OLD | NEW |
1 | 1 |
2 tlslite version 0.4.6 Mar 20 2013 | 2 tlslite version 0.4.8 Nov 12 2014 |
3 Trevor Perrin <tlslite at trevp.net> | 3 Trevor Perrin <tlslite at trevp.net> |
4 http://trevp.net/tlslite/ | 4 http://trevp.net/tlslite/ |
5 ============================================================================ | 5 ============================================================================ |
6 | 6 |
7 | 7 |
8 Table of Contents | 8 Table of Contents |
9 ================== | 9 ================== |
10 1 Introduction | 10 1 Introduction |
11 2 License/Acknowledgements | 11 2 License/Acknowledgements |
12 3 Installation | 12 3 Installation |
(...skipping 18 matching lines...) Expand all Loading... |
31 API documentation is available in the 'docs' directory. | 31 API documentation is available in the 'docs' directory. |
32 | 32 |
33 If you have questions or feedback, feel free to contact me. For discussing | 33 If you have questions or feedback, feel free to contact me. For discussing |
34 improvements to tlslite, also see 'tlslite-dev@googlegroups.com'. | 34 improvements to tlslite, also see 'tlslite-dev@googlegroups.com'. |
35 | 35 |
36 | 36 |
37 2 Licenses/Acknowledgements | 37 2 Licenses/Acknowledgements |
38 ============================ | 38 ============================ |
39 TLS Lite is written (mostly) by Trevor Perrin. It includes code from Bram | 39 TLS Lite is written (mostly) by Trevor Perrin. It includes code from Bram |
40 Cohen, Google, Kees Bos, Sam Rushing, Dimitris Moraitis, Marcelo Fernandez, | 40 Cohen, Google, Kees Bos, Sam Rushing, Dimitris Moraitis, Marcelo Fernandez, |
41 Martin von Loewis, and Dave Baggett. | 41 Martin von Loewis, Dave Baggett, and Yngve N. Pettersen (ported by Paul |
| 42 Sokolovsky). |
42 | 43 |
43 All code in TLS Lite has either been dedicated to the public domain by its | 44 All code in TLS Lite has either been dedicated to the public domain by its |
44 authors, or placed under a BSD-style license. See the LICENSE file for | 45 authors, or placed under a BSD-style license. See the LICENSE file for |
45 details. | 46 details. |
46 | 47 |
47 Thanks to Edward Loper for Epydoc, which generated the API docs. | 48 Thanks to Edward Loper for Epydoc, which generated the API docs. |
48 | 49 |
49 | |
50 3 Installation | 50 3 Installation |
51 =============== | 51 =============== |
52 Requirements: | 52 Requirements: |
53 Python 2.6 or higher is required. Python 3 is supported. | 53 Python 2.6 or higher is required. Python 3 is supported. |
54 | 54 |
55 Options: | 55 Options: |
56 - If you have the M2Crypto interface to OpenSSL, this will be used for fast | 56 - If you have the M2Crypto interface to OpenSSL, this will be used for fast |
57 RSA operations and fast ciphers. | 57 RSA operations and fast ciphers. |
58 | 58 |
59 - If you have pycrypto this will be used for fast RSA operations and fast | 59 - If you have pycrypto this will be used for fast RSA operations and fast |
(...skipping 220 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
280 connection.session.srpUsername # string | 280 connection.session.srpUsername # string |
281 connection.session.clientCertChain # X509CertChain | 281 connection.session.clientCertChain # X509CertChain |
282 connection.session.serverCertChain # X509CertChain | 282 connection.session.serverCertChain # X509CertChain |
283 connection.session.tackExt # TACKpy.TACK_Extension | 283 connection.session.tackExt # TACKpy.TACK_Extension |
284 | 284 |
285 X.509 chain objects return the end-entity fingerprint via getFingerprint(), | 285 X.509 chain objects return the end-entity fingerprint via getFingerprint(), |
286 and ignore the other certificates. | 286 and ignore the other certificates. |
287 | 287 |
288 TACK objects return the (validated) TACK ID via getTACKID(). | 288 TACK objects return the (validated) TACK ID via getTACKID(). |
289 | 289 |
290 To save yourself the trouble of inspecting certificates and/or TACKs after the | 290 To save yourself the trouble of inspecting certificates after the handshake, |
291 handshake, you can pass a Checker object into the handshake function. The | 291 you can pass a Checker object into the handshake function. The checker will be |
292 checker will be called if the handshake completes successfully. If the other | 292 called if the handshake completes successfully. If the other party isn't |
293 party isn't approved by the checker, a subclass of TLSAuthenticationError will | 293 approved by the checker, a subclass of TLSAuthenticationError will be raised. |
294 be raised. | |
295 | 294 |
296 If the handshake fails for any reason, including a Checker error, an exception | 295 If the handshake fails for any reason, including a Checker error, an exception |
297 will be raised and the socket will be closed. If the socket timed out or was | 296 will be raised and the socket will be closed. If the socket timed out or was |
298 unexpectedly closed, a socket.error or TLSAbruptCloseError will be raised. | 297 unexpectedly closed, a socket.error or TLSAbruptCloseError will be raised. |
299 | 298 |
300 Otherwise, either a TLSLocalAlert or TLSRemoteAlert will be raised, depending | 299 Otherwise, either a TLSLocalAlert or TLSRemoteAlert will be raised, depending |
301 on whether the local or remote implementation signalled the error. The | 300 on whether the local or remote implementation signalled the error. The |
302 exception object has a 'description' member which identifies the error based | 301 exception object has a 'description' member which identifies the error based |
303 on the codes in RFC 2246. A TLSLocalAlert also has a 'message' string that may | 302 on the codes in RFC 2246. A TLSLocalAlert also has a 'message' string that may |
304 have more details. | 303 have more details. |
(...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
443 TLS Lite can be used with subclasses of asyncore.dispatcher. See the comments | 442 TLS Lite can be used with subclasses of asyncore.dispatcher. See the comments |
444 in TLSAsyncDispatcherMixIn.py for details. This is still experimental, and | 443 in TLSAsyncDispatcherMixIn.py for details. This is still experimental, and |
445 may not work with all asyncore.dispatcher subclasses. | 444 may not work with all asyncore.dispatcher subclasses. |
446 | 445 |
447 | 446 |
448 11 Security Considerations | 447 11 Security Considerations |
449 =========================== | 448 =========================== |
450 TLS Lite is beta-quality code. It hasn't received much security analysis. Use | 449 TLS Lite is beta-quality code. It hasn't received much security analysis. Use |
451 at your own risk. | 450 at your own risk. |
452 | 451 |
| 452 TLS Lite does NOT verify certificates by default. |
| 453 |
| 454 TLS Lite's pure-python ciphers are probably vulnerable to timing attacks. |
| 455 |
453 TLS Lite is probably vulnerable to the "Lucky 13" timing attack if AES or 3DES | 456 TLS Lite is probably vulnerable to the "Lucky 13" timing attack if AES or 3DES |
454 are used. Thus, TLS Lite prefers the RC4 cipher. | 457 are used, or the weak cipher RC4 otherwise. This unhappy situation will remain |
| 458 until TLS Lite implements authenticated-encryption ciphersuites (like GCM), or |
| 459 RFC 7366. |
455 | 460 |
456 | 461 |
457 12 History | 462 12 History |
458 =========== | 463 =========== |
459 0.4.6 - 3/20/2013 | 464 0.4.8 - 11/12/2014 |
| 465 - Added more acknowledgements and security considerations |
| 466 0.4.7 - 11/12/2014 |
| 467 - Added TLS 1.2 support (Yngve Pettersen and Paul Sokolovsky) |
| 468 - Don't offer SSLv3 by default (e.g. POODLE) |
| 469 - Fixed bug with PyCrypto_RSA integration |
| 470 - Fixed harmless bug that added non-prime into sieves list |
| 471 - Added "make test" and "make test-dev" targets (Hubert Kario) |
| 472 0.4.5 - 3/20/2013 |
460 - **API CHANGE**: TLSClosedConnectionError instead of ValueError when writing | 473 - **API CHANGE**: TLSClosedConnectionError instead of ValueError when writing |
461 to a closed connection. This inherits from socket.error, so should | 474 to a closed connection. This inherits from socket.error, so should |
462 interact better with SocketServer (see http://bugs.python.org/issue14574) | 475 interact better with SocketServer (see http://bugs.python.org/issue14574) |
463 and other things expecting a socket.error in this situation. | 476 and other things expecting a socket.error in this situation. |
464 - Added support for RC4-MD5 ciphersuite (if enabled in settings) | 477 - Added support for RC4-MD5 ciphersuite (if enabled in settings) |
465 - This is allegedly necessary to connect to some Internet servers. | 478 - This is allegedly necessary to connect to some Internet servers. |
466 - Added TLSConnection.unread() function | 479 - Added TLSConnection.unread() function |
467 - Switched to New-style classes (inherit from 'object') | 480 - Switched to New-style classes (inherit from 'object') |
468 - Minor cleanups | 481 - Minor cleanups |
469 | |
470 0.4.5 - (release engineering problem, skipped!) | |
471 | |
472 0.4.4 - 2/25/2013 | 482 0.4.4 - 2/25/2013 |
473 - Added Python 3 support (Martin von Loewis) | 483 - Added Python 3 support (Martin von Loewis) |
474 - Added NPN client support (Marcelo Fernandez) | 484 - Added NPN client support (Marcelo Fernandez) |
475 - Switched to RC4 as preferred cipher | 485 - Switched to RC4 as preferred cipher |
476 - faster in Python, avoids "Lucky 13" timing attacks | 486 - faster in Python, avoids "Lucky 13" timing attacks |
477 - Fixed bug when specifying ciphers for anon ciphersuites | 487 - Fixed bug when specifying ciphers for anon ciphersuites |
478 - Made RSA hashAndVerify() tolerant of sigs w/o encoded NULL AlgorithmParam | 488 - Made RSA hashAndVerify() tolerant of sigs w/o encoded NULL AlgorithmParam |
479 - (this function is not used for TLS currently, and this tolerance may | 489 - (this function is not used for TLS currently, and this tolerance may |
480 not even be necessary) | 490 not even be necessary) |
481 0.4.3 - 9/27/2012 | 491 0.4.3 - 9/27/2012 |
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
644 - fixed server when it has a key, but client selects plain SRP | 654 - fixed server when it has a key, but client selects plain SRP |
645 - fixed server to postpone errors until it has read client's messages | 655 - fixed server to postpone errors until it has read client's messages |
646 - fixed ServerHello to only include extension data if necessary | 656 - fixed ServerHello to only include extension data if necessary |
647 0.1.1 - 2/02/2004 | 657 0.1.1 - 2/02/2004 |
648 - fixed close_notify behavior | 658 - fixed close_notify behavior |
649 - fixed handling of empty application data packets | 659 - fixed handling of empty application data packets |
650 - fixed socket reads to not consume extra bytes | 660 - fixed socket reads to not consume extra bytes |
651 - added testing functions to tls.py | 661 - added testing functions to tls.py |
652 0.1.0 - 2/01/2004 | 662 0.1.0 - 2/01/2004 |
653 - first release | 663 - first release |
OLD | NEW |