mysql
diff --git a/‎CHANGES.txt
Lines changed: 1 addition & 0 deletions b/‎CHANGES.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎automation/generate_tls_ciphers_file.py
Lines changed: 180 additions & 0 deletions b/‎automation/generate_tls_ciphers_file.py
Lines changed: 180 additions & 0 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/abstracts.py
Lines changed: 23 additions & 15 deletions b/‎mysql-connector-python/lib/mysql/connector/abstracts.py
Lines changed: 23 additions & 15 deletions
@@ -12,6 +12,7 @@ v8.4.0
 ======
 
 - WL#16203: GPL License Exception Update
+- WL#16173: Update allowed cipher and cipher-suite lists
 - WL#16053: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for C-extension
 
 v8.3.0
 
@@ -0,0 +1,180 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2.0, as
+# published by the Free Software Foundation.
+#
+# This program is designed to work with certain software (including
+# but not limited to OpenSSL) that is licensed under separate terms,
+# as designated in a particular file or component or in included license
+# documentation. The authors of MySQL hereby grant you an
+# additional permission to link the program and your derivative works
+# with the separately licensed software that they have either included with
+# the program or referenced in the documentation.
+#
+# Without limiting anything contained in the foregoing, this file,
+# which is part of MySQL Connector/Python, is also subject to the
+# Universal FOSS Exception, version 1.0, a copy of which can be found at
+# http://oss.oracle.com/licenses/universal-foss-exception.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU General Public License, version 2.0, for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+
+"""
+Script to generate `tls_ciphers.py` given the OSSA CRB TLS Ciphersuites JSON file.
+
+This script produces `tls_ciphers.py` given the OSSA CRB TLS Ciphersuites
+JSON file. It's up to the developer to decide where or when this program
+will be executed.
+
+The program expects you to provide two command-line arguments:
+
+--src: Absolute path to the OSSA CRB TLS Ciphersuites JSON file.
+--dst: Absolute path to the folder location where `tls_ciphers.py` must be placed.
+
+You cannot change the name of the produced file, however, you can control the
+location where it should be placed.
+
+Use case example: Near the push freeze date of each release, the developer
+produces an updated `tls_ciphers.py` based on the latest version of the
+OSSA CRB TLS Ciphersuites file.
+"""
+
+import json
+import os
+import pathlib
+
+from argparse import ArgumentParser, Namespace
+from typing import Any, Dict
+
+HEADER = """{0}
+
+# Generated from the OSSA cipher list
+# version: {1}
+# date: {2}\n
+from typing import Dict, List\n\n
+APPROVED_TLS_VERSIONS: List[str] = ["TLSv1.2", "TLSv1.3"]
+{3}
+
+DEPRECATED_TLS_VERSIONS: List[str] = []
+{4}
+
+UNACCEPTABLE_TLS_VERSIONS: List[str] = ["TLSv1", "TLSv1.0", "TLSv1.1"]
+{5}
+
+"""
+
+LINE_NEW_CATEGORY = """{0}: Dict[str, Dict[str, str]] = """
+
+
+# Helper to setup command-line argument parser
+def setup_cmd_parser() -> Namespace:
+    parser = ArgumentParser(
+        description="Script to autogenerate tls_ciphers.py. "
+        "given the OSSA CRB TLS Ciphersuites json file."
+    )
+    parser.add_argument(
+        "--src",
+        nargs="?",
+        help="Absolute path to the OSSA CRB TLS Ciphersuites json file.",
+        required=True,
+        metavar="ossa_cipher_json_file_src",
+    )
+    parser.add_argument(
+        "--dst",
+        nargs="?",
+        help="Absolute path to the folder location where tls_ciphers.py must be dumped.",
+        required=True,
+        metavar="tls_ciphers_python_file_dst",
