core/homeassistant/util/ssl.py

"""Helper to create SSL contexts."""
import contextlib
from enum import StrEnum
from functools import cache
from os import environ
import ssl

import certifi


class SSLCipherList(StrEnum):
    """SSL cipher lists."""

    PYTHON_DEFAULT = "python_default"
    INTERMEDIATE = "intermediate"
    MODERN = "modern"


SSL_CIPHER_LISTS = {
    SSLCipherList.INTERMEDIATE: (
        "ECDHE-ECDSA-CHACHA20-POLY1305:"
        "ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "DHE-RSA-AES128-GCM-SHA256:"
        "DHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES128-SHA256:"
        "ECDHE-RSA-AES128-SHA256:"
        "ECDHE-ECDSA-AES128-SHA:"
        "ECDHE-RSA-AES256-SHA384:"
        "ECDHE-RSA-AES128-SHA:"
        "ECDHE-ECDSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES256-SHA:"
        "ECDHE-RSA-AES256-SHA:"
        "DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES128-SHA:"
        "DHE-RSA-AES256-SHA256:"
        "DHE-RSA-AES256-SHA:"
        "ECDHE-ECDSA-DES-CBC3-SHA:"
        "ECDHE-RSA-DES-CBC3-SHA:"
        "EDH-RSA-DES-CBC3-SHA:"
        "AES128-GCM-SHA256:"
        "AES256-GCM-SHA384:"
        "AES128-SHA256:"
        "AES256-SHA256:"
        "AES128-SHA:"
        "AES256-SHA:"
        "DES-CBC3-SHA:"
        "!DSS"
    ),
    SSLCipherList.MODERN: (
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
    ),
}


@cache
def create_no_verify_ssl_context(
    ssl_cipher_list: SSLCipherList = SSLCipherList.PYTHON_DEFAULT,
) -> ssl.SSLContext:
    """Return an SSL context that does not verify the server certificate.

    This is a copy of aiohttp's create_default_context() function, with the
    ssl verify turned off.

    https://github.com/aio-libs/aiohttp/blob/33953f110e97eecc707e1402daa8d543f38a189b/aiohttp/connector.py#L911
    """
    sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    sslcontext.check_hostname = False
    sslcontext.verify_mode = ssl.CERT_NONE
    with contextlib.suppress(AttributeError):
        # This only works for OpenSSL >= 1.0.0
        sslcontext.options |= ssl.OP_NO_COMPRESSION
    sslcontext.set_default_verify_paths()
    if ssl_cipher_list != SSLCipherList.PYTHON_DEFAULT:
        sslcontext.set_ciphers(SSL_CIPHER_LISTS[ssl_cipher_list])

    return sslcontext


@cache
def client_context(
    ssl_cipher_list: SSLCipherList = SSLCipherList.PYTHON_DEFAULT,
) -> ssl.SSLContext:
    """Return an SSL context for making requests."""

    # Reuse environment variable definition from requests, since it's already a
    # requirement. If the environment variable has no value, fall back to using
    # certs from certifi package.
    cafile = environ.get("REQUESTS_CA_BUNDLE", certifi.where())

    sslcontext = ssl.create_default_context(
        purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile
    )
    if ssl_cipher_list != SSLCipherList.PYTHON_DEFAULT:
        sslcontext.set_ciphers(SSL_CIPHER_LISTS[ssl_cipher_list])

    return sslcontext


# Create this only once and reuse it
_DEFAULT_SSL_CONTEXT = client_context()
_DEFAULT_NO_VERIFY_SSL_CONTEXT = create_no_verify_ssl_context()


def get_default_context() -> ssl.SSLContext:
    """Return the default SSL context."""
    return _DEFAULT_SSL_CONTEXT


def get_default_no_verify_context() -> ssl.SSLContext:
    """Return the default SSL context that does not verify the server certificate."""
    return _DEFAULT_NO_VERIFY_SSL_CONTEXT


def server_context_modern() -> ssl.SSLContext:
    """Return an SSL context following the Mozilla recommendations.

    TLS configuration follows the best-practice guidelines specified here:
    https://wiki.mozilla.org/Security/Server_Side_TLS
    Modern guidelines are followed.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    context.options |= (
        ssl.OP_NO_SSLv2
        | ssl.OP_NO_SSLv3
        | ssl.OP_NO_TLSv1
        | ssl.OP_NO_TLSv1_1
        | ssl.OP_CIPHER_SERVER_PREFERENCE
    )
    if hasattr(ssl, "OP_NO_COMPRESSION"):
        context.options |= ssl.OP_NO_COMPRESSION

    context.set_ciphers(SSL_CIPHER_LISTS[SSLCipherList.MODERN])

    return context


def server_context_intermediate() -> ssl.SSLContext:
    """Return an SSL context following the Mozilla recommendations.

