clarent is the home of the shared parts between merlyn and arthur. It is built as part of Crypto 101, the introductory book on cryptography.
SecureCiphersContextFactory now sets other sane defaults such as SSL.OP_NO_COMPRESSION (TLS-level compression is what the CRIME attack exploits), SSL.OP_SINGLE_DH_USE and SSL.OP_SINGLE_ECDH_USE (a fresh ephemeral (EC)DH key per handshake, so one leaked key cannot be reused against other sessions).
Several minor cleanups. We now explicitly test that there is a supported ciphersuite for the OpenSSL that ships with OS X Mavericks, since that is almost certainly the crappiest OpenSSL in the wild that we care about (developer desktop machines).
Improvements to certificate code:
- The context factory returned by getContextFactory now uses SSLv23_METHOD. Despite its name, that method negotiates the highest protocol version both peers support, so it also allows TLSv1.1 and TLSv1.2. Previously, it used Twisted's OpenSSLCertificateOptions's default, which is TLSv1_METHOD, meaning "TLSv1.0 only". This caused an incompatibility between clients using this code and merlyn, which used SSLv23_METHOD.
- SecureCiphersContextFactory now sets OP_NO_SSLv2 as well as OP_NO_SSLv3, since those protocol versions have known security issues. Combined with SSLv23_METHOD, this leaves TLSv1.0 and up negotiable and nothing older.
Furthermore, extensive tests were added for:
- Verifying the behavior of SecureCiphersContextFactory
- Verifying the preferred ciphersuite list
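The following is an added example, not clarent's own SecureCiphersContextFactory, showing the same hardening applied to a TLS context and a check of the kind the tests above perform. It uses the Python standard library's ssl module rather than PyOpenSSL so it runs without extra dependencies: ssl.PROTOCOL_TLS_CLIENT plays the role of SSLv23_METHOD (negotiate the highest mutually supported version), and the cipher string PREFERRED_CIPHERS is an illustrative list of my own, not clarent's preferred list.

```python
"""Hardened TLS context with an audit function (added example, stdlib ssl)."""
import ssl

# Options corresponding to what SecureCiphersContextFactory is described as
# setting. On OpenSSL >= 1.1.0, SSLv2 is compiled out and single-use (EC)DH
# keys are always on, so some of these constants are 0 there; OR-ing them in
# is still harmless and keeps the intent explicit in the code.
HARDENING_OPTIONS = (
    ssl.OP_NO_SSLv2
    | ssl.OP_NO_SSLv3
    | ssl.OP_NO_COMPRESSION
    | ssl.OP_SINGLE_DH_USE
    | ssl.OP_SINGLE_ECDH_USE
)

# Illustrative ciphersuite policy (assumption, not clarent's list): forward
# secret AEAD suites only, with anonymous, NULL, export, RC4, MD5 and (3)DES
# suites excluded explicitly so they cannot creep back in via "ALL".
PREFERRED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES:!3DES"
)

# Substrings that should never appear in a negotiable cipher name.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES", "ADH", "AECDH")


def make_context():
    """Build a client-side SSLContext with the hardening options applied.

    PROTOCOL_TLS_CLIENT negotiates the highest version both sides support;
    OP_NO_SSLv2 / OP_NO_SSLv3 and minimum_version pin the floor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= HARDENING_OPTIONS
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers raises ssl.SSLError when the linked OpenSSL supports none
    # of the requested suites. That failure is exactly the "is there a
    # supported ciphersuite on this OpenSSL" condition the changelog tests.
    ctx.set_ciphers(PREFERRED_CIPHERS)
    return ctx


def audit_context(ctx):
    """Return a report dict saying whether ctx meets the policy above."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {
        "options_set": (ctx.options & HARDENING_OPTIONS) == HARDENING_OPTIONS,
        "cipher_count": len(names),
        "weak_ciphers": weak,
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    report = audit_context(make_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The audit walks ctx.get_ciphers(), which lists only the suites the linked OpenSSL will actually negotiate, so running it on a developer machine with an old OpenSSL is a cheap way to catch a cipher string that silently matched nothing useful.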
Moved dependencies into setup.py. This should make clarent easier to install.
Calling makeCredentials when the credentials already exist now raises an exception; previously, the old credentials were silently overwritten. This wasn't an issue given the way callers used this function previously, but it can be an issue for future implementations.
Added an SSL context factory that wraps other context factories, but limits them to secure ciphers.
- Added clarent.path, which gets data paths where you can dump some stuff.
- getContextFactory and makeCredentials are now citizens of clarent.certificate.
Bugfix: clarent no longer produces certificates without validity periods (notBefore and notAfter). While silently dumping these certs to disk appeared to succeed (yay, OpenSSL!), the produced file would blow up any tool trying to read it, be it PyOpenSSL or the openssl x509 command line tool.

This bug was fixed by adding notBefore and notAfter. A unit test was added that does nothing but dump and load the produced certificate as well.
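As an added example of the fix and of the dump-and-load round trip described above (not clarent's own makeCredentials code), the following builds a self-signed certificate with PyOpenSSL's crypto API, sets both validity bounds, serialises it to PEM and parses it back. The with_validity flag, the 2048-bit RSA key, the serial number and the common name are assumptions made for this illustration.

```python
"""Self-signed certificate with an explicit validity period, plus the PEM
dump-and-load round trip (added example using PyOpenSSL, not clarent's code)."""
from OpenSSL import crypto

ONE_DAY = 24 * 60 * 60


def make_self_signed_cert(common_name, days=365, with_validity=True):
    """Return (key, cert) for a self-signed X.509 v3 certificate.

    with_validity=False reproduces the shape of the bug above: an X509 whose
    notBefore/notAfter were never set. It exists only so the round trip can be
    tried on such an object; never write a certificate like that to disk.
    """
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)  # assumption: RSA-2048 is enough here

    cert = crypto.X509()
    cert.set_version(2)  # X.509 v3
    cert.set_serial_number(1)  # assumption: the caller tracks serial numbers
    subject = cert.get_subject()
    subject.CN = common_name
    cert.set_issuer(subject)  # self-signed: issuer == subject
    cert.set_pubkey(key)
    if with_validity:
        # This is the fix: without these two calls the certificate has no
        # validity period and readers choke on the encoded result.
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(days * ONE_DAY)
    cert.sign(key, "sha256")
    return key, cert


def round_trip(cert):
    """Serialise to PEM and parse it back, as the added unit test does."""
    pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
    return crypto.load_certificate(crypto.FILETYPE_PEM, pem)


def has_validity_period(cert):
    """True if both notBefore and notAfter are present and non-empty.

    PyOpenSSL returns None for an ASN.1 time that was never set, so this
    catches the buggy shape before anything is written to disk.
    """
    return bool(cert.get_notBefore()) and bool(cert.get_notAfter())


if __name__ == "__main__":
    for with_validity in (True, False):
        try:
            _key, cert = make_self_signed_cert("example.invalid",
                                               with_validity=with_validity)
            loaded = round_trip(cert)
            print(f"with_validity={with_validity}: round trip ok, "
                  f"validity present={has_validity_period(loaded)}")
        except Exception as exc:  # OpenSSL may reject it at sign, dump or load
            print(f"with_validity={with_validity}: failed: {exc!r}")
```

Whether the no-validity variant fails at signing, at serialisation or only when read back depends on the OpenSSL version linked into PyOpenSSL; the has_validity_period check is independent of that and is the cheaper guard to run before persisting anything.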
- Removed the authentication API; all authentication is now done using TLS certificates.
- Added tools for making TLS keys and certificates.
Fixes for the tests of the auth API.
New TOFU-POP auth API.
Drastically simplified exercise interface: no more multiple steps, just rendering plus an asynchronous, out-of-band notification to the user when an exercise has been completed.
Initial version; includes the usual tox-based CI stuff.
Features:
- Exercise API AMP commands and exceptions, with tests, from merlin
The server side to this is called merlyn, because the step-by-step oracle-like model reminded me of Merlin in the AM complexity class and Arthur-Merlin protocols. (It's not spelled the usual Merlin, because that primo PyPI real estate was already taken up by some weird setuptools fork.)
Arthur was named afterwards, since it's the other side of the Arthur-Merlin protocol. I decided to keep the trend; Clarent was King Arthur's ceremonial sword.