Add TLSv1.2 protocol support (#665)

dpetzold · Derrick Petzold · gi0baro · web-flow · commit 82391291920b · 2025-10-26T16:41:33.000+01:00
---------

Co-authored-by: Derrick Petzold &lt;derrick.petzold@collecticevoice.com&gt;
Co-authored-by: Giovanni Barillari &lt;giovanni.barillari@sentry.io&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -53,7 +53,7 @@ rustls-pemfile = "2.2"
 socket2 = { version = "=0.6", features = ["all"] }
 sysinfo = "=0.36"
 tikv-jemallocator = { version = "0.6.0", default-features = false, features = ["disable_initial_exec_tls"], optional = true }
-tls-listener = { version = "=0.11", features = ["rustls-ring"] }
+tls-listener = { version = "=0.11", git = "https://github.com/gi0baro/tls-listener.git", branch = "0.11.x", features = ["rustls-ring", "rustls-tls12"] }
 tokio = { version = "1.45", features = ["full"] }
 tokio-stream = "0.1"
 tokio-tungstenite = "=0.28"
diff --git a/README.md b/README.md
@@ -268,13 +268,21 @@ Options:
   --ssl-keyfile FILE              SSL key file  [env var: GRANIAN_SSL_KEYFILE]
   --ssl-keyfile-password TEXT     SSL key password  [env var:
                                   GRANIAN_SSL_KEYFILE_PASSWORD]
+  --ssl-protocol-min [tls1.2|tls1.3]
+                                  Set the minimum supported protocol for SSL
+                                  connections.  [env var:
+                                  GRANIAN_SSL_PROTOCOL_MIN; default: (tls1.3)]
   --ssl-ca FILE                   Root SSL cerificate file for client
                                   verification  [env var: GRANIAN_SSL_CA]
   --ssl-crl FILE                  SSL CRL file(s)  [env var: GRANIAN_SSL_CRL]
   --ssl-client-verify / --no-ssl-client-verify
                                   Verify clients SSL certificates  [env var:
                                   GRANIAN_SSL_CLIENT_VERIFY; default:
                                   (disabled)]
+  --ssl-protocol-version [auto|1.2|1.3]
+                                  Override the supported ssl protocol versions
+                                  and pin to the one specified.  [env var:
+                                  GRANIAN_SSL_PROTOCOL_VERSION; default: auto]
   --url-path-prefix TEXT          URL path prefix the app is mounted on  [env
                                   var: GRANIAN_URL_PATH_PREFIX]
   --respawn-failed-workers / --no-respawn-failed-workers
diff --git a/granian/_granian.pyi b/granian/_granian.pyi
@@ -72,6 +72,8 @@ class ASGIWorker:
         ssl_enabled: bool,
         ssl_cert: Optional[str],
         ssl_key: Optional[str],
+        ssl_key_password: Optional[str],
+        ssl_protocol_min: str,
         ssl_ca: Optional[str],
         ssl_crl: List[str],
         ssl_client_verify: bool,
@@ -94,6 +96,8 @@ class WSGIWorker:
         ssl_enabled: bool,
         ssl_cert: Optional[str],
         ssl_key: Optional[str],
+        ssl_key_password: Optional[str],
+        ssl_protocol_min: str,
         ssl_ca: Optional[str],
         ssl_crl: List[str],
         ssl_client_verify: bool,
@@ -117,6 +121,8 @@ class RSGIWorker:
         ssl_enabled: bool,
         ssl_cert: Optional[str],
         ssl_key: Optional[str],
+        ssl_key_password: Optional[str],
+        ssl_protocol_min: str,
         ssl_ca: Optional[str],
         ssl_crl: List[str],
         ssl_client_verify: bool,
diff --git a/granian/_types.py b/granian/_types.py
@@ -6,4 +6,4 @@ class WebsocketMessage:
     data: Union[bytes, str]
 
 
-SSLCtx = Tuple[bool, Optional[str], Optional[str], Optional[str], Optional[str], List[str], bool]
+SSLCtx = Tuple[bool, Optional[str], Optional[str], Optional[str], str, Optional[str], List[str], bool]
diff --git a/granian/cli.py b/granian/cli.py
@@ -6,7 +6,7 @@
 
