123    @abstractmethod
124    def insecure_configuration(self) -> InsecureConfiguration:
125        """The insecure configuration options that will make this context insecure."""

The insecure configuration options that will make this context insecure.

Inherited Members
tlslib.tlslib.ServerContext
configuration
connect
create_buffer
class InsecureTLSImplementation(tlslib.tlslib.TLSImplementation, typing.Generic[GenericInsecureClientContext, GenericInsecureServerContext]): 
134class InsecureTLSImplementation[
135    GenericInsecureClientContext: InsecureClientContext,
136    GenericInsecureServerContext: InsecureServerContext,
137](TLSImplementation):
138    """
139    An insecure version of a TLS API implementation that allows a user to make insecure
140    choices for testing purposes.
141    """
142
143    __slots__ = (
144        "_insecure_client_context",
145        "_insecure_server_context",
146    )
147
148    def __init__(
149        self,
150        client_context: type[GenericClientContext],
151        server_context: type[GenericServerContext],
152        validate_config: Callable[[TLSClientConfiguration | TLSServerConfiguration], None],
153        insecure_client_context: type[GenericInsecureClientContext],
154        insecure_server_context: type[GenericInsecureServerContext],
155    ) -> None:
156        """Initializes all attributes of the implementation."""
157
158        warnings.warn(
159            "Using an InsecureTLSImplementation is insecure. "
160            "This should not be used in production.",
161            SecurityWarning,
162        )
163
164        self._insecure_client_context = insecure_client_context
165        self._insecure_server_context = insecure_server_context
166
167        super().__init__(
168            client_context=client_context,
169            server_context=server_context,
170            validate_config=validate_config,
171        )
172
173    @property
174    def insecure_client_context(self) -> type[GenericInsecureClientContext]:
175        """The concrete implementation of the PEP 543 Insecure Client Context object used
176        by this TLS implementation.
177        """
178        return self._insecure_client_context
179
180    @property
181    def insecure_server_context(self) -> type[GenericInsecureServerContext]:
182        """The concrete implementation of the PEP 543 Insecure Server Context object used
183        by this TLS implementation.
184        """
185        return self._insecure_server_context

An insecure version of a TLS API implementation that allows a user to make insecure choices for testing purposes.

insecure_client_context: type[GenericInsecureClientContext] 
173    @property
174    def insecure_client_context(self) -> type[GenericInsecureClientContext]:
175        """The concrete implementation of the PEP 543 Insecure Client Context object used
176        by this TLS implementation.
177        """
178        return self._insecure_client_context

The concrete implementation of the PEP 543 Insecure Client Context object used by this TLS implementation.

insecure_server_context: type[GenericInsecureServerContext] 
180    @property
181    def insecure_server_context(self) -> type[GenericInsecureServerContext]:
182        """The concrete implementation of the PEP 543 Insecure Server Context object used
183        by this TLS implementation.
184        """
185        return self._insecure_server_context

The concrete implementation of the PEP 543 Insecure Server Context object used by this TLS implementation.

Inherited Members
tlslib.tlslib.TLSImplementation
TLSImplementation
client_context
server_context
validate_config