in mysql-connector-python/lib/mysql/connector/aio/abstracts.py [0:0]
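def _validate_tls_ciphersuites(self) -> None:
    """Validate the ``tls_ciphersuites`` option and translate it for OpenSSL.

    The option may be a bracketed, comma-separated string (``"[A,B]"``) or a
    list/set of names. Each name must be an OpenSSL or IANA cipher-suite name
    known for the newest enabled TLS version or an earlier one. On success
    ``self._tls_ciphersuites`` is replaced by a two-item list of colon-joined
    OpenSSL names: index 0 holds the suites that are not TLSv1.3 suites,
    index 1 holds the TLSv1.3 suites.

    Raises:
        AttributeError: If the option has the wrong type or format, names an
            unknown cipher suite, gives an IANA name whose translation was
            already collected, or yields no cipher suite at all.
        NotSupportedError: If a requested suite appears in
            ``UNACCEPTABLE_TLS_CIPHERSUITES`` for its TLS version.
    """
    tls_ciphersuites = []
    tls_cs = self._tls_ciphersuites

    if isinstance(tls_cs, str):
        if not (tls_cs.startswith("[") and tls_cs.endswith("]")):
            raise AttributeError(
                f"tls_ciphersuites must be a list, found: '{tls_cs}'"
            )
        # Normalise each element, not the whole option string. The previous
        # code stripped/upper-cased `tls_cs` itself, so every entry became the
        # full "[...]" text and the string form was always rejected below.
        # An empty list ("[]") produces no entries and is rejected further
        # down by the "No valid cipher suite found" check.
        for item in tls_cs[1:-1].split(","):
            item = item.strip().upper()
            if item:
                tls_ciphersuites.append(item)
    elif isinstance(tls_cs, (list, set)):
        # Entries are taken as given (no strip/upper), so they must match the
        # known names exactly; falsy entries are dropped.
        tls_ciphersuites = [name for name in tls_cs if name]
    else:
        raise AttributeError(
            "tls_ciphersuites should be a list with one or more "
            f"ciphersuites. Found: '{tls_cs}'"
        )

    tls_versions = (
        TLS_VERSIONS[:] if self._tls_versions is None else self._tls_versions[:]
    )
    # A newer TLS version can use a cipher introduced on an older version,
    # so only the newest enabled version matters for the lookup below.
    # NOTE(review): assumes tls_versions is non-empty and that its entries
    # appear in TLS_VERSIONS (validated elsewhere) - confirm against callers.
    tls_versions.sort(reverse=True)
    newer_tls_ver = tls_versions[0]

    # translated_names[0]: OpenSSL names of suites that are not TLSv1.3 suites
    #                      (checked against the TLSv1.2 unacceptable table).
    # translated_names[1]: OpenSSL names of TLSv1.3 suites.
    translated_names: List[List[str]] = [[], []]
    iana_cipher_suites_names = {}
    ossl_cipher_suites_names: List[str] = []

    # Collect every cipher introduced up to and including the newest
    # enabled TLS version.
    for tls_ver in TLS_VERSIONS[: TLS_VERSIONS.index(newer_tls_ver) + 1]:
        iana_cipher_suites_names.update(TLS_CIPHER_SUITES[tls_ver])
        ossl_cipher_suites_names.extend(OPENSSL_CS_NAMES[tls_ver])

    for name in tls_ciphersuites:
        if "-" in name and name in ossl_cipher_suites_names:
            # Already an OpenSSL name; only needs sorting into its bucket.
            if name in OPENSSL_CS_NAMES["TLSv1.3"]:
                translated_names[1].append(name)
            else:
                translated_names[0].append(name)
        elif name in iana_cipher_suites_names:
            translated_name = iana_cipher_suites_names[name]
            # translated_names is a list of two lists, so membership has to
            # be tested against each bucket; testing the outer list could
            # never match a string and left this check unreachable.
            if (
                translated_name in translated_names[0]
                or translated_name in translated_names[1]
            ):
                raise AttributeError(
                    DUPLICATED_IN_LIST_ERROR.format(
                        list="tls_ciphersuites", value=translated_name
                    )
                )
            if name in TLS_CIPHER_SUITES["TLSv1.3"]:
                translated_names[1].append(translated_name)
            else:
                translated_names[0].append(translated_name)
        else:
            raise AttributeError(
                f"The value '{name}' in tls_ciphersuites is not a valid "
                "cipher suite"
            )

    if not translated_names[0] and not translated_names[1]:
        raise AttributeError(
            "No valid cipher suite found in the 'tls_ciphersuites' list"
        )

    # Refuse the configuration outright when it names an unacceptable cipher,
    # rather than silently dropping the entry.
    for cipher_as_ossl in translated_names[0]:
        if cipher_as_ossl in UNACCEPTABLE_TLS_CIPHERSUITES["TLSv1.2"].values():
            raise NotSupportedError(
                f"Cipher {cipher_as_ossl} when used with TLSv1.2 is unacceptable."
            )
    for cipher_as_ossl in translated_names[1]:
        if cipher_as_ossl in UNACCEPTABLE_TLS_CIPHERSUITES["TLSv1.3"].values():
            raise NotSupportedError(
                f"Cipher {cipher_as_ossl} when used with TLSv1.3 is unacceptable."
            )

    self._tls_ciphersuites = [
        ":".join(translated_names[0]),
        ":".join(translated_names[1]),
    ]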