Ability to "pin" TLS version and/or ciphers #13

Closed
rugk opened this issue Dec 25, 2015 · 2 comments · Fixed by #55
Comments

rugk commented Dec 25, 2015

It would be nice if you could not only pin the cert hash (#9), but also the ciphers and the TLS version to use. This would effectively make any downgrade attacks impossible and ensure that the best encryption is always used.

E.g. you can also do this in the PHP-SDK.

lgrahl commented Dec 25, 2015

I'm in two minds about this. Certainly, a developer should have this option, and in fact he has because no one is required to use this project as is. Then again, good TLS security settings change over time and there are plenty of misleading optimal settings out there. I'm quite sure that the developers of aiohttp take this as seriously as we do and they can use their knowledge to provide us sane and safe TLS settings.

I guess it would be okay to add an optional keyword argument `connector` to the class `Connection` which contains an `aiohttp.BaseConnector` instance. But I wouldn't want to go any further. At least not without some very convincing arguments.

Nevertheless, if somebody wants to do it, the following should work (TLS settings from this page). I have not tested this and I'm definitely not recommending it!

```python
import ssl
import aiohttp

from threema import gateway


class Connection(gateway.Connection):
    def __init__(self, *args, fingerprint=None, verify_fingerprint=False, **kwargs):
        super().__init__(*args, fingerprint=fingerprint,
                         verify_fingerprint=verify_fingerprint, **kwargs)

        # Create your own SSL context here...
        ssl_context = ssl.create_default_context()

        # Override session
        if fingerprint is None and verify_fingerprint:
            fingerprint = self.fingerprint
        connector = aiohttp.TCPConnector(fingerprint=fingerprint, ssl_context=ssl_context)
        self._session = aiohttp.ClientSession(connector=connector)
```

rugk commented Dec 25, 2015

Yes I would also only make it optional (that's why I said "ability" 😃), so that the user can choose for him/herself the best ciphers and therefore he should know that this might need to be updated at some time.

lgrahl added a commit that referenced this issue May 17, 2021
The fingerprint will change from time to time and hard-coding it in this
library we cannot forcibly deploy (unlike e.g. the Threema apps) is a
surprising footgun since your services may suddenly fail (when Threema changes
the fingerprint). As pointed out in #17, hard-coding the fingerprint (over the
public key) is also undesirable. Furthermore, we want users to use their
custom `aiohttp.ClientSession` instance. Therefore, we have decided to remove
it. If you want to retain this feature, all you have to do is provide your own
`aiohttp.ClientSession` in the following way:

    Connection(session=aiohttp.ClientSession(
        connector=aiohttp.TCPConnector(ssl=<fingerprint>)))

See the aiohttp docs for details.

Closes #17
Resolves #13 (by providing your own `SSLContext`)
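
An added example (not code from this project or its authors) of the `SSLContext` route the commit message names as the resolution: it sets a minimum TLS version and a restricted TLS 1.2 cipher list using only the standard library. The function names, the TLS 1.2 floor and the cipher string are assumptions chosen for illustration, and as noted in the thread such a policy has to be revisited over time.

```python
import ssl

# Assumed policy for this example: ECDHE key exchange with AEAD ciphers only.
PINNED_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def pinned_tls_context(min_version=ssl.TLSVersion.TLSv1_2,
                       ciphers=PINNED_TLS12_CIPHERS):
    """Return a client SSLContext with a version floor and a cipher allow-list."""
    if min_version < ssl.TLSVersion.TLSv1_2:
        # Refuse a floor that would re-enable the downgrade this is meant to stop.
        raise ValueError("minimum TLS version must be TLS 1.2 or newer")

    # create_default_context() keeps certificate and hostname verification on.
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version

    # set_ciphers() only governs TLS 1.2 and below; TLS 1.3 suites stay at the
    # OpenSSL defaults. It raises ssl.SSLError if the string selects nothing,
    # so a typo fails at start-up instead of silently widening the policy.
    ctx.set_ciphers(ciphers)
    return ctx


def tls12_cipher_names(ctx):
    """List the cipher suites the context will offer below TLS 1.3."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    ctx = pinned_tls_context()
    print(ctx.minimum_version.name, tls12_cipher_names(ctx))
    # With aiohttp installed, the context is handed over as the commit
    # message describes:
    #   Connection(session=aiohttp.ClientSession(
    #       connector=aiohttp.TCPConnector(ssl=ctx)))
```

Printing `tls12_cipher_names(ctx)` at start-up shows what the local OpenSSL build actually enabled for the given cipher string, which can differ between hosts.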