    TLS configuration follows the best-practice guidelines specified here:
    https://wiki.mozilla.org/Security/Server_Side_TLS
    Intermediate guidelines are followed.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    context.options |= (
        ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_CIPHER_SERVER_PREFERENCE
    )
    if hasattr(ssl, "OP_NO_COMPRESSION"):
        context.options |= ssl.OP_NO_COMPRESSION

    context.set_ciphers(SSL_CIPHER_LISTS[SSLCipherList.INTERMEDIATE])

    return context
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00			`"""Helper to create SSL contexts."""`
Fix httpx client creating a new ssl context with each client (memory leak) (#90191) * Fix httpx client creating a new ssl context with each client While working on https://github.com/home-assistant/core/issues/83524 it was discovered that each new httpx client creates a new ssl context https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_transports/default.py#L261 If an ssl context is passed in creating a new one is avoided here https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_config.py#L110 This change makes httpx ssl no-verify behavior match aiohttp ssl no-verify behavior https://github.com/aio-libs/aiohttp/blob/6da04694fd87a39af9c3856048c9ff23ca815f88/aiohttp/connector.py#L892 aiohttp solved this by wrapping the code that generates the ssl context in an lru_cache * compact 2023-03-24 07:40:47 +00:00			`import contextlib`
Migrate backported StrEnum to built-in StrEnum (#97101) 2023-07-23 21:19:24 +00:00			`from enum import StrEnum`
Add option to select list of accepted ssl ciphers in httpx client (#91389) 2023-04-15 19:32:30 +00:00			`from functools import cache`
Allow using environment cacert file (#38816) 2020-09-04 11:54:20 +00:00			`from os import environ`
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00			`import ssl`

			`import certifi`

Add option to select list of accepted ssl ciphers in httpx client (#91389) 2023-04-15 19:32:30 +00:00
			`class SSLCipherList(StrEnum):`
			`"""SSL cipher lists."""`

			`PYTHON_DEFAULT = "python_default"`
			`INTERMEDIATE = "intermediate"`
			`MODERN = "modern"`


			`SSL_CIPHER_LISTS = {`
			`SSLCipherList.INTERMEDIATE: (`
			`"ECDHE-ECDSA-CHACHA20-POLY1305:"`
			`"ECDHE-RSA-CHACHA20-POLY1305:"`
			`"ECDHE-ECDSA-AES128-GCM-SHA256:"`
			`"ECDHE-RSA-AES128-GCM-SHA256:"`
			`"ECDHE-ECDSA-AES256-GCM-SHA384:"`
			`"ECDHE-RSA-AES256-GCM-SHA384:"`
			`"DHE-RSA-AES128-GCM-SHA256:"`
			`"DHE-RSA-AES256-GCM-SHA384:"`
			`"ECDHE-ECDSA-AES128-SHA256:"`
			`"ECDHE-RSA-AES128-SHA256:"`
			`"ECDHE-ECDSA-AES128-SHA:"`
			`"ECDHE-RSA-AES256-SHA384:"`
			`"ECDHE-RSA-AES128-SHA:"`
			`"ECDHE-ECDSA-AES256-SHA384:"`
			`"ECDHE-ECDSA-AES256-SHA:"`
			`"ECDHE-RSA-AES256-SHA:"`
			`"DHE-RSA-AES128-SHA256:"`
			`"DHE-RSA-AES128-SHA:"`
			`"DHE-RSA-AES256-SHA256:"`
			`"DHE-RSA-AES256-SHA:"`
			`"ECDHE-ECDSA-DES-CBC3-SHA:"`
			`"ECDHE-RSA-DES-CBC3-SHA:"`
			`"EDH-RSA-DES-CBC3-SHA:"`
			`"AES128-GCM-SHA256:"`
			`"AES256-GCM-SHA384:"`
			`"AES128-SHA256:"`
			`"AES256-SHA256:"`
			`"AES128-SHA:"`
			`"AES256-SHA:"`
			`"DES-CBC3-SHA:"`
			`"!DSS"`
			`),`
			`SSLCipherList.MODERN: (`
			`"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"`
			`"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"`
			`"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"`
			`"ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"`
			`"ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"`
			`),`
			`}`