 import click
 
-from .constants import HTTPModes, Interfaces, Loops, RuntimeModes, TaskImpl
+from .constants import HTTPModes, Interfaces, Loops, RuntimeModes, SSLProtocols, TaskImpl
 from .errors import FatalError
 from .http import HTTP1Settings, HTTP2Settings
 from .log import LogLevels
@@ -266,6 +266,12 @@ def option(*param_decls: str, cls: Optional[Type[click.Option]] = None, **attrs:
     help='SSL key file',
 )
 @option('--ssl-keyfile-password', help='SSL key password')
+@option(
+    '--ssl-protocol-min',
+    type=EnumType(SSLProtocols),
+    default=SSLProtocols.tls13,
+    help='Set the minimum supported protocol for SSL connections.',
+)
 @option(
     '--ssl-ca',
     type=click.Path(exists=True, file_okay=True, dir_okay=False, readable=True, path_type=pathlib.Path),
@@ -442,6 +448,7 @@ def cli(
     ssl_certificate: Optional[pathlib.Path],
     ssl_keyfile: Optional[pathlib.Path],
     ssl_keyfile_password: Optional[str],
+    ssl_protocol_min: SSLProtocols,
     ssl_ca: Optional[pathlib.Path],
     ssl_crl: Optional[List[pathlib.Path]],
     ssl_client_verify: bool,
@@ -525,6 +532,7 @@ def cli(
         ssl_cert=ssl_certificate,
         ssl_key=ssl_keyfile,
         ssl_key_password=ssl_keyfile_password,
+        ssl_protocol_min=ssl_protocol_min,
         ssl_ca=ssl_ca,
         ssl_crl=ssl_crl,
         ssl_client_verify=ssl_client_verify,
diff --git a/granian/constants.py b/granian/constants.py
@@ -35,3 +35,8 @@ class Loops(StrEnum):
 class TaskImpl(StrEnum):
     asyncio = 'asyncio'
     rust = 'rust'
+
+
+class SSLProtocols(StrEnum):
+    tls12 = 'tls1.2'
+    tls13 = 'tls1.3'
diff --git a/granian/server/common.py b/granian/server/common.py
@@ -15,7 +15,7 @@
 from .._imports import dotenv, setproctitle, watchfiles
 from .._internal import build_env_loader, load_target
 from .._signals import set_main_signals
-from ..constants import HTTPModes, Interfaces, Loops, RuntimeModes, TaskImpl
+from ..constants import HTTPModes, Interfaces, Loops, RuntimeModes, SSLProtocols, TaskImpl
 from ..errors import ConfigurationError, PidFileError
 from ..http import HTTP1Settings, HTTP2Settings
 from ..log import DEFAULT_ACCESSLOG_FMT, LogLevels, configure_logging, logger
@@ -108,6 +108,7 @@ def __init__(
         ssl_cert: Optional[Path] = None,
         ssl_key: Optional[Path] = None,
         ssl_key_password: Optional[str] = None,
+        ssl_protocol_min: SSLProtocols = SSLProtocols.tls13,
         ssl_ca: Optional[Path] = None,
         ssl_crl: Optional[List[Path]] = None,
         ssl_client_verify: bool = False,
@@ -200,7 +201,9 @@ def __init__(
 
         configure_logging(self.log_level, self.log_config, self.log_enabled)
 
