File: TLSConfiguration.swift

//===----------------------------------------------------------------------===//
//
// This source file is part of the SwiftNIO open source project
//
// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
// See CONTRIBUTORS.txt for the list of SwiftNIO project authors
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//

#if compiler(>=5.1)
@_implementationOnly import CNIOBoringSSL
#else
import CNIOBoringSSL
#endif
import NIO

/// Known and supported TLS versions.
///
/// Cases are listed from oldest to newest protocol version. `TLSConfiguration.minimumTLSVersion`
/// and `TLSConfiguration.maximumTLSVersion` take values of this type to bound negotiation.
public enum TLSVersion {
    /// TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3 respectively.
    case tlsv1, tlsv11, tlsv12, tlsv13
}

/// Places NIOSSL can obtain certificates from.
///
/// Used for the certificates a peer *offers* (`TLSConfiguration.certificateChain`), not for
/// trust anchors; those are `NIOSSLTrustRoots`.
public enum NIOSSLCertificateSource: Hashable {
    /// A filesystem path to a certificate. Deprecated: load the file with
    /// `NIOSSLCertificate.fromPEMFile(_:)` and pass the result via `.certificate` instead.
    @available(*, deprecated, message: "Use 'NIOSSLCertificate.fromPEMFile(_:)' to load the certificate(s) and use the '.certificate(NIOSSLCertificate)' case to provide them as a source")
    case file(String)
    /// An already-loaded certificate.
    case certificate(NIOSSLCertificate)
}

/// Places NIOSSL can obtain private keys from.
///
/// The key must correspond to the leaf certificate in `TLSConfiguration.certificateChain`.
public enum NIOSSLPrivateKeySource: Hashable {
    /// A filesystem path to the private key; the file is read when the key is needed, not here.
    case file(String)
    /// An already-loaded private key.
    case privateKey(NIOSSLPrivateKey)
}

/// Places NIOSSL can obtain a trust store from.
///
/// The trust store determines which peer certificates pass `CertificateVerification`, so it
/// should be the narrowest set of anchors that still covers the peers you expect to talk to.
public enum NIOSSLTrustRoots: Hashable {
    /// Path to either a file of CA certificates in PEM format, or a directory containing CA certificates in PEM format.
    ///
    /// If a path to a file is provided, the file can contain several CA certificates identified by
    ///
    ///     -----BEGIN CERTIFICATE-----
    ///     ... (CA certificate in base64 encoding) ...
    ///     -----END CERTIFICATE-----
    ///
    /// sequences. Before, between, and after the certificates, text is allowed which can be used e.g.
    /// for descriptions of the certificates.
    ///
    /// If a path to a directory is provided, the files each contain one CA certificate in PEM format.
    case file(String)

    /// A list of certificates.
    case certificates([NIOSSLCertificate])

    /// The system default root of trust.
    ///
    /// This is what `TLSConfiguration.makeClientConfiguration()` and
    /// `makeServerConfiguration(certificateChain:privateKey:)` select, and what a `nil`
    /// `TLSConfiguration.trustRoots` falls back to when verification is enabled.
    case `default`

    /// Widens an `NIOSSLAdditionalTrustRoots` value into a `NIOSSLTrustRoots`.
    ///
    /// The two enums share the `.file` and `.certificates` shapes; only `.default` has no
    /// counterpart on the additional-roots side, so every input maps to exactly one case here.
    internal init(from trustRoots: NIOSSLAdditionalTrustRoots) {
        switch trustRoots {
        case .file(let path):
            self = .file(path)
        case .certificates(let certs):
            self = .certificates(certs)
        }
    }
}

/// Places NIOSSL can obtain additional trust roots from.
///
/// These are added on top of `TLSConfiguration.trustRoots` (see
/// `TLSConfiguration.additionalTrustRoots`). Unlike `NIOSSLTrustRoots` there is no `.default`
/// case: this type only ever names extra anchors, never the system store. Each value converts
/// to a `NIOSSLTrustRoots` via `NIOSSLTrustRoots.init(from:)`.
public enum NIOSSLAdditionalTrustRoots: Hashable {
    /// See `NIOSSLTrustRoots.file`
    case file(String)

    /// See `NIOSSLTrustRoots.certificates`
    case certificates([NIOSSLCertificate])
}

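/// Available ciphers to use for TLS instead of a string based representation.
///
/// The raw value is the two-byte IANA cipher suite identifier as it appears on the wire
/// (for example `0x1301` for `TLS_AES_128_GCM_SHA256`). The named constants cover the suites
/// this module expects to be used; any other identifier can still be wrapped, but BoringSSL
/// may not know it (see `standardName`).
public struct NIOTLSCipher: RawRepresentable, Hashable {
    /// Wraps an IANA cipher suite identifier. No validation happens here; whether BoringSSL
    /// recognises the value is only discovered when `standardName` is read.
    public init(rawValue: UInt16) {
        self.rawValue = rawValue
    }
    
    /// Unlabelled convenience form of `init(rawValue:)`.
    public init(_ rawValue: RawValue) {
        self.rawValue = rawValue
    }
    
    /// The IANA cipher suite identifier.
    public var rawValue: UInt16
    public typealias RawValue = UInt16
    
    // TLS 1.2-and-earlier suites (static RSA, then ECDHE); the `_CBC_` ones are not AEAD.
    public static let TLS_RSA_WITH_AES_128_CBC_SHA                    = NIOTLSCipher(rawValue: 0x2F)
    public static let TLS_RSA_WITH_AES_256_CBC_SHA                    = NIOTLSCipher(rawValue: 0x35)
    public static let TLS_RSA_WITH_AES_128_GCM_SHA256                 = NIOTLSCipher(rawValue: 0x9C)
    public static let TLS_RSA_WITH_AES_256_GCM_SHA384                 = NIOTLSCipher(rawValue: 0x9D)
    // TLS 1.3 suites (0x13xx); `TLSConfiguration.cipherSuites` documents that these cannot be configured.
    public static let TLS_AES_128_GCM_SHA256                          = NIOTLSCipher(rawValue: 0x1301)
    public static let TLS_AES_256_GCM_SHA384                          = NIOTLSCipher(rawValue: 0x1302)
    public static let TLS_CHACHA20_POLY1305_SHA256                    = NIOTLSCipher(rawValue: 0x1303)
    public static let TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA            = NIOTLSCipher(rawValue: 0xC009)
    public static let TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA            = NIOTLSCipher(rawValue: 0xC00A)
    public static let TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA              = NIOTLSCipher(rawValue: 0xC013)
    public static let TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA              = NIOTLSCipher(rawValue: 0xC014)
    public static let TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256         = NIOTLSCipher(rawValue: 0xC02B)
    public static let TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384         = NIOTLSCipher(rawValue: 0xC02C)
    public static let TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256           = NIOTLSCipher(rawValue: 0xC02F)
    public static let TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384           = NIOTLSCipher(rawValue: 0xC030)
    public static let TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     = NIOTLSCipher(rawValue: 0xCCA8)
    public static let TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   = NIOTLSCipher(rawValue: 0xCCA9)
    
    /// The standard (IANA) name of this cipher suite as BoringSSL reports it.
    ///
    /// `TLSConfiguration.cipherSuiteValues` joins these names with `:` to build the cipher
    /// string handed to BoringSSL. BoringSSL returns a null pointer for raw values it has no
    /// cipher for; rather than passing that pointer on to the name lookup (an undiagnosable
    /// null dereference), fail with a message naming the offending value. Unknown values are a
    /// programming error on the caller's side, which is why this traps instead of throwing.
    var standardName: String {
        guard let boringSSLCipher = CNIOBoringSSL_SSL_get_cipher_by_value(self.rawValue) else {
            preconditionFailure("No BoringSSL cipher suite for raw value 0x\(String(self.rawValue, radix: 16, uppercase: true))")
        }
        return String(cString: CNIOBoringSSL_SSL_CIPHER_standard_name(boringSSLCipher))
    }
}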

/// Formats NIOSSL supports for serializing keys and certificates.
///
/// `pem` is the base64 text form wrapped in `-----BEGIN …-----`/`-----END …-----` lines;
/// `der` is the raw binary ASN.1 encoding.
public enum NIOSSLSerializationFormats {
    case pem, der
}

/// Certificate verification modes.
///
/// Controls how much of the peer's certificate is checked. The trust store used for the
/// chain check comes from `TLSConfiguration.trustRoots` / `additionalTrustRoots`.
public enum CertificateVerification {
    /// All certificate verification disabled.
    ///
    /// The peer's certificate is accepted as presented: neither its chain nor its hostname is
    /// checked, so the connection is encrypted but the peer is not authenticated. This is the
    /// default `makeServerConfiguration(certificateChain:privateKey:)` selects (no client-
    /// certificate verification); a client that uses it cannot tell a genuine server from an
    /// interposed one.
    case none

    /// Certificates will be validated against the trust store, but will not
    /// be checked to see if they are valid for the given hostname.
    ///
    /// Any certificate that chains to a trusted root passes, whatever name it was issued for,
    /// so the guarantee is "issued by someone we trust", not "is the host we meant to reach".
    case noHostnameVerification

    /// Certificates will be validated against the trust store and checked
    /// against the hostname of the service we are contacting.
    ///
    /// This is the mode `makeClientConfiguration()` selects.
    case fullVerification
}

/// Support for TLS renegotiation.
///
/// In general, renegotiation should not be enabled except in circumstances where it is absolutely necessary.
/// Renegotiation is only supported in TLS 1.2 and earlier, and generally does not work very well. NIOSSL will
/// disallow most uses of renegotiation: the only supported use-case is to perform post-connection authentication
/// *as a client*. There is no way to initiate a TLS renegotiation in NIOSSL.
public enum NIORenegotiationSupport {
    /// No support for TLS renegotiation. The default and recommended setting.
    ///
    /// Both `makeClientConfiguration()` and `makeServerConfiguration(certificateChain:privateKey:)`
    /// start from this value; a server-initiated renegotiation request is rejected.
    case none

    /// Allow renegotiation exactly once. If you must use renegotiation, use this setting.
    ///
    /// Sufficient for the one supported use-case, a server asking the client to authenticate
    /// after the connection is up, while bounding how often the peer can restart the handshake.
    case once

    /// Allow repeated renegotiation. To be avoided.
    ///
    /// Lets the peer trigger handshakes at will for the lifetime of the connection.
    case always
}

/// Signature algorithms. The values are defined as in TLS 1.3
///
/// The raw value is the two-byte `SignatureScheme` code point from RFC 8446 §4.2.3, so an
/// instance can be built for a scheme that has no named constant here. Used by
/// `TLSConfiguration.verifySignatureAlgorithms` and `signingSignatureAlgorithms`.
public struct SignatureAlgorithm : RawRepresentable, Hashable {
    public typealias RawValue = UInt16

    /// The TLS `SignatureScheme` code point.
    public var rawValue: UInt16

    /// Wraps a `SignatureScheme` code point without validating it.
    public init(rawValue: UInt16) {
        self.rawValue = rawValue
    }

    // MARK: RSASSA-PKCS1-v1_5
    public static let rsaPkcs1Sha1 = SignatureAlgorithm(rawValue: 0x0201)
    public static let rsaPkcs1Sha256 = SignatureAlgorithm(rawValue: 0x0401)
    public static let rsaPkcs1Sha384 = SignatureAlgorithm(rawValue: 0x0501)
    public static let rsaPkcs1Sha512 = SignatureAlgorithm(rawValue: 0x0601)

    // MARK: ECDSA
    public static let ecdsaSha1 = SignatureAlgorithm(rawValue: 0x0203)
    public static let ecdsaSecp256R1Sha256 = SignatureAlgorithm(rawValue: 0x0403)
    public static let ecdsaSecp384R1Sha384 = SignatureAlgorithm(rawValue: 0x0503)
    public static let ecdsaSecp521R1Sha512 = SignatureAlgorithm(rawValue: 0x0603)

    // MARK: RSASSA-PSS with rsaEncryption keys
    public static let rsaPssRsaeSha256 = SignatureAlgorithm(rawValue: 0x0804)
    public static let rsaPssRsaeSha384 = SignatureAlgorithm(rawValue: 0x0805)
    public static let rsaPssRsaeSha512 = SignatureAlgorithm(rawValue: 0x0806)

    // MARK: EdDSA
    public static let ed25519 = SignatureAlgorithm(rawValue: 0x0807)
}


/// A secure default configuration of cipher suites for TLS 1.2 and earlier.
///
/// The goal of this cipher suite string is:
/// - Prefer cipher suites that offer Perfect Forward Secrecy (DHE/ECDHE)
/// - Prefer ECDH(E) to DH(E) for performance.
/// - Prefer any AEAD cipher suite over non-AEAD suites for better performance and security
/// - Prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common
/// - Disable NULL authentication and encryption and any appearance of MD5
///
/// The value is an OpenSSL-syntax cipher string: `:`-separated groups in descending order of
/// preference, followed by `!`-prefixed groups that are excluded outright. The trailing
/// `RSA+…` groups use static RSA key exchange and so have no forward secrecy; they are kept as a
/// last resort for peers that offer nothing better.
public let defaultCipherSuites: String = {
    // Most preferred first.
    let preferredGroups = [
        "ECDH+AESGCM", "ECDH+CHACHA20",
        "DH+AESGCM", "DH+CHACHA20",
        "ECDH+AES256", "DH+AES256",
        "ECDH+AES128", "DH+AES",
        "RSA+AESGCM", "RSA+AES",
    ]
    // Hard exclusions: no anonymous (unauthenticated) suites, no NULL encryption, no MD5.
    let excludedGroups = ["!aNULL", "!eNULL", "!MD5"]
    return (preferredGroups + excludedGroups).joined(separator: ":")
}()

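/// Encodes a string to the wire format of an ALPN identifier: a one-byte length prefix
/// followed by the identifier's ASCII bytes (RFC 7301 `ProtocolName`, 1–255 bytes).
///
/// Identifiers MUST be ASCII and at most 255 bytes, and this routine will crash the program
/// if they aren't, as these are always user-supplied strings. The checks are explicit
/// preconditions so the failure message names the offending identifier instead of surfacing
/// as an integer-conversion or force-unwrap trap. An empty string is not rejected here and
/// encodes as a lone zero byte.
///
/// - Parameter identifier: The application protocol name, e.g. `"h2"`.
/// - Returns: `[count] + bytes`, suitable for concatenation into the ALPN extension.
internal func encodeALPNIdentifier(identifier: String) -> [UInt8] {
    let bytes = Array(identifier.utf8)
    precondition(bytes.count <= Int(UInt8.max),
                 "ALPN identifier exceeds 255 bytes: \(identifier)")
    // For ASCII input the UTF-8 bytes are exactly the ASCII encoding, so checking the bytes is
    // equivalent to encoding each scalar with Unicode.ASCII.
    precondition(bytes.allSatisfy { $0 < 0x80 },
                 "ALPN identifier is not ASCII: \(identifier)")

    var encodedIdentifier: [UInt8] = []
    encodedIdentifier.reserveCapacity(bytes.count + 1)
    encodedIdentifier.append(UInt8(bytes.count))
    encodedIdentifier.append(contentsOf: bytes)
    return encodedIdentifier
}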

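/// Decodes a string from the wire format of an ALPN identifier; the inverse of
/// `encodeALPNIdentifier(identifier:)`.
///
/// The input MUST carry its one-byte length prefix: an empty array has no prefix to strip and
/// trips the precondition (previously this surfaced as an invalid-range trap). Only the framing
/// is validated — the prefix is not cross-checked against the payload length, and bytes outside
/// ASCII are replaced with U+FFFD by `String(decoding:as:)` rather than rejected.
///
/// - Parameter identifier: `[count] + ASCII bytes`, as produced by `encodeALPNIdentifier`.
/// - Returns: The identifier text without its length prefix.
internal func decodeALPNIdentifier(identifier: [UInt8]) -> String {
    precondition(!identifier.isEmpty, "ALPN identifier is missing its length prefix")
    return String(decoding: identifier.dropFirst(), as: Unicode.ASCII.self)
}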

/// Manages configuration of TLS for SwiftNIO programs.
///
/// Obtain one via `makeClientConfiguration()` or
/// `makeServerConfiguration(certificateChain:privateKey:)` and then adjust the public
/// properties; the memberwise initialiser is private. This is a value type, so each
/// configuration is an independent copy.
public struct TLSConfiguration {
    /// A default TLS configuration for client use.
    ///
    /// Built once from `makeClientConfiguration()`; being a struct, reads hand out copies.
    public static let clientDefault = TLSConfiguration.makeClientConfiguration()

    /// The minimum TLS version to allow in negotiation. Defaults to tlsv1.
    ///
    /// NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996); deployments that do not need
    /// to talk to legacy peers usually raise this to `.tlsv12`.
    public var minimumTLSVersion: TLSVersion

    /// The maximum TLS version to allow in negotiation. If nil, there is no upper limit. Defaults to nil.
    public var maximumTLSVersion: TLSVersion?

    /// The pre-TLS1.3 cipher suites supported by this handler. This uses the OpenSSL cipher string format.
    /// TLS 1.3 cipher suites cannot be configured.
    ///
    /// Defaults to `defaultCipherSuites`; assigning `cipherSuiteValues` overwrites this string.
    public var cipherSuites: String = defaultCipherSuites
    
    /// Public property used to set the internal cipherSuites from NIOTLSCipher.
    ///
    /// Reading it builds a throwaway `NIOSSLContext` from this configuration and reports the
    /// suites that context resolved from `cipherSuites`; if context creation throws, the error is
    /// swallowed and `[]` is returned, so an empty result is ambiguous (no suites vs. a
    /// configuration BoringSSL rejected) and the getter is comparatively expensive.
    /// Writing it replaces `cipherSuites` with the suites' BoringSSL standard names joined by `:`.
    public var cipherSuiteValues: [NIOTLSCipher] {
        get {
            guard let sslContext = try? NIOSSLContext(configuration: self) else {
                return []
            }
            return sslContext.cipherSuites
        }
        set {
            // `standardName` calls into BoringSSL for each value.
            let assignedCiphers = newValue.map { $0.standardName }
            self.cipherSuites = assignedCiphers.joined(separator: ":")
        }
    }

    /// Allowed algorithms to verify signatures. Passing nil means that a built-in set of algorithms will be used.
    public var verifySignatureAlgorithms : [SignatureAlgorithm]?

    /// Allowed algorithms to sign signatures. Passing nil means that a built-in set of algorithms will be used.
    public var signingSignatureAlgorithms : [SignatureAlgorithm]?

    /// Whether to verify remote certificates.
    ///
    /// `makeClientConfiguration()` sets `.fullVerification`;
    /// `makeServerConfiguration(certificateChain:privateKey:)` sets `.none` (no client-certificate
    /// verification). See `CertificateVerification` for what each mode checks.
    public var certificateVerification: CertificateVerification

    /// The trust roots to use to validate certificates. This only needs to be provided if you intend to validate
    /// certificates.
    ///
    /// - NOTE: If certificate validation is enabled and `trustRoots` is `nil` then the system default root of
    /// trust is used (as if `trustRoots` had been explicitly set to `.default`).
    public var trustRoots: NIOSSLTrustRoots?

    /// Additional trust roots to use to validate certificates, used in addition to `trustRoots`.
    public var additionalTrustRoots: [NIOSSLAdditionalTrustRoots]

    /// The certificates to offer during negotiation. If not present, no certificates will be offered.
    public var certificateChain: [NIOSSLCertificateSource]

    /// The private key associated with the leaf certificate.
    public var privateKey: NIOSSLPrivateKeySource?

    /// The application protocols to use in the connection. Should be an ordered list of ASCII
    /// strings representing the ALPN identifiers of the protocols to negotiate. For clients,
    /// the protocols will be offered in the order given. For servers, the protocols will be matched
    /// against the client's offered protocols in order.
    ///
    /// Stored wire-encoded in `encodedApplicationProtocols`; the setter runs each string through
    /// `encodeALPNIdentifier`, which traps on non-ASCII or over-long identifiers.
    public var applicationProtocols: [String] {
        get {
            return self.encodedApplicationProtocols.map(decodeALPNIdentifier)
        }
        set {
            self.encodedApplicationProtocols = newValue.map(encodeALPNIdentifier)
        }
    }

    /// `applicationProtocols` in ALPN wire format (one length-prefixed byte array per protocol).
    internal var encodedApplicationProtocols: [[UInt8]]

    /// The amount of time to wait after initiating a shutdown before performing an unclean
    /// shutdown. Defaults to 5 seconds.
    public var shutdownTimeout: TimeAmount

    /// A callback that can be used to implement `SSLKEYLOGFILE` support.
    ///
    /// The logged key material allows the session's traffic to be decrypted, so this is a
    /// debugging aid; `nil` (the default from both factory methods) disables it.
    public var keyLogCallback: NIOSSLKeyLogCallback?

    /// Whether renegotiation is supported.
    ///
    /// Defaults to `.none`; see `NIORenegotiationSupport` for why the other values are discouraged.
    public var renegotiationSupport: NIORenegotiationSupport
    
    /// Send the CA names derived from the `trustRoots` for client authentication.
    /// This instructs the client which identities can be used by evaluating what CA the identity certificate was issued from.
    ///
    /// Defaults to `false`.
    public var sendCANameList: Bool

    /// Memberwise initialiser shared by the factory methods.
    ///
    /// `cipherSuites` is assigned first and then overwritten through `cipherSuiteValues` when the
    /// caller passed a non-empty `cipherSuiteValues` (that path calls into BoringSSL to resolve
    /// names). `encodedApplicationProtocols` is given its empty value before the
    /// `applicationProtocols` computed setter is used, since the setter writes through to it;
    /// the remaining assignment order carries no meaning.
    private init(cipherSuiteValues: [NIOTLSCipher] = [],
                 cipherSuites: String = defaultCipherSuites,
                 verifySignatureAlgorithms: [SignatureAlgorithm]?,
                 signingSignatureAlgorithms: [SignatureAlgorithm]?,
                 minimumTLSVersion: TLSVersion,
                 maximumTLSVersion: TLSVersion?,
                 certificateVerification: CertificateVerification,
                 trustRoots: NIOSSLTrustRoots,
                 certificateChain: [NIOSSLCertificateSource],
                 privateKey: NIOSSLPrivateKeySource?,
                 applicationProtocols: [String],
                 shutdownTimeout: TimeAmount,
                 keyLogCallback: NIOSSLKeyLogCallback?,
                 renegotiationSupport: NIORenegotiationSupport,
                 additionalTrustRoots: [NIOSSLAdditionalTrustRoots],
                 sendCANameList: Bool = false) {
        self.cipherSuites = cipherSuites
        self.verifySignatureAlgorithms = verifySignatureAlgorithms
        self.signingSignatureAlgorithms = signingSignatureAlgorithms
        self.minimumTLSVersion = minimumTLSVersion
        self.maximumTLSVersion = maximumTLSVersion
        self.certificateVerification = certificateVerification
        self.trustRoots = trustRoots
        self.additionalTrustRoots = additionalTrustRoots
        self.certificateChain = certificateChain
        self.privateKey = privateKey
        // Stored backing must exist before the computed `applicationProtocols` setter runs.
        self.encodedApplicationProtocols = []
        self.shutdownTimeout = shutdownTimeout
        self.renegotiationSupport = renegotiationSupport
        self.sendCANameList = sendCANameList
        self.applicationProtocols = applicationProtocols
        self.keyLogCallback = keyLogCallback
        // Explicit NIOTLSCipher values win over the cipher string assigned above.
        if !cipherSuiteValues.isEmpty {
            self.cipherSuiteValues = cipherSuiteValues
        }
    }
}

// MARK: BestEffortHashable
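extension TLSConfiguration {
    /// Returns a best effort result of whether two `TLSConfiguration` objects are equal.
    ///
    /// The "best effort" stems from the fact that we are checking the pointer to the `keyLogCallback` closure:
    /// two closures that do the same thing but were created separately compare unequal.
    ///
    /// Every other stored property is compared directly, including `sendCANameList`; leaving a
    /// property out here would make two configurations that differ in it compare equal, which
    /// is exactly the false-positive this function promises not to produce.
    ///
    /// - warning: You should probably not use this function. This function can return false-negatives, but not false-positives.
    public func bestEffortEquals(_ comparing: TLSConfiguration) -> Bool {
        // Compare the closure's stored representation byte-for-byte; identical bytes imply the
        // same function and context, differing bytes say nothing about the closures' behaviour.
        let isKeyLoggerCallbacksEqual = withUnsafeBytes(of: self.keyLogCallback) { callbackPointer1 in
            return withUnsafeBytes(of: comparing.keyLogCallback) { callbackPointer2 in
                return callbackPointer1.elementsEqual(callbackPointer2)
            }
        }
        
        return self.minimumTLSVersion == comparing.minimumTLSVersion &&
            self.maximumTLSVersion == comparing.maximumTLSVersion &&
            self.cipherSuites == comparing.cipherSuites &&
            self.verifySignatureAlgorithms == comparing.verifySignatureAlgorithms &&
            self.signingSignatureAlgorithms == comparing.signingSignatureAlgorithms &&
            self.certificateVerification == comparing.certificateVerification &&
            self.trustRoots == comparing.trustRoots &&
            self.additionalTrustRoots == comparing.additionalTrustRoots &&
            self.certificateChain == comparing.certificateChain &&
            self.privateKey == comparing.privateKey &&
            self.encodedApplicationProtocols == comparing.encodedApplicationProtocols &&
            self.shutdownTimeout == comparing.shutdownTimeout &&
            isKeyLoggerCallbacksEqual &&
            self.renegotiationSupport == comparing.renegotiationSupport &&
            self.sendCANameList == comparing.sendCANameList
    }
    
    /// Returns a best effort hash of this TLS configuration.
    ///
    /// The "best effort" stems from the fact that we are hashing the pointer bytes of the `keyLogCallback` closure.
    ///
    /// The set of properties fed to the hasher mirrors `bestEffortEquals` (including
    /// `sendCANameList`), so configurations that compare equal hash identically.
    ///
    /// - warning: You should probably not use this function. Its consistency guarantee is only relative to `bestEffortEquals`.
    public func bestEffortHash(into hasher: inout Hasher) {
        hasher.combine(minimumTLSVersion)
        hasher.combine(maximumTLSVersion)
        hasher.combine(cipherSuites)
        hasher.combine(verifySignatureAlgorithms)
        hasher.combine(signingSignatureAlgorithms)
        hasher.combine(certificateVerification)
        hasher.combine(trustRoots)
        hasher.combine(additionalTrustRoots)
        hasher.combine(certificateChain)
        hasher.combine(privateKey)
        hasher.combine(encodedApplicationProtocols)
        hasher.combine(shutdownTimeout)
        withUnsafeBytes(of: keyLogCallback) { closureBits in
            hasher.combine(bytes: closureBits)
        }
        hasher.combine(renegotiationSupport)
        hasher.combine(sendCANameList)
    }

    /// Creates a TLS configuration for use with client-side contexts.
    ///
    /// This provides sensible defaults, and can be used without customisation. For server-side
    /// contexts, you should use `makeServerConfiguration` instead.
    ///
    /// The defaults verify the server's certificate chain and hostname against the system trust
    /// store (`.fullVerification`, `.default`), offer no client certificate, allow TLS 1.0 and
    /// up, and disable renegotiation and key logging.
    ///
    /// For customising fields, modify the returned TLSConfiguration object.
    public static func makeClientConfiguration() -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: defaultCipherSuites,
                                verifySignatureAlgorithms: nil,
                                signingSignatureAlgorithms: nil,
                                minimumTLSVersion: .tlsv1,
                                maximumTLSVersion: nil,
                                certificateVerification: .fullVerification,
                                trustRoots: .default,
                                certificateChain: [],
                                privateKey: nil,
                                applicationProtocols: [],
                                shutdownTimeout: .seconds(5),
                                keyLogCallback: nil,
                                renegotiationSupport: .none,
                                additionalTrustRoots: [],
                                sendCANameList: false)
    }

    /// Create a TLS configuration for use with server-side contexts.
    ///
    /// This provides sensible defaults while requiring that you provide any data that is necessary
    /// for server-side function. For client use, try `makeClientConfiguration` instead.
    ///
    /// The defaults do not verify client certificates (`.none`); to require client
    /// authentication, set `certificateVerification` and `trustRoots` on the result.
    ///
    /// For customising fields, modify the returned TLSConfiguration object.
    ///
    /// - Parameters:
    ///   - certificateChain: The certificates to present, leaf first.
    ///   - privateKey: The key matching the leaf certificate.
    public static func makeServerConfiguration(
        certificateChain: [NIOSSLCertificateSource],
        privateKey: NIOSSLPrivateKeySource
    ) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: defaultCipherSuites,
                                verifySignatureAlgorithms: nil,
                                signingSignatureAlgorithms: nil,
                                minimumTLSVersion: .tlsv1,
                                maximumTLSVersion: nil,
                                certificateVerification: .none,
                                trustRoots: .default,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: [],
                                shutdownTimeout: .seconds(5),
                                keyLogCallback: nil,
                                renegotiationSupport: .none,
                                additionalTrustRoots: [],
                                sendCANameList: false)
    }
}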

// MARK: Deprecated constructors.

// These factories predate `makeClientConfiguration()` and
// `makeServerConfiguration(certificateChain:privateKey:)` and are kept for source compatibility
// only. Their parameter order and default values are part of the deprecated API contract, so they
// must not change; each one simply forwards to the full `TLSConfiguration` initializer.
extension TLSConfiguration {
    /// Create a TLS configuration for use with server-side contexts. This allows setting the `NIOTLSCipher` property specifically.
    ///
    /// This provides sensible defaults while requiring that you provide any data that is necessary
    /// for server-side function. For client use, try `makeClientConfiguration` instead.
    ///
    /// - Note: The defaults are security-relevant. `minimumTLSVersion` is `.tlsv1`, so TLS 1.0 and
    ///   1.1 handshakes are not rejected on version alone, and `certificateVerification` is `.none`,
    ///   so client certificates are not verified unless the caller opts in. `keyLogCallback` is
    ///   presumably a hook that hands session secrets to debugging tools (NOTE(review): confirm
    ///   against `NIOSSLKeyLogCallback`); leave it `nil` in production. Renegotiation is always
    ///   disabled for servers and cannot be enabled through this overload.
    @available(*, deprecated, renamed: "makeServerConfiguration(certificateChain:privateKey:)")
    public static func forServer(certificateChain: [NIOSSLCertificateSource],
                                 privateKey: NIOSSLPrivateKeySource,
                                 cipherSuites: [NIOTLSCipher],
                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .none,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
                                 additionalTrustRoots: [NIOSSLAdditionalTrustRoots] = []) -> TLSConfiguration {
        // Typed cipher list goes through the `cipherSuiteValues:` initializer label rather than the
        // string-based `cipherSuites:` one used by the other overloads.
        return TLSConfiguration(cipherSuiteValues: cipherSuites,
                                verifySignatureAlgorithms: verifySignatureAlgorithms,
                                signingSignatureAlgorithms: signingSignatureAlgorithms,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: .none,  // Servers never support renegotiation: there's no point.
                                additionalTrustRoots: additionalTrustRoots)
    }

    /// Create a TLS configuration for use with server-side contexts.
    ///
    /// This provides sensible defaults while requiring that you provide any data that is necessary
    /// for server-side function. For client use, try `makeClientConfiguration` instead.
    ///
    /// - Note: `cipherSuites` is a cipher-suite string defaulting to `defaultCipherSuites`. As with
    ///   the other server overloads, `minimumTLSVersion` defaults to `.tlsv1` (TLS 1.0/1.1 are not
    ///   rejected on version alone) and `certificateVerification` defaults to `.none` (no client
    ///   certificate verification). This overload cannot set signature algorithms or additional
    ///   trust roots; they are forced to `nil` and `[]` respectively.
    @available(*, deprecated, renamed: "makeServerConfiguration(certificateChain:privateKey:)")
    public static func forServer(certificateChain: [NIOSSLCertificateSource],
                                 privateKey: NIOSSLPrivateKeySource,
                                 cipherSuites: String = defaultCipherSuites,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .none,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: cipherSuites,
                                verifySignatureAlgorithms: nil,
                                signingSignatureAlgorithms: nil,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: .none,  // Servers never support renegotiation: there's no point.
                                additionalTrustRoots: [])
    }

    /// Create a TLS configuration for use with server-side contexts.
    ///
    /// This provides sensible defaults while requiring that you provide any data that is necessary
    /// for server-side function. For client use, try `makeClientConfiguration` instead.
    ///
    /// - Note: Same defaults as the other server overloads (`minimumTLSVersion: .tlsv1`,
    ///   `certificateVerification: .none`, `keyLogCallback: nil`); see the notes there. This
    ///   overload adds the signature-algorithm lists but still forces `additionalTrustRoots` to `[]`.
    @available(*, deprecated, renamed: "makeServerConfiguration(certificateChain:privateKey:)")
    public static func forServer(certificateChain: [NIOSSLCertificateSource],
                                 privateKey: NIOSSLPrivateKeySource,
                                 cipherSuites: String = defaultCipherSuites,
                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .none,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: cipherSuites,
                                verifySignatureAlgorithms: verifySignatureAlgorithms,
                                signingSignatureAlgorithms: signingSignatureAlgorithms,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: .none,  // Servers never support renegotiation: there's no point.
                                additionalTrustRoots: [])
    }

    /// Create a TLS configuration for use with server-side contexts.
    ///
    /// This provides sensible defaults while requiring that you provide any data that is necessary
    /// for server-side function. For client use, try `makeClientConfiguration` instead.
    ///
    /// - Note: `additionalTrustRoots` has no default here, which is what distinguishes this
    ///   overload from the previous one at the call site. The security-relevant defaults are
    ///   unchanged: `minimumTLSVersion: .tlsv1` and `certificateVerification: .none`, so client
    ///   certificates are not verified unless the caller asks for it.
    @available(*, deprecated, renamed: "makeServerConfiguration(certificateChain:privateKey:)")
    public static func forServer(certificateChain: [NIOSSLCertificateSource],
                                 privateKey: NIOSSLPrivateKeySource,
                                 cipherSuites: String = defaultCipherSuites,
                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .none,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
                                 additionalTrustRoots: [NIOSSLAdditionalTrustRoots]) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: cipherSuites,
                                verifySignatureAlgorithms: verifySignatureAlgorithms,
                                signingSignatureAlgorithms: signingSignatureAlgorithms,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: .none,  // Servers never support renegotiation: there's no point.
                                additionalTrustRoots: additionalTrustRoots)
    }

    /// Creates a TLS configuration for use with client-side contexts. This allows setting the `NIOTLSCipher` property specifically.
    ///
    /// This provides sensible defaults, and can be used without customisation. For server-side
    /// contexts, you should use `makeServerConfiguration` instead.
    ///
    /// - Note: The client verifies the server certificate by default (`certificateVerification:
    ///   .fullVerification` against `trustRoots: .default`); do not lower this for production
    ///   traffic. `minimumTLSVersion` defaults to `.tlsv1`, so TLS 1.0/1.1 servers are accepted
    ///   unless the caller raises it. `renegotiationSupport` defaults to `.none`; keep it there
    ///   unless a peer you must talk to requires renegotiation. `keyLogCallback` presumably
    ///   exposes session secrets for debugging tools (NOTE(review): confirm against
    ///   `NIOSSLKeyLogCallback`); leave it `nil` in production.
    @available(*, deprecated, renamed: "makeClientConfiguration()")
    public static func forClient(cipherSuites: [NIOTLSCipher],
                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .fullVerification,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 certificateChain: [NIOSSLCertificateSource] = [],
                                 privateKey: NIOSSLPrivateKeySource? = nil,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
                                 renegotiationSupport: NIORenegotiationSupport = .none,
                                 additionalTrustRoots: [NIOSSLAdditionalTrustRoots] = []) -> TLSConfiguration {
        // Typed cipher list goes through the `cipherSuiteValues:` initializer label.
        return TLSConfiguration(cipherSuiteValues: cipherSuites,
                                verifySignatureAlgorithms: verifySignatureAlgorithms,
                                signingSignatureAlgorithms: signingSignatureAlgorithms,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: renegotiationSupport,
                                additionalTrustRoots: additionalTrustRoots)
    }

    /// Creates a TLS configuration for use with client-side contexts.
    ///
    /// This provides sensible defaults, and can be used without customisation. For server-side
    /// contexts, you should use `makeServerConfiguration` instead.
    ///
    /// - Note: Server certificate verification is on by default (`.fullVerification` against
    ///   `.default` trust roots); `minimumTLSVersion` defaults to `.tlsv1`. This overload cannot
    ///   set signature algorithms, renegotiation or additional trust roots: they are forced to
    ///   `nil`, `.none` and `[]` respectively.
    @available(*, deprecated, renamed: "makeClientConfiguration()")
    public static func forClient(cipherSuites: String = defaultCipherSuites,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .fullVerification,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 certificateChain: [NIOSSLCertificateSource] = [],
                                 privateKey: NIOSSLPrivateKeySource? = nil,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: cipherSuites,
                                verifySignatureAlgorithms: nil,
                                signingSignatureAlgorithms: nil,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: .none,  // Default value is here for backward-compatibility.
                                additionalTrustRoots: [])
    }


    /// Creates a TLS configuration for use with client-side contexts.
    ///
    /// This provides sensible defaults, and can be used without customisation. For server-side
    /// contexts, you should use `makeServerConfiguration` instead.
    ///
    /// - Note: `renegotiationSupport` is required here (no default), which is what selects this
    ///   overload over the previous one. Prefer `.none` unless a peer requires renegotiation.
    ///   Other defaults as above: `.fullVerification` against `.default` trust roots and
    ///   `minimumTLSVersion: .tlsv1`. Signature algorithms and additional trust roots are forced
    ///   to `nil` and `[]`.
    @available(*, deprecated, renamed: "makeClientConfiguration()")
    public static func forClient(cipherSuites: String = defaultCipherSuites,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .fullVerification,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 certificateChain: [NIOSSLCertificateSource] = [],
                                 privateKey: NIOSSLPrivateKeySource? = nil,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
                                 renegotiationSupport: NIORenegotiationSupport) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: cipherSuites,
                                verifySignatureAlgorithms: nil,
                                signingSignatureAlgorithms: nil,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: renegotiationSupport,
                                additionalTrustRoots: [])
    }

    /// Creates a TLS configuration for use with client-side contexts.
    ///
    /// This provides sensible defaults, and can be used without customisation. For server-side
    /// contexts, you should use `makeServerConfiguration` instead.
    ///
    /// - Note: Like the previous overload, `renegotiationSupport` is required; this one also
    ///   accepts the signature-algorithm lists. `additionalTrustRoots` is still forced to `[]`.
    ///   Security-relevant defaults: `.fullVerification` against `.default` trust roots (keep it)
    ///   and `minimumTLSVersion: .tlsv1` (raise it unless legacy servers must be reached).
    @available(*, deprecated, renamed: "makeClientConfiguration()")
    public static func forClient(cipherSuites: String = defaultCipherSuites,
                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .fullVerification,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 certificateChain: [NIOSSLCertificateSource] = [],
                                 privateKey: NIOSSLPrivateKeySource? = nil,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
                                 renegotiationSupport: NIORenegotiationSupport) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: cipherSuites,
                                verifySignatureAlgorithms: verifySignatureAlgorithms,
                                signingSignatureAlgorithms: signingSignatureAlgorithms,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: renegotiationSupport,
                                additionalTrustRoots: [])
    }

    /// Creates a TLS configuration for use with client-side contexts.
    ///
    /// This provides sensible defaults, and can be used without customisation. For server-side
    /// contexts, you should use `makeServerConfiguration` instead.
    ///
    /// - Note: The most complete of the string-based client overloads: `additionalTrustRoots` is
    ///   required (no default) and selects this overload; `renegotiationSupport` defaults to
    ///   `.none`. Server certificate verification defaults to `.fullVerification` against
    ///   `.default` trust roots, with `additionalTrustRoots` presumably extending rather than
    ///   replacing them (NOTE(review): confirm in the initializer). `minimumTLSVersion` defaults
    ///   to `.tlsv1`.
    @available(*, deprecated, renamed: "makeClientConfiguration()")
    public static func forClient(cipherSuites: String = defaultCipherSuites,
                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
                                 minimumTLSVersion: TLSVersion = .tlsv1,
                                 maximumTLSVersion: TLSVersion? = nil,
                                 certificateVerification: CertificateVerification = .fullVerification,
                                 trustRoots: NIOSSLTrustRoots = .default,
                                 certificateChain: [NIOSSLCertificateSource] = [],
                                 privateKey: NIOSSLPrivateKeySource? = nil,
                                 applicationProtocols: [String] = [],
                                 shutdownTimeout: TimeAmount = .seconds(5),
                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
                                 renegotiationSupport: NIORenegotiationSupport = .none,
                                 additionalTrustRoots: [NIOSSLAdditionalTrustRoots]) -> TLSConfiguration {
        return TLSConfiguration(cipherSuites: cipherSuites,
                                verifySignatureAlgorithms: verifySignatureAlgorithms,
                                signingSignatureAlgorithms: signingSignatureAlgorithms,
                                minimumTLSVersion: minimumTLSVersion,
                                maximumTLSVersion: maximumTLSVersion,
                                certificateVerification: certificateVerification,
                                trustRoots: trustRoots,
                                certificateChain: certificateChain,
                                privateKey: privateKey,
                                applicationProtocols: applicationProtocols,
                                shutdownTimeout: shutdownTimeout,
                                keyLogCallback: keyLogCallback,
                                renegotiationSupport: renegotiationSupport,
                                additionalTrustRoots: additionalTrustRoots)
    }
}