			`@cache`
			`def create_no_verify_ssl_context(`
			`ssl_cipher_list: SSLCipherList = SSLCipherList.PYTHON_DEFAULT,`
			`) -> ssl.SSLContext:`
Fix httpx client creating a new ssl context with each client (memory leak) (#90191) * Fix httpx client creating a new ssl context with each client While working on https://github.com/home-assistant/core/issues/83524 it was discovered that each new httpx client creates a new ssl context https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_transports/default.py#L261 If an ssl context is passed in creating a new one is avoided here https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_config.py#L110 This change makes httpx ssl no-verify behavior match aiohttp ssl no-verify behavior https://github.com/aio-libs/aiohttp/blob/6da04694fd87a39af9c3856048c9ff23ca815f88/aiohttp/connector.py#L892 aiohttp solved this by wrapping the code that generates the ssl context in an lru_cache * compact 2023-03-24 07:40:47 +00:00			`"""Return an SSL context that does not verify the server certificate.`

			`This is a copy of aiohttp's create_default_context() function, with the`
			`ssl verify turned off.`

			`https://github.com/aio-libs/aiohttp/blob/33953f110e97eecc707e1402daa8d543f38a189b/aiohttp/connector.py#L911`
			`"""`
			`sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)`
			`sslcontext.check_hostname = False`
			`sslcontext.verify_mode = ssl.CERT_NONE`
			`with contextlib.suppress(AttributeError):`
			`# This only works for OpenSSL >= 1.0.0`
			`sslcontext.options \|= ssl.OP_NO_COMPRESSION`
			`sslcontext.set_default_verify_paths()`
Add option to select list of accepted ssl ciphers in httpx client (#91389) 2023-04-15 19:32:30 +00:00			`if ssl_cipher_list != SSLCipherList.PYTHON_DEFAULT:`
			`sslcontext.set_ciphers(SSL_CIPHER_LISTS[ssl_cipher_list])`

Fix httpx client creating a new ssl context with each client (memory leak) (#90191) * Fix httpx client creating a new ssl context with each client While working on https://github.com/home-assistant/core/issues/83524 it was discovered that each new httpx client creates a new ssl context https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_transports/default.py#L261 If an ssl context is passed in creating a new one is avoided here https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_config.py#L110 This change makes httpx ssl no-verify behavior match aiohttp ssl no-verify behavior https://github.com/aio-libs/aiohttp/blob/6da04694fd87a39af9c3856048c9ff23ca815f88/aiohttp/connector.py#L892 aiohttp solved this by wrapping the code that generates the ssl context in an lru_cache * compact 2023-03-24 07:40:47 +00:00			`return sslcontext`


Add option to select list of accepted ssl ciphers in httpx client (#91389) 2023-04-15 19:32:30 +00:00			`@cache`
			`def client_context(`
			`ssl_cipher_list: SSLCipherList = SSLCipherList.PYTHON_DEFAULT,`
			`) -> ssl.SSLContext:`
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00			`"""Return an SSL context for making requests."""`
Allow using environment cacert file (#38816) 2020-09-04 11:54:20 +00:00
Code styling tweaks to core utils & YAML loader (#85433) Code styling tweaks to core utils 2023-01-09 06:01:55 +00:00			`# Reuse environment variable definition from requests, since it's already a`
			`# requirement. If the environment variable has no value, fall back to using`
			`# certs from certifi package.`
Allow using environment cacert file (#38816) 2020-09-04 11:54:20 +00:00			`cafile = environ.get("REQUESTS_CA_BUNDLE", certifi.where())`

Add option to select list of accepted ssl ciphers in httpx client (#91389) 2023-04-15 19:32:30 +00:00			`sslcontext = ssl.create_default_context(`
			`purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile`
			`)`
			`if ssl_cipher_list != SSLCipherList.PYTHON_DEFAULT:`
			`sslcontext.set_ciphers(SSL_CIPHER_LISTS[ssl_cipher_list])`

			`return sslcontext`
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00

Fix ssl context being recreated frequently in httpx (#89932) * Fix ssl context being created every time in httpx * its expensive, only do it once 2023-03-19 09:13:48 +00:00			`# Create this only once and reuse it`
			`_DEFAULT_SSL_CONTEXT = client_context()`
Fix httpx client creating a new ssl context with each client (memory leak) (#90191) * Fix httpx client creating a new ssl context with each client While working on https://github.com/home-assistant/core/issues/83524 it was discovered that each new httpx client creates a new ssl context https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_transports/default.py#L261 If an ssl context is passed in creating a new one is avoided here https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_config.py#L110 This change makes httpx ssl no-verify behavior match aiohttp ssl no-verify behavior https://github.com/aio-libs/aiohttp/blob/6da04694fd87a39af9c3856048c9ff23ca815f88/aiohttp/connector.py#L892 aiohttp solved this by wrapping the code that generates the ssl context in an lru_cache * compact 2023-03-24 07:40:47 +00:00			`_DEFAULT_NO_VERIFY_SSL_CONTEXT = create_no_verify_ssl_context()`
Fix ssl context being recreated frequently in httpx (#89932) * Fix ssl context being created every time in httpx * its expensive, only do it once 2023-03-19 09:13:48 +00:00