-        self.build_ssl_context(ssl_cert, ssl_key, ssl_key_password, ssl_ca, ssl_crl or [], ssl_client_verify)
+        self.build_ssl_context(
+            ssl_cert, ssl_key, ssl_key_password, ssl_protocol_min, ssl_ca, ssl_crl or [], ssl_client_verify
+        )
         self._ssp = None
         self._shd = None
         self._sfd = None
@@ -220,12 +223,13 @@ def build_ssl_context(
         cert: Optional[Path],
         key: Optional[Path],
         password: Optional[str],
+        proto: SSLProtocols,
         ca: Optional[Path],
         crl: List[Path],
         client_verify: bool,
     ):
         if not (cert and key):
-            self.ssl_ctx = (False, None, None, None, None, [], False)
+            self.ssl_ctx = (False, None, None, None, str(proto), None, [], False)
             return
         # uneeded?
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
@@ -239,6 +243,7 @@ def build_ssl_context(
             str(cert.resolve()),
             str(key.resolve()),
             password,
+            str(proto),
             str(ca.resolve()) if ca else None,
             [str(item.resolve()) for item in crl],
             client_verify,
diff --git a/granian/server/embed.py b/granian/server/embed.py
@@ -24,6 +24,7 @@
     HTTPModes,
     Interfaces,
     LogLevels,
+    SSLProtocols,
     TaskImpl,
     logger,
 )
@@ -116,6 +117,7 @@ def __init__(
         ssl_cert: Optional[Path] = None,
         ssl_key: Optional[Path] = None,
         ssl_key_password: Optional[str] = None,
+        ssl_protocol_min: SSLProtocols = SSLProtocols.tls13,
         ssl_ca: Optional[Path] = None,
         ssl_crl: Optional[List[Path]] = None,
         ssl_client_verify: bool = False,
@@ -150,6 +152,7 @@ def __init__(
             ssl_cert=ssl_cert,
             ssl_key=ssl_key,
             ssl_key_password=ssl_key_password,
+            ssl_protocol_min=ssl_protocol_min,
             ssl_ca=ssl_ca,
             ssl_crl=ssl_crl,
             ssl_client_verify=ssl_client_verify,
diff --git a/src/asgi/serve.rs b/src/asgi/serve.rs
@@ -33,6 +33,7 @@ impl ASGIWorker {
             ssl_cert=None,
             ssl_key=None,
             ssl_key_password=None,
+            ssl_protocol_min="1.3",
             ssl_ca=None,
             ssl_crl=vec![],
             ssl_client_verify=false,
@@ -56,6 +57,7 @@ impl ASGIWorker {
         ssl_cert: Option<String>,
         ssl_key: Option<String>,
         ssl_key_password: Option<String>,
+        ssl_protocol_min: &str,
         ssl_ca: Option<String>,
         ssl_crl: Vec<String>,
         ssl_client_verify: bool,
@@ -78,6 +80,7 @@ impl ASGIWorker {
                 ssl_cert,
                 ssl_key,
                 ssl_key_password,
+                ssl_protocol_min,
                 ssl_ca,
                 ssl_crl,
                 ssl_client_verify,
diff --git a/src/rsgi/serve.rs b/src/rsgi/serve.rs
@@ -33,6 +33,7 @@ impl RSGIWorker {
             ssl_cert=None,
             ssl_key=None,
             ssl_key_password=None,
+            ssl_protocol_min="1.3",
             ssl_ca=None,
             ssl_crl=vec![],
             ssl_client_verify=false,
@@ -56,6 +57,7 @@ impl RSGIWorker {
         ssl_cert: Option<String>,
         ssl_key: Option<String>,
         ssl_key_password: Option<String>,
+        ssl_protocol_min: &str,
         ssl_ca: Option<String>,
         ssl_crl: Vec<String>,
         ssl_client_verify: bool,
@@ -78,6 +80,7 @@ impl RSGIWorker {
                 ssl_cert,
                 ssl_key,
                 ssl_key_password,
+                ssl_protocol_min,
                 ssl_ca,
                 ssl_crl,
                 ssl_client_verify,
diff --git a/src/tls.rs b/src/tls.rs
@@ -5,17 +5,27 @@ use tls_listener::{
     rustls::{
         TlsAcceptor,
         rustls::{
+            SupportedProtocolVersion,
             pki_types::{
                 CertificateDer as Certificate, CertificateRevocationListDer as CRL, PrivateKeyDer as PrivateKey,
                 pem::PemObject,
             },
             server::ServerConfig,
+            version as tls_version,
         },
     },
 };
 
 use crate::net::SockAddr;
 
+pub(crate) fn resolve_protocol_versions(min_version: &str) -> Vec<&'static SupportedProtocolVersion> {
+    match min_version {
+        "tls1.2" => vec![&tls_version::TLS12, &tls_version::TLS13],
+        "tls1.3" => vec![&tls_version::TLS13],
+        _ => unreachable!(),
+    }
+}
+
 pub(crate) fn tls_tcp_listener(
     config: Arc<ServerConfig>,
     tcp: std::net::TcpListener,
diff --git a/src/workers.rs b/src/workers.rs
@@ -7,7 +7,10 @@ use std::{
 
 use super::asgi::serve::ASGIWorker;
 use super::rsgi::serve::RSGIWorker;
-use super::tls::{load_certs as tls_load_certs, load_crls as tls_load_crls, load_private_key as tls_load_pkey};
+use super::tls::{
+    load_certs as tls_load_certs, load_crls as tls_load_crls, load_private_key as tls_load_pkey,
+    resolve_protocol_versions,
+};
 use super::wsgi::serve::WSGIWorker;
 
