review, calculate also max TLS version

2025-04-05 14:17:35 +03:00 · 2024-11-14 06:54:10 +01:00 · 2024-11-14 06:54:10 +01:00 · 416081a81f
commit 416081a81f
parent 07b7d28323
2 changed files with 39 additions and 14 deletions
--- a/radicale/server.py
+++ b/radicale/server.py
@ -188,18 +188,24 @@ class ParallelHTTPSServer(ParallelHTTPServer):
        logger.info("SSL load files certificate='%s' key='%s'", certfile, keyfile)
        context.load_cert_chain(certfile=certfile, keyfile=keyfile)
        if protocol:
-            logger.info("SSL set explicit protocol: '%s'", protocol)
+            logger.info("SSL set explicit protocols (maybe not all supported by underlying OpenSSL): '%s'", protocol)
            context.options = utils.ssl_context_options_by_protocol(protocol, context.options)
            context.minimum_version = utils.ssl_context_minimum_version_by_options(context.options)
+            if (context.minimum_version == 0):
+                raise RuntimeError("No SSL minimum protocol active")
+            context.maximum_version = utils.ssl_context_maximum_version_by_options(context.options)
+            if (context.maximum_version == 0):
+                raise RuntimeError("No SSL maximum protocol active")
        else:
-            logger.info("SSL default protocol active")
-        logger.info("SSL minimum acceptable protocol: %s", context.minimum_version)
+            logger.info("SSL active protocols: (system-default)")
+        logger.debug("SSL minimum acceptable protocol: %s", context.minimum_version)
+        logger.debug("SSL maximum acceptable protocol: %s", context.maximum_version)
        logger.info("SSL accepted protocols: %s", ' '.join(utils.ssl_get_protocols(context)))
        if ciphersuite:
-            logger.info("SSL set explicit ciphersuite: '%s'", ciphersuite)
+            logger.info("SSL set explicit ciphersuite (maybe not all supported by underlying OpenSSL): '%s'", ciphersuite)
            context.set_ciphers(ciphersuite)
        else:
-            logger.info("SSL default ciphersuite active")
+            logger.info("SSL active ciphersuite: (system-default)")
        cipherlist = []
        for entry in context.get_ciphers():
            cipherlist.append(entry["name"])
--- a/radicale/utils.py
+++ b/radicale/utils.py
@ -115,7 +115,7 @@ def ssl_context_options_by_protocol(protocol: str, ssl_context_options):
            logger.debug("SSL context options, disable TLSv1.3")
            ssl_context_options |= ssl.OP_NO_TLSv1_3
        else:
-            logger.error("SSL protocol string: '%s' contain unsupported entry: '%s'", protocol, entry)
+            raise RuntimeError("SSL protocol config contains unsupported entry '%s'" % (entry))

    logger.debug("SSL resulting context options: '0x%x'", ssl_context_options)
    return ssl_context_options
@ -123,8 +123,8 @@ def ssl_context_options_by_protocol(protocol: str, ssl_context_options):

 def ssl_context_minimum_version_by_options(ssl_context_options):
    logger.debug("SSL calculate minimum version by context options: '0x%x'", ssl_context_options)
-    ssl_context_minimum_version = 0 # default
-    if ((ssl_context_options & ssl.OP_NO_SSLv3) and (ssl_context_minimum_version == 0)):
+    ssl_context_minimum_version = ssl.TLSVersion.SSLv3 # default
+    if ((ssl_context_options & ssl.OP_NO_SSLv3) and (ssl_context_minimum_version == ssl.TLSVersion.SSLv3)):
        ssl_context_minimum_version = ssl.TLSVersion.TLSv1
    if ((ssl_context_options & ssl.OP_NO_TLSv1) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1)):
        ssl_context_minimum_version = ssl.TLSVersion.TLSv1_1
@ -132,27 +132,46 @@ def ssl_context_minimum_version_by_options(ssl_context_options):
        ssl_context_minimum_version = ssl.TLSVersion.TLSv1_2
    if ((ssl_context_options & ssl.OP_NO_TLSv1_2) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1_2)):
        ssl_context_minimum_version = ssl.TLSVersion.TLSv1_3
-    if (ssl_context_minimum_version == 0):
-        ssl_context_minimum_version = ssl.TLSVersion.SSLv3 # default
+    if ((ssl_context_options & ssl.OP_NO_TLSv1_3) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1_3)):
+        ssl_context_minimum_version = 0 # all disabled

    logger.debug("SSL context options: '0x%x' results in minimum version: %s", ssl_context_options, ssl_context_minimum_version)
    return ssl_context_minimum_version


+def ssl_context_maximum_version_by_options(ssl_context_options):
+    logger.debug("SSL calculate maximum version by context options: '0x%x'", ssl_context_options)
+    ssl_context_maximum_version = ssl.TLSVersion.TLSv1_3 # default
+    if ((ssl_context_options & ssl.OP_NO_TLSv1_3) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1_3)):
+        ssl_context_maximum_version = ssl.TLSVersion.TLSv1_2
+    if ((ssl_context_options & ssl.OP_NO_TLSv1_2) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1_2)):
+        ssl_context_maximum_version = ssl.TLSVersion.TLSv1_1
+    if ((ssl_context_options & ssl.OP_NO_TLSv1_1) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1_1)):
+        ssl_context_maximum_version = ssl.TLSVersion.TLSv1
+    if ((ssl_context_options & ssl.OP_NO_TLSv1) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1)):
+        ssl_context_maximum_version = ssl.TLSVersion.SSLv3
+    if ((ssl_context_options & ssl.OP_NO_SSLv3) and (ssl_context_maximum_version == ssl.TLSVersion.SSLv3)):
+        ssl_context_maximum_version = 0
+
+    logger.debug("SSL context options: '0x%x' results in maximum version: %s", ssl_context_options, ssl_context_maximum_version)
+    return ssl_context_maximum_version
+
+
 def ssl_get_protocols(context):
    protocols = []
    if not (context.options & ssl.OP_NO_SSLv3):
        if (context.minimum_version < ssl.TLSVersion.TLSv1):
            protocols.append("SSLv3")
    if not (context.options & ssl.OP_NO_TLSv1):
-        if (context.minimum_version < ssl.TLSVersion.TLSv1_1):
+        if (context.minimum_version < ssl.TLSVersion.TLSv1_1) and (context.maximum_version >= ssl.TLSVersion.TLSv1):
            protocols.append("TLSv1")
    if not (context.options & ssl.OP_NO_TLSv1_1):
-        if (context.minimum_version < ssl.TLSVersion.TLSv1_2):
+        if (context.minimum_version < ssl.TLSVersion.TLSv1_2) and (context.maximum_version >= ssl.TLSVersion.TLSv1_1):
            protocols.append("TLSv1.1")
    if not (context.options & ssl.OP_NO_TLSv1_2):
-        if (context.minimum_version < ssl.TLSVersion.TLSv1_3):
+        if (context.minimum_version <= ssl.TLSVersion.TLSv1_2) and (context.maximum_version >= ssl.TLSVersion.TLSv1_2):
            protocols.append("TLSv1.2")
    if not (context.options & ssl.OP_NO_TLSv1_3):
-        protocols.append("TLSv1.3")
+        if (context.minimum_version <= ssl.TLSVersion.TLSv1_3) and (context.maximum_version >= ssl.TLSVersion.TLSv1_3):
+            protocols.append("TLSv1.3")
    return protocols