Class SSL.Context
- Description
Keeps the state that is shared by all SSL-connections on a client, or for one port on a server. It includes policy configuration, the server or client certificate(s), the corresponding private key(s), etc. It also includes the session cache.
The defaults are usually suitable for a client, but for a server some configuration is necessary.
Typical use is to:
Call add_cert() with the certificates belonging to the server or client. Note that clients often don't have or need any certificates, and also that certificate-less server operation is possible, albeit discouraged and not enabled by default.
Suitable self-signed certificates can be created with Standards.X509.make_selfsigned_certificate().
Optionally call get_suites() to get a set of cipher_suites to assign to preferred_suites. This is only needed if the default set of suites from
get_suites(128, 1)
isn't satisfactory.
The initialized Context object is then passed to File()->create() or used as is embedded in Port.
- See also
- Variable advertised_protocols
array
(string(8bit)
) SSL.Context.advertised_protocols- Description
List of advertised protocols using using TLS application level protocol negotiation.
- Variable auth_level
int
SSL.Context.auth_level- Description
Policy for client authentication. One of SSL.Constants.AUTHLEVEL_none, SSL.Constants.AUTHLEVEL_verify, SSL.Constants.AUTHLEVEL_ask and SSL.Constants.AUTHLEVEL_require.
Defaults to SSL.Constants.AUTHLEVEL_none.
- Variable client_auth_methods
array
(int
) SSL.Context.client_auth_methods- Description
The possible client authentication methods. Used only if auth_level is AUTH_ask or AUTH_require. Generated by set_authorities.
- Variable ecc_curves
array
(int
) SSL.Context.ecc_curves- Description
Supported elliptical curve cipher curves in order of preference. Defaults to all supported curves, ordered with the largest curves first.
- Variable enable_renegotiation
bool
SSL.Context.enable_renegotiation- Description
If set enable SSL/TLS protocol renegotiation.
Defaults to
1
(enabled).- Note
RFC 7540 section 9.2.1 requires this to be turned off after Protocols.HTTP2 communication has started.
- Variable encrypt_then_mac
bool
SSL.Context.encrypt_then_mac- Description
Attempt to enable encrypt-then-mac mode. Defaults to
1
.- Deprecated
Replaced by extensions.
- Variable extensions
multiset
(int
) SSL.Context.extensions- Description
A list of all extensions that will be considered in the handshake process. Extensions not listed will not be sent, and will be ignored if received.
The following values are included by default.
Constants.EXTENSION_renegotiation_info
Protection against renegotiation attack (RFC 5746).
Constants.EXTENSION_max_fragment_length
Allows negotiation of the maximum fragment size (RFC 6066 section 4).
Constants.EXTENSION_encrypt_then_mac
Attempts to address attacks against block ciphers (RFC 7366).
Constants.EXTENSION_application_layer_protocol_negotiation
Required to support more than one protocol on the same TLS port (RFC 7639).
Constants.EXTENSION_signature_algorithms
Required to select which out of several certificates to use (RFC 5246 section 7.4.1.4.1).
Constants.EXTENSION_ec_point_formats
Required for elliptic curve key exchange (RFC 4492 section 5.1.2).
Constants.EXTENSION_elliptic_curves
Required for elliptic curve key exchange (RFC 4492 section 5.1.1).
Constants.EXTENSION_server_name
Allows the client to select which of several domains hosted on the same server it wants to connect to. Required by many websites (RFC 6066 section 3).
Constants.EXTENSION_session_ticket
Support session resumption without server-side state (RFC 4507 and RFC 5077).
Constants.EXTENSION_next_protocol_negotiation
Not supported by Pike. The server side will just check that the client packets are correctly formatted.
Constants.EXTENSION_signed_certificate_timestamp
Not supported by Pike. The server side will just check that the client packets are correctly formatted.
Constants.EXTENSION_early_data
Needed for TLS 1.3 0-RTT handshake. EXPERIMENTAL.
Constants.EXTENSION_padding
This extension is required to avoid a bug in some f5 SSL terminators for certain sizes of client handshake messages.
The following supported values are not included by default.
Constants.EXTENSION_truncated_hmac
This extension allows for the HMAC to be truncated for a small win in payload size. Not widely implemented and may be a security risk (RFC 6066 section 7).
Constants.EXTENSION_heartbeat
This extension allows the client and server to send heartbeats over the connection. Intended to keep TCP connections alive. Required to be set to use heartbleed_probe (RFC 6520).