			`def get_default_context() -> ssl.SSLContext:`
			`"""Return the default SSL context."""`
			`return _DEFAULT_SSL_CONTEXT`


Fix httpx client creating a new ssl context with each client (memory leak) (#90191) * Fix httpx client creating a new ssl context with each client While working on https://github.com/home-assistant/core/issues/83524 it was discovered that each new httpx client creates a new ssl context https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_transports/default.py#L261 If an ssl context is passed in creating a new one is avoided here https://github.com/encode/httpx/blob/f1157dbc4102ac8e227a0a0bb12a877f592eff58/httpx/_config.py#L110 This change makes httpx ssl no-verify behavior match aiohttp ssl no-verify behavior https://github.com/aio-libs/aiohttp/blob/6da04694fd87a39af9c3856048c9ff23ca815f88/aiohttp/connector.py#L892 aiohttp solved this by wrapping the code that generates the ssl context in an lru_cache * compact 2023-03-24 07:40:47 +00:00			`def get_default_no_verify_context() -> ssl.SSLContext:`
			`"""Return the default SSL context that does not verify the server certificate."""`
			`return _DEFAULT_NO_VERIFY_SSL_CONTEXT`


Switch to intermediate Mozilla cert profile (#15957) * Allow choosing intermediate SSL profile * Fix tests 2018-08-14 06:20:17 +00:00			`def server_context_modern() -> ssl.SSLContext:`
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00			`"""Return an SSL context following the Mozilla recommendations.`

			`TLS configuration follows the best-practice guidelines specified here:`
			`https://wiki.mozilla.org/Security/Server_Side_TLS`
			`Modern guidelines are followed.`
			`"""`
Replace deprecated SSLContext constant PROTOCOL_TLS in mqtt (#88214) Replace deprecated SSLContext constants 2023-02-16 18:01:28 +00:00			`context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00
			`context.options \|= (`
Black 2019-07-31 19:25:30 +00:00			`ssl.OP_NO_SSLv2`
			`\| ssl.OP_NO_SSLv3`
			`\| ssl.OP_NO_TLSv1`
			`\| ssl.OP_NO_TLSv1_1`
			`\| ssl.OP_CIPHER_SERVER_PREFERENCE`
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00			`)`
Black 2019-07-31 19:25:30 +00:00			`if hasattr(ssl, "OP_NO_COMPRESSION"):`
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00			`context.options \|= ssl.OP_NO_COMPRESSION`

Add option to select list of accepted ssl ciphers in httpx client (#91389) 2023-04-15 19:32:30 +00:00			`context.set_ciphers(SSL_CIPHER_LISTS[SSLCipherList.MODERN])`
Switch to intermediate Mozilla cert profile (#15957) * Allow choosing intermediate SSL profile * Fix tests 2018-08-14 06:20:17 +00:00
			`return context`


			`def server_context_intermediate() -> ssl.SSLContext:`
			`"""Return an SSL context following the Mozilla recommendations.`

			`TLS configuration follows the best-practice guidelines specified here:`
			`https://wiki.mozilla.org/Security/Server_Side_TLS`
			`Intermediate guidelines are followed.`
			`"""`
Replace deprecated SSLContext constant PROTOCOL_TLS in mqtt (#88214) Replace deprecated SSLContext constants 2023-02-16 18:01:28 +00:00			`context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`
Switch to intermediate Mozilla cert profile (#15957) * Allow choosing intermediate SSL profile * Fix tests 2018-08-14 06:20:17 +00:00
			`context.options \|= (`
Black 2019-07-31 19:25:30 +00:00			`ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3 \| ssl.OP_CIPHER_SERVER_PREFERENCE`
Switch to intermediate Mozilla cert profile (#15957) * Allow choosing intermediate SSL profile * Fix tests 2018-08-14 06:20:17 +00:00			`)`
Black 2019-07-31 19:25:30 +00:00			`if hasattr(ssl, "OP_NO_COMPRESSION"):`
Switch to intermediate Mozilla cert profile (#15957) * Allow choosing intermediate SSL profile * Fix tests 2018-08-14 06:20:17 +00:00			`context.options \|= ssl.OP_NO_COMPRESSION`

Add option to select list of accepted ssl ciphers in httpx client (#91389) 2023-04-15 19:32:30 +00:00			`context.set_ciphers(SSL_CIPHER_LISTS[SSLCipherList.INTERMEDIATE])`
Switch to intermediate Mozilla cert profile (#15957) * Allow choosing intermediate SSL profile * Fix tests 2018-08-14 06:20:17 +00:00
Extract SSL context creation to helper (#15483) * Extract SSL context creation to helper * Lint 2018-07-16 08:32:07 +00:00			`return context`