An OpenSSL cipher spec needs to specify @SECLEVEL for old TLS versions to work; see https://github.com/pyca/cryptography/issues/9523.
(self, side: Literal["client", "server"])
| 558 | ) |
| 559 | |
def _warn_seclevel_missing(self, side: Literal["client", "server"]) -> None:
    """
    Warn when custom ciphers cannot work with the configured minimum TLS version.

    OpenSSL cipher specs need to specify @SECLEVEL for old TLS versions to work,
    see https://github.com/pyca/cryptography/issues/9523.

    A warning is logged only if all three conditions hold for the given side:
    a custom cipher string is set, the minimum TLS version is listed in
    net_tls.INSECURE_TLS_MIN_VERSIONS, and the cipher string does not contain
    the literal text "@SECLEVEL=0". Nothing is changed or rejected here.

    NOTE(review): security level 0 removes OpenSSL's minimum-strength
    restrictions, so adding it is a deliberate opt-in for legacy peers and
    should be scoped to the side that actually needs it.
    """
    options = ctx.options
    if side == "client":
        cipher_spec, min_tls_version = (
            options.ciphers_client,
            options.tls_version_client_min,
        )
    else:
        cipher_spec, min_tls_version = (
            options.ciphers_server,
            options.tls_version_server_min,
        )

    # Without a custom cipher string there is nothing to check.
    if not cipher_spec:
        return

    # Only minimum versions flagged as insecure need the lowered level.
    if net_tls.Version[min_tls_version] not in net_tls.INSECURE_TLS_MIN_VERSIONS:
        return

    # Plain substring test: any occurrence of the token counts as present.
    if "@SECLEVEL=0" in cipher_spec:
        return

    message = (
        f'With tls_version_{side}_min set to {min_tls_version}, ciphers_{side} must include "@SECLEVEL=0" '
        f"for insecure TLS versions to work."
    )
    logger.warning(message)
| 581 | |
def crl_path(self) -> str:
    """
    Build the CRL path string for the certificate store's default CA.

    The path has the form "/mitmproxy-<serial>.crl", where <serial> is the
    serial of self.certstore.default_ca.
    """
    serial = self.certstore.default_ca.serial
    return f"/mitmproxy-{serial}.crl"