Fix Cypher Order, Extension Order and Groups Order gone wrong

README

@@ -42,6 +42,8 @@ Functionality implemented include:
  - TLS Certificate Compression (RFC 8879)
  - Hybrid ML-KEM key exchage groups (draft-kwiatkowski-tls-ecdhe-mlkem-02)
  - support for Brainpool curves in TLS 1.2 and TLS 1.3
+ - Delegated Credentials (RFC 9345)
+ - ML-DSA certificates suppport (draft-ietf-tls-mldsa-00)
 
 
 tlslite-ng aims to be a drop-in replacement for tlslite while providing more

README.md

@@ -1,4 +1,4 @@
-tlslite-ng version 0.8.2 (2025-01-22)
+tlslite-ng version 0.9.0b2 (2025-09-26)
 
 [![GitHub CI](https://github.com/tlsfuzzer/tlslite-ng/actions/workflows/ci.yml/badge.svg)](https://github.com/tlsfuzzer/tlslite-ng/actions/workflows/ci.yml)
 [![Read the Docs](https://img.shields.io/readthedocs/tlslite-ng)](https://tlslite-ng.readthedocs.io/en/latest/)
@@ -61,7 +61,7 @@ Implemented TLS features include:
 * Extended master secret
 * padding extension
 * keying material exporter
-* RSA, RSA-PSS, DSA, ECDSA, and EdDSA certificates
+* RSA, RSA-PSS, DSA, ECDSA, EdDSA, and ML-DSA certificates
 * ticket based session resumption
 * 1-RTT handshake, Hello Retry Request, middlebox compatibility mode,
   cookie extension, post-handshake authentication and KeyUpdate
@@ -622,6 +622,10 @@ Similarly, while delegated credentials have a valid time option, it is not enfor
 12 History
 ===========
 
+0.9.0b2 - 2025-09-26
+* support for Delegated Credentials (Ganna Starovoytova)
+* (Experimental) support for ML-DSA certificates in TLS
+
 0.8.2 - 2025-01-22
 * additional test vectors for the RSA implicit rejection mechanism
 * fix negotiation of TLS 1.2 Brainpool key exchanges in TLS 1.3, only

docs/conf.py

@@ -32,9 +32,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = u'0.8'
+version = u'0.9'
 # The full version, including alpha/beta/rc tags.
-release = u'0.8.2'
+release = u'0.9.0b2'
 
 
 # -- General configuration ---------------------------------------------------

setup.py

@@ -11,7 +11,7 @@
     README = f.read()
 
 setup(name="tlslite-ng",
-      version="0.8.2",
+      version="0.9.0b2",
       author="Alicja Kario",
       author_email="[email protected]",
       url="https://github.com/tlsfuzzer/tlslite-ng",
@@ -24,7 +24,7 @@
                     'package1': ['LICENSE', 'README.md']},
       install_requires=['ecdsa>=0.18.0b1'],
       obsoletes=["tlslite"],
-      python_requires=">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*, !=3.6.*",
+      python_requires=">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*",
       classifiers=[
             'Development Status :: 5 - Production/Stable',
             'Intended Audience :: Developers',
@@ -35,12 +35,14 @@
             'Programming Language :: Python :: 2.6',
             'Programming Language :: Python :: 2.7',
             'Programming Language :: Python :: 3',
+            'Programming Language :: Python :: 3.6',
             'Programming Language :: Python :: 3.7',
             'Programming Language :: Python :: 3.8',
             'Programming Language :: Python :: 3.9',
             'Programming Language :: Python :: 3.10',
             'Programming Language :: Python :: 3.11',
             'Programming Language :: Python :: 3.12',
+            'Programming Language :: Python :: 3.13',
             'Topic :: Security :: Cryptography',
             'Topic :: Software Development :: Libraries :: Python Modules',
             'Topic :: System :: Networking'

tlslite/api.py

@@ -4,7 +4,7 @@
 #
 # See the LICENSE file for legal information regarding use of this file.
 
-__version__ = "0.8.2"
+__version__ = "0.9.0b2"
 # the whole module is about importing most commonly used methods, for use
 # by other applications
 # pylint: disable=unused-import

tlslite/handshakesettings.py

@@ -478,7 +478,7 @@ def _init_misc_extensions(self):
         self.dc_sig_algs = []
         self.dc_valid_time = DC_VALID_TIME
 
-    def __init__(self):
+    def __init__(self, **kwargs):
         """Initialise default values for settings."""
         self._init_key_settings()
         self._init_misc_extensions()
@@ -490,6 +490,11 @@ def __init__(self):
         self.keyExchangeNames = list(KEY_EXCHANGE_NAMES)
         self.cipherImplementations = list(CIPHER_IMPLEMENTATIONS)
 
+        # Custom attributes for exact JA3 control (added for httpx-tls compatibility)
+        self.cipher_order = kwargs.get("cipher_order", None)
+        self.extension_order = kwargs.get("extension_order", None)
+        self.groups_order = kwargs.get("groups_order", None)
+
     @staticmethod
     def _sanityCheckKeySizes(other):
         """Check if key size limits are sane"""
@@ -869,6 +874,11 @@ def validate(self):
         other.pskConfigs = self.pskConfigs
         other.psk_modes = self.psk_modes
 
+        # Copy custom JA3 control attributes (added for httpx-tls compatibility)
+        other.cipher_order = getattr(self, 'cipher_order', None)
+        other.extension_order = getattr(self, 'extension_order', None)
+        other.groups_order = getattr(self, 'groups_order', None)
+
         if not other.certificateTypes:
             raise ValueError("No supported certificate types")
 

tlslite/tlsconnection.py

@@ -712,21 +712,27 @@ def _clientSendClientHello(self, settings, session, srpUsername,
                                 srpParams, certParams, anonParams,
                                 serverName, nextProtos, reqTack, alpn):
         # Initialize acceptable ciphersuites
-        cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
-        if srpParams:
-            cipherSuites += CipherSuite.getSrpAllSuites(settings)
-        elif certParams:
-            cipherSuites += CipherSuite.