 #[pyclass(frozen, module = "granian._granian")]
@@ -104,6 +107,7 @@ pub(crate) struct WorkerConfig {
 pub(crate) struct WorkerTlsConfig {
     cert: String,
     key: (String, Option<String>),
+    proto: String,
     ca: Option<String>,
     crl: Vec<String>,
     client_verify: bool,
@@ -127,6 +131,7 @@ impl WorkerConfig {
         ssl_cert: Option<String>,
         ssl_key: Option<String>,
         ssl_key_password: Option<String>,
+        ssl_protocol_min: &str,
         ssl_ca: Option<String>,
         ssl_crl: Vec<String>,
         ssl_client_verify: bool,
@@ -135,6 +140,7 @@ impl WorkerConfig {
             true => Some(WorkerTlsConfig {
                 cert: ssl_cert.unwrap(),
                 key: (ssl_key.unwrap(), ssl_key_password),
+                proto: ssl_protocol_min.into(),
                 ca: ssl_ca,
                 crl: ssl_crl,
                 client_verify: ssl_client_verify,
@@ -174,6 +180,8 @@ impl WorkerConfig {
 
     pub fn tls_cfg(&self) -> tls_listener::rustls::rustls::ServerConfig {
         let opts = self.tls_opts.as_ref().unwrap();
+        let tls_protos = resolve_protocol_versions(&opts.proto);
+
         let cfg_builder = match &opts.ca {
             Some(ca) => {
                 let cas = tls_load_certs(ca.clone());
@@ -195,9 +203,11 @@ impl WorkerConfig {
                             .unwrap()
                     }
                 };
-                tls_listener::rustls::rustls::ServerConfig::builder().with_client_cert_verifier(verifier)
+                tls_listener::rustls::rustls::ServerConfig::builder_with_protocol_versions(&tls_protos)
+                    .with_client_cert_verifier(verifier)
             }
-            None => tls_listener::rustls::rustls::ServerConfig::builder().with_no_client_auth(),
+            None => tls_listener::rustls::rustls::ServerConfig::builder_with_protocol_versions(&tls_protos)
+                .with_no_client_auth(),
         };
         let mut cfg = cfg_builder
             .with_single_cert(
diff --git a/src/wsgi/serve.rs b/src/wsgi/serve.rs
@@ -37,6 +37,7 @@ impl WSGIWorker {
             ssl_cert=None,
             ssl_key=None,
             ssl_key_password=None,
+            ssl_protocol_min="1.3",
             ssl_ca=None,
             ssl_crl=vec![],
             ssl_client_verify=false,
@@ -59,6 +60,7 @@ impl WSGIWorker {
         ssl_cert: Option<String>,
         ssl_key: Option<String>,
         ssl_key_password: Option<String>,
+        ssl_protocol_min: &str,
         ssl_ca: Option<String>,
         ssl_crl: Vec<String>,
         ssl_client_verify: bool,
@@ -81,6 +83,7 @@ impl WSGIWorker {
                 ssl_cert,
                 ssl_key,
                 ssl_key_password,
+                ssl_protocol_min,
                 ssl_ca,
                 ssl_crl,
                 ssl_client_verify,
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -16,7 +16,9 @@ def _serve(**kwargs):
 
 
 @asynccontextmanager
-async def _server(interface, port, runtime_mode, ws=True, tls=False, task_impl='asyncio', static_mount=False):
+async def _server(
+    interface, port, runtime_mode, ws=True, tls=False, tls_proto=None, task_impl='asyncio', static_mount=False
+):
     certs_path = Path.cwd() / 'tests' / 'fixtures' / 'tls'
     kwargs = {
         'interface': interface,
@@ -35,6 +37,10 @@ async def _server(interface, port, runtime_mode, ws=True, tls=False, task_impl='
         else:
             kwargs['ssl_cert'] = certs_path / 'cert.pem'
             kwargs['ssl_key'] = certs_path / 'key.pem'
+
+        if tls_proto:
+            kwargs['ssl_protocol_min'] = tls_proto
+
     if static_mount:
         kwargs['static_path_mount'] = Path.cwd() / 'tests' / 'fixtures'
 
@@ -103,8 +109,8 @@ def server(server_port, request):
 
 
 @pytest.fixture(scope='function')
-def server_tls(server_port, request):
-    return partial(_server, request.param, server_port, tls=True)
+def server_tls(server_port, request, tls=True, **extras):
+    return partial(_server, request.param, server_port, tls=tls, **extras)
 
 
 @pytest.fixture(scope='function')
diff --git a/tests/test_https.py b/tests/test_https.py

Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,4 @@ class WebsocketMessage:`
`6`	`6`	`data: Union[bytes, str]`
`7`	`7`
`8`	`8`
`9`		`-SSLCtx = Tuple[bool, Optional[str], Optional[str], Optional[str], Optional[str], List[str], bool]`
	`9`	`+SSLCtx = Tuple[bool, Optional[str], Optional[str], Optional[str], str, Optional[str], List[str], bool]`