Constants.EXTENSION_extended_master_secret
Binds the master secret to important session parameters to protect against man in the middle attacks (RFC 7627).
- See also
- Variable ffdhe_groups
array
(int
) SSL.Context.ffdhe_groups- Description
Supported FFDHE groups for DHE key exchanges, in order of preference, most preferred first.
Defaults to the full set of supported FFDHE groups from the FFDHE draft, in order of size with the smallest group (2048 bits) first.
Server-side the first group in the list that satisfies the NIST guide lines for key strength (NIST SP800-57 5.6.1) (if any) for the selected cipher suite will be selected, and otherwise the largest group.
Client-side the list will be reversed (as a precaution if the server actually follows the clients preferences).
- Variable heartbleed_probe
bool
SSL.Context.heartbleed_probe- Description
If set, the other peer will be probed for the heartbleed bug during handshake. If heartbleed is found the connection is closed with insufficient security fatal error. Requires
Constants.EXTENSION_heartbeat
to be set in extensions.
- Variable max_sessions
int
SSL.Context.max_sessions- Description
Maximum number of sessions to keep in the cache.
- Variable max_version
ProtocolVersion
SSL.Context.max_version- Description
The maximum supported protocol version.
Defaults to PROTOCOL_TLS_MAX.
- Note
This value should not be less than min_version.
- Variable min_version
ProtocolVersion
SSL.Context.min_version- Description
The minimum supported protocol version.
Defaults to PROTOCOL_TLS_1_0.
- Note
This value should not be greater than max_version.
- Variable packet_max_size
int
SSL.Context.packet_max_size- Description
The maximum amount of data that is sent in each SSL packet by File. A value between 1 and
Constants.PACKET_MAX_SIZE
.
- Variable preferred_compressors
array
(int
) SSL.Context.preferred_compressors- Description
Lists the supported compression algorithms in order of preference.
Defaults to
({ COMPRESSION_null })
due to SSL attacks that target compression.
- Variable preferred_suites
array
(int
) SSL.Context.preferred_suites- Description
Cipher suites we want to support, in order of preference, best first. By default set to all suites with at least 128 bits cipher key length, excluding RC4, and ephemeral and non-ephemeral certificate based key exchange.
- Variable private_ffdhe_groups
mapping
(int(508..511)
:Crypto.DH.Parameters
) SSL.Context.private_ffdhe_groups- Description
DHE parameter lookup for the FFDHE private range.
Add any custom FFDHE-groups here.
Defaults to the empty mapping.
- Note
If you add any groups here, you will also need to update ffdhe_groups accordingly.
- Variable random
function
(int(0..)
:string(8bit)
) SSL.Context.random- Description
Used to generate random cookies for the hello-message. If we use the RSA keyexchange method, and this is a server, this random number generator is not used for generating the master_secret. By default set to
random_string
.
- Variable require_trust
int
SSL.Context.require_trust- Description
When set, require the chain to be known, even if the root is self signed.
Note that if set, and certificates are set to be verified, trusted issuers must be provided, or no connections will be accepted.
- Deprecated
Replaced by auth_level.
- Variable session_lifetime
int
SSL.Context.session_lifetime- Description
Sessions are removed from the cache when they have been inactive more than this number of seconds. Sessions are also removed from the cache if a connection using the session dies unexpectedly.
- Variable signature_algorithms
array
(array
(int
)) SSL.Context.signature_algorithms- Description
The set of <hash, signature> combinations to use by us.
Only used with TLS 1.2 and later.
Defaults to all combinations supported by Pike except for MD5.
This list is typically filtered by get_signature_algorithms() to get rid of combinations not supported by the runtime.
- Note
According to RFC 5246 section 7.4.2 all certificates needs to be signed by any of the supported signature algorithms. To be forward compatible this list needs to be limited to the combinations that have existing PKCS identifiers.
- See also
- Variable trusted_issuers_cache
mapping
(string(8bit)
:array
(Standards.X509.Verifier
)) SSL.Context.trusted_issuers_cache- Description
Mapping from DER-encoded issuer to Standards.X509.Verifiers compatible with eg Standards.X509.verify_certificate() and Standards.X509.load_authorities().
- See also
- Variable use_cache
int
SSL.Context.use_cache- Description
Non-zero to enable caching of sessions
- Variable verify_certificates
int
SSL.Context.verify_certificates- Description
Determines whether certificates presented by the peer are verified, or just accepted as being valid.
- Deprecated
Replaced by auth_level.