Expose all SSL_OP_* constants
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pyOpenSSL |
New
|
Undecided
|
Unassigned |
Bug Description
My immediate pain point is the lack of `SSL_OP_
```
>>> OpenSSL.__version__
'0.13.1'
>>> SSL.SSLeay_
'OpenSSL 1.0.1e-fips 11 Feb 2013'
>>>
```
It would be awesome to have just _all_ constants there (this is just excerpt from openssl header .. some of those are already exposed):
```
#define SSL_OP_
#define SSL_OP_
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_
#define SSL_OP_
#define SSL_OP_
#define SSL_OP_
#define SSL_OP_
#define SSL_OP_
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_
/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
* the workaround is not needed. Unfortunately some broken SSL/TLS
* implementations cannot handle it at all, which is why we include
* it in SSL_OP_ALL. */
#define SSL_OP_
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
#define SSL_OP_ALL 0x80000BFFL
/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L
/* Turn on Cookie Exchange (on relevant for servers) */
#define SSL_OP_
/* Don't use RFC4507 ticket extension */
#define SSL_OP_NO_TICKET 0x00004000L
/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
#define SSL_OP_
/* As server, disallow session resumption on renegotiation */
#define SSL_OP_
/* Don't use compression even if supported */
#define SSL_OP_
/* Permit unsafe legacy renegotiation */
#define SSL_OP_
/* If set, always create a new key when using tmp_ecdh parameters */
#define SSL_OP_
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_
/* Set to always use the tmp_rsa key when doing RSA operations,
* even when this violates protocol specs */
#define SSL_OP_
/* Set on servers to choose the cipher according to the server's
* preferences */
#define SSL_OP_
/* If set, a server will allow a client to issue a SSLv3.0 version number
* as latest version supported in the premaster secret, even when TLSv1.0
* (version 3.1) was announced in the client hello. Normally this is
* forbidden to prevent version rollback attacks. */
#define SSL_OP_
#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
/* These next two were never actually used for anything since SSLeay
* zap so we have some more flags.
*/
/* The next flag deliberately changes the ciphertest, this is a check
* for the PKCS#1 attack */
#define SSL_OP_
#define SSL_OP_
#define SSL_OP_
#define SSL_OP_
/* Make server add server-hello extension from early version of
* cryptopro draft, when GOST ciphersuite is negotiated.
* Required for interoperability with CryptoPro CSP 3.x
*/
#define SSL_OP_
```
Update: there are at least 4 constants that appear to be desirable:
``` NO_COMPRESSION = 0x00020000L CIPHER_ SERVER_ PREFERENCE = 0x00400000L SINGLE_ ECDH_USE = 0x00080000L SINGLE_ DH_USE = 0x00100000L
SSL.OP_
SSL.OP_
SSL.OP_
SSL.OP_
```