+    )
+    return parser.parse_args()
+
+
+def get_category_by_tls_version(
+    ossa_cipher_data: Dict[str, Any], category: str, tls_version: str
+) -> Dict[str, str]:
+    return {
+        category_data["iana_cipher_name"]: category_data["openssl_cipher_name"]
+        for category_data in ossa_cipher_data[category]
+        if tls_version in category_data["tls_protocol"]
+    }
+
+
+def main(src_file_location: pathlib.Path, dst_ciphers_file: pathlib.Path) -> None:
+    ossa_cipher = json.load(open(src_file_location))
+
+    categories = {
+        cat: {}
+        for cat in [
+            "mandatory_tls_ciphersuites",
+            "approved_tls_ciphersuites",
+            "deprecated_tls_ciphersuites",
+            "unacceptable_tls_ciphersuites",
+        ]
+    }
+    tls_versions = ["TLSv1.2", "TLSv1.3"]
+
+    for cat in categories:
+        for tls_version in tls_versions:
+            categories[cat][tls_version] = get_category_by_tls_version(
+                ossa_cipher_data=ossa_cipher, category=cat, tls_version=tls_version
+            )
+
+    with open(dst_ciphers_file, mode="w") as f:
+        f.write(
+            HEADER.format(
+                '"""TLS ciphersuites and versions."""',
+                ossa_cipher["metadata"][0]["version"],
+                ossa_cipher["metadata"][0]["date"],
+                '"""Approved TLS versions."""',
+                '"""Deprecated TLS versions."""',
+                '"""Unacceptable TLS versions."""',
+            )
+        )
+        for i, cat in enumerate(categories):
+            f.write(LINE_NEW_CATEGORY.format(cat.upper()))
+            json.dump(categories[cat], f, indent=4)
+            f.write(
+                '\n"""Access dictionary by TLS version that translates from cipher '
+                'suites IANI (key)\n to OpenSSL name (value)."""'
+            )
+            f.write("\n" if i + 1 == len(categories) else "\n\n")
+
+
+if __name__ == "__main__":
+    ossa_cipher_file_src = vars(setup_cmd_parser()).get("src")
+    tls_ciphers_file_dst = vars(setup_cmd_parser()).get("dst")
+
+    if not ossa_cipher_file_src:
+        raise RuntimeError(
+            "No src file was provided. Please provide the absolute path to "
+            "the OSSA CRB TLS Ciphersuites file. "
+            "Use --help option for argument details."
+        )
+    if not tls_ciphers_file_dst:
+        raise RuntimeError(
+            "No dst file was provided. Please provide the absolute path to "
+            "the folder location where tls_ciphers.py must be dumped. "
+            "Use --help option for argument details."
+        )
+
+    src_file_location = pathlib.Path(ossa_cipher_file_src)
+    dst_ciphers_file = pathlib.Path(tls_ciphers_file_dst)
+
+    for p in [src_file_location, dst_ciphers_file]:
+        if not os.path.exists(p):
+            raise FileNotFoundError(f"File {p} does not exists.")
+
+    if src_file_location.suffix != ".json":
+        raise RuntimeError(f"File {src_file_location} must be a json file.")
+
+    if not os.path.isdir(dst_ciphers_file):
+        raise RuntimeError(f"File {dst_ciphers_file} must be a folder location.")
+
+    main(src_file_location, pathlib.Path(dst_ciphers_file, "tls_ciphers.py"))
@@ -73,7 +73,6 @@
 from .constants import (
     CONN_ATTRS_DN,
     DEFAULT_CONFIGURATION,
-    DEPRECATED_TLS_VERSIONS,
     OPENSSL_CS_NAMES,
     TLS_CIPHER_SUITES,
     TLS_VERSIONS,
@@ -105,6 +104,7 @@
     )
 
 from .optionfiles import read_option_files
+from .tls_ciphers import UNACCEPTABLE_TLS_CIPHERSUITES, UNACCEPTABLE_TLS_VERSIONS
 from .types import (
     BinaryProtocolType,
     DescriptionType,
@@ -129,7 +129,7 @@
     "TLS protocol version (should be one of {})."
 )
 
