
Commit 79a9d4c

committed
Update TLS ciphers and versions
Ensure compliance with Oracle Cryptography Review Board standards. Change-Id: I80d532f08b58d2501fc87e13b4d176982b30a812
1 parent 7e76ac0 commit 79a9d4c


4 files changed

+28
-22
lines changed


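--- a/mysql-connector-python/lib/mysql/connector/tls_ciphers.py
+++ b/mysql-connector-python/lib/mysql/connector/tls_ciphers.py
@@ -29,11 +29,12 @@
 """TLS ciphersuites and versions."""
 
 # Generated from the OSSA cipher list
-# version: 3.3
-# date: 2024-01-10
+# version: 3.4
+# date: 2024-04-11
 
 from typing import Dict, List
 
+
 APPROVED_TLS_VERSIONS: List[str] = ["TLSv1.2", "TLSv1.3"]
 """Approved TLS versions."""
 
@@ -61,11 +62,6 @@
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
 "TLS_ECDHE_ECDSA_WITH_AES_256_CCM": "ECDHE-ECDSA-AES256-CCM",
 "TLS_ECDHE_ECDSA_WITH_AES_128_CCM": "ECDHE-ECDSA-AES128-CCM",
-"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
-"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
-"TLS_DHE_RSA_WITH_AES_256_CCM": "DHE-RSA-AES256-CCM",
-"TLS_DHE_RSA_WITH_AES_128_CCM": "DHE-RSA-AES128-CCM",
-"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "DHE-RSA-CHACHA20-POLY1305",
 },
 "TLSv1.3": {
 "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
@@ -79,6 +75,11 @@
 
 DEPRECATED_TLS_CIPHERSUITES: Dict[str, Dict[str, str]] = {
 "TLSv1.2": {
+"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
+"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
+"TLS_DHE_RSA_WITH_AES_256_CCM": "DHE-RSA-AES256-CCM",
+"TLS_DHE_RSA_WITH_AES_128_CCM": "DHE-RSA-AES128-CCM",
+"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "DHE-RSA-CHACHA20-POLY1305",
 "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8": "ECDHE-ECDSA-AES256-CCM8",
 "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8": "ECDHE-ECDSA-AES128-CCM8",
 "TLS_DHE_RSA_WITH_AES_256_CCM_8": "DHE-RSA-AES256-CCM8",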
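Review bot: Nothing visible in this change checks that a suite name lives in only one table, so a later regeneration that adds the DHE-RSA entries to DEPRECATED_TLS_CIPHERSUITES["TLSv1.2"] without removing them from the approved map would go unnoticed, and which classification wins would depend on lookup order in code outside this page. A small unit test, `assert not set(APPROVED_TLS_CIPHERSUITES[v]) & set(DEPRECATED_TLS_CIPHERSUITES[v])` for each version `v`, would pin that. The identical table is repeated in mysqlx-connector-python/lib/mysqlx/tls_ciphers.py, so the same test should also compare the two modules' maps for equality. A one-line comment above the moved entries, e.g. `# DHE-RSA: deprecated as of cipher list 3.4`, would keep the reason in the file; the dictionary continues past the end of the hunk.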

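--- a/mysql-connector-python/tests/qa/test_qa_ciphers.py
+++ b/mysql-connector-python/tests/qa/test_qa_ciphers.py
@@ -118,7 +118,9 @@ class CipherTests(tests.MySQLConnectorTests):
 ),
 "3": (
 None,
-"ECDHE-RSA-AES256-GCM-SHA384",
+APPROVED_TLS_CIPHERSUITES["TLSv1.2"][
+"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+],
 ["TLSv1.2"],
 ["ECDHE-RSA-AES256-GCM-SHA384"], # approved
 ),
@@ -157,12 +159,12 @@ class CipherTests(tests.MySQLConnectorTests):
 ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"], # acceptable
 ),
 "8": (
-None,
-APPROVED_TLS_CIPHERSUITES["TLSv1.2"][
+DeprecationWarning,
+DEPRECATED_TLS_CIPHERSUITES["TLSv1.2"][
 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
 ],
 ["TLSv1.2"],
-["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"], # approved
+["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"], # deprecated
 ),
 },
 }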
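Review bot: Case "8" is the only case visible here that exercises a suite moved to DEPRECATED_TLS_CIPHERSUITES, and it covers just TLS_DHE_RSA_WITH_AES_128_GCM_SHA256; the other four DHE-RSA suites moved by this commit get no case in these hunks. Because Python's default filters ignore DeprecationWarning unless it is triggered by code in `__main__`, it is worth confirming that the code consuming the first tuple element asserts the warning is raised (for example under `warnings.catch_warnings(record=True)`) rather than merely tolerating it; that code is outside the hunk. The tuple layout is also undocumented, and a comment such as `# (expected warning, expected cipher, tls_versions, tls_ciphersuites)` would help, with the field meanings inferred from the values and to be confirmed. The same applies to the matching cases in mysqlx-connector-python/tests/qa/test_qa_ciphers.py.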

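--- a/mysqlx-connector-python/lib/mysqlx/tls_ciphers.py
+++ b/mysqlx-connector-python/lib/mysqlx/tls_ciphers.py
@@ -29,11 +29,12 @@
 """TLS ciphersuites and versions."""
 
 # Generated from the OSSA cipher list
-# version: 3.3
-# date: 2024-01-10
+# version: 3.4
+# date: 2024-04-11
 
 from typing import Dict, List
 
+
 APPROVED_TLS_VERSIONS: List[str] = ["TLSv1.2", "TLSv1.3"]
 """Approved TLS versions."""
 
@@ -61,11 +62,6 @@
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
 "TLS_ECDHE_ECDSA_WITH_AES_256_CCM": "ECDHE-ECDSA-AES256-CCM",
 "TLS_ECDHE_ECDSA_WITH_AES_128_CCM": "ECDHE-ECDSA-AES128-CCM",
-"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
-"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
-"TLS_DHE_RSA_WITH_AES_256_CCM": "DHE-RSA-AES256-CCM",
-"TLS_DHE_RSA_WITH_AES_128_CCM": "DHE-RSA-AES128-CCM",
-"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "DHE-RSA-CHACHA20-POLY1305",
 },
 "TLSv1.3": {
 "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
@@ -79,6 +75,11 @@
 
 DEPRECATED_TLS_CIPHERSUITES: Dict[str, Dict[str, str]] = {
 "TLSv1.2": {
+"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
+"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
+"TLS_DHE_RSA_WITH_AES_256_CCM": "DHE-RSA-AES256-CCM",
+"TLS_DHE_RSA_WITH_AES_128_CCM": "DHE-RSA-AES128-CCM",
+"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "DHE-RSA-CHACHA20-POLY1305",
 "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8": "ECDHE-ECDSA-AES256-CCM8",
 "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8": "ECDHE-ECDSA-AES128-CCM8",
 "TLS_DHE_RSA_WITH_AES_256_CCM_8": "DHE-RSA-AES256-CCM8",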

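--- a/mysqlx-connector-python/tests/qa/test_qa_ciphers.py
+++ b/mysqlx-connector-python/tests/qa/test_qa_ciphers.py
@@ -109,7 +109,9 @@ class CipherTests(tests.MySQLxTests):
 ),
 "3": (
 None,
-"ECDHE-RSA-AES256-GCM-SHA384",
+APPROVED_TLS_CIPHERSUITES["TLSv1.2"][
+"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+],
 ["TLSv1.2"],
 ["ECDHE-RSA-AES256-GCM-SHA384"], # approved
 ),
@@ -148,12 +150,12 @@ class CipherTests(tests.MySQLxTests):
 ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"], # acceptable
 ),
 "8": (
-None,
-APPROVED_TLS_CIPHERSUITES["TLSv1.2"][
+DeprecationWarning,
+DEPRECATED_TLS_CIPHERSUITES["TLSv1.2"][
 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
 ],
 ["TLSv1.2"],
-["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"], # approved
+["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"], # deprecated
 ),
 },
 }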
