Support SSLContext.options in _create_ssl_context, --ssl-options

[javabrett]

Reading https://docs.python.org/3/library/ssl.html , use of PROTOCOL_* to specify the exact protocol and version is becoming increasingly deprecated, e.g. for TLSv1_2:

ssl.PROTOCOL_TLSv1_2
...
New in version 3.4.

Deprecated since version 3.6: OpenSSL has deprecated all version specific protocols. Use the default protocol PROTOCOL_TLS with flags like OP_NO_SSLv3 instead.

... suggesting that this is replaced by PROTOCOL_TLS and a suite of or-ed OP_* options passed to SSLContext.options (if you want to override or amend ssl.OP_ALL, which seems to be currently SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS). Some care should be taken not to unintentionally mask-out the base ssl.OP_ALL.

This SSL/TLS option might be exposed by a new config ssl_options / ssl_options.

[berkerpeksag]

+1 from me.

[javabrett]

Looking for thoughts on how this option might be presented.

• Would it be acceptable if this were a config-file-only option ssl_options with no command-line equivalent --ssl-options? That would put it at-odds with --ssl-version, but that might be acceptable if using this option is less-common, has a sensible default, and if it saves a lot of parsing code.
• If a command-line is required, and with reference to the in-flight PR Ssl version named constants #1890, where it is proposed to simplify the protocol version options by stripping ssl.PROTOCOL_ as inferred and allowing just the following e.g. TLS_SERVER be presented as the config value. How we might offer a parsable string equivalent here? ssl.Options is an enum with int flags starting with OP_, so ssl.Options.OP_ could be the implied prefix here to match ... but given that these options will almost always need to be expressed as some bitwise OR or ANDNOT to set or clear flags, the parsing promises to be somewhat involved, unless some sort of evil eval were attempted.

If a config-file only option were permitted (or at least initially), and since that can be any Python, that seems to offer a pretty straightforward approach for the options-parsing part of this at least.

Thoughts please.

[javabrett]

Some info on typical Python 3.6 constants and defaults:

>>> for ssl_option in ssl.Options:
...     print(repr(ssl_option))
... 
<Options.OP_NO_TLSv1_3: 0>
<Options.OP_NO_TICKET: 16384>
<Options.OP_NO_COMPRESSION: 131072>
<Options.OP_SINGLE_ECDH_USE: 524288>
<Options.OP_SINGLE_DH_USE: 1048576>
<Options.OP_CIPHER_SERVER_PREFERENCE: 4194304>
<Options.OP_NO_SSLv2: 16777216>
<Options.OP_NO_SSLv3: 33554432>
<Options.OP_NO_TLSv1: 67108864>
<Options.OP_NO_TLSv1_2: 134217728>
<Options.OP_NO_TLSv1_1: 268435456>
<Options.OP_ALL: 2147484671>

>>> ctx = ssl.SSLContext()
>>> print(repr(ctx.options))
<
Options.OP_ALL|
OP_NO_SSLv3|
OP_NO_SSLv2|
OP_CIPHER_SERVER_PREFERENCE|
OP_SINGLE_DH_USE|
OP_SINGLE_ECDH_USE|
OP_NO_COMPRESSION
: 2203714559
>

OP_ALL = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

SSL_OP_ALL = (varies a little by version)

SSL_OP_MICROSOFT_SESS_ID_BUG|
SSL_OP_NETSCAPE_CHALLENGE_BUG|
SSL_OP_LEGACY_SERVER_CONNECT|
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG|
SSL_OP_TLSEXT_PADDING|
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER|
SSL_OP_SAFARI_ECDHE_ECDSA_BUG|
SSL_OP_SSLEAY_080_CLIENT_DH_BUG|
SSL_OP_TLS_D5_BUG|
SSL_OP_TLS_BLOCK_PADDING_BUG|
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|
SSL_OP_CRYPTOPRO_TLSEXT_BUG

[tilgovi]

@javabrett I appreciate the thinking about configuration sanity and would like to not add a lot of parsing code. Whatever you're willing and able to do is great. I would also be happy to start with limiting it to the configuration file and if someone wants to propose and implement a good way to express it on the CLI in the future, that can be an improvement later.