-TLS_VERSION_DEPRECATED_ERROR = (
+TLS_VERSION_UNACCEPTABLE_ERROR = (
     "The given tls_version: '{}' are no longer allowed (should be one of {})."
 )
 
@@ -340,7 +340,7 @@ def _validate_tls_ciphersuites(self) -> None:
         # an older version.
         tls_versions.sort(reverse=True)  # type: ignore[union-attr]
         newer_tls_ver = tls_versions[0]
-        # translated_names[0] belongs to TLSv1, TLSv1.1 and TLSv1.2
+        # translated_names[0] are TLSv1.2 only
         # translated_names[1] are TLSv1.3 only
         translated_names: List[List[str]] = [[], []]
         iani_cipher_suites_names = {}
@@ -380,6 +380,18 @@ def _validate_tls_ciphersuites(self) -> None:
                 "No valid cipher suite found in the 'tls_ciphersuites' list"
             )
 
+        # raise an error when using an unacceptable cipher
+        for cipher_as_ossl in translated_names[0]:
+            if cipher_as_ossl in UNACCEPTABLE_TLS_CIPHERSUITES["TLSv1.2"].values():
+                raise NotSupportedError(
+                    f"Cipher {cipher_as_ossl} when used with TLSv1.2 is unacceptable."
+                )
+        for cipher_as_ossl in translated_names[1]:
+            if cipher_as_ossl in UNACCEPTABLE_TLS_CIPHERSUITES["TLSv1.3"].values():
+                raise NotSupportedError(
+                    f"Cipher {cipher_as_ossl} when used with TLSv1.3 is unacceptable."
+                )
+
         self._ssl["tls_ciphersuites"] = [
             ":".join(translated_names[0]),
             ":".join(translated_names[1]),
@@ -441,13 +453,13 @@ def _validate_tls_versions(self) -> None:
             )
 
         use_tls_versions = []
-        deprecated_tls_versions = []
+        unacceptable_tls_versions = []
         invalid_tls_versions = []
         for tls_ver in tls_versions:
             if tls_ver in TLS_VERSIONS:
                 use_tls_versions.append(tls_ver)
-            if tls_ver in DEPRECATED_TLS_VERSIONS:
-                deprecated_tls_versions.append(tls_ver)
+            if tls_ver in UNACCEPTABLE_TLS_VERSIONS:
+                unacceptable_tls_versions.append(tls_ver)
             else:
                 invalid_tls_versions.append(tls_ver)
 
@@ -456,12 +468,11 @@ def _validate_tls_versions(self) -> None:
                 raise NotSupportedError(
                     TLS_VER_NO_SUPPORTED.format(tls_version, TLS_VERSIONS)
                 )
-            use_tls_versions.sort()
             self._ssl["tls_versions"] = use_tls_versions
-        elif deprecated_tls_versions:
+        elif unacceptable_tls_versions:
             raise NotSupportedError(
-                TLS_VERSION_DEPRECATED_ERROR.format(
-                    deprecated_tls_versions, TLS_VERSIONS
+                TLS_VERSION_UNACCEPTABLE_ERROR.format(
+                    unacceptable_tls_versions, TLS_VERSIONS
                 )
             )
         elif invalid_tls_versions:
@@ -731,13 +742,10 @@ def config(self, **kwargs: Any) -> None:
                 raise AttributeError(
                     "ssl_key and ssl_cert need to be both set, or neither"
                 )
-            if "tls_versions" in self._ssl and self._ssl["tls_versions"] is not None:
+            if self._ssl.get("tls_versions") is not None:
                 self._validate_tls_versions()
 
-            if (
-                "tls_ciphersuites" in self._ssl
-                and self._ssl["tls_ciphersuites"] is not None
-            ):
+            if self._ssl.get("tls_ciphersuites") is not None:
                 self._validate_tls_ciphersuites()
 
         if self._conn_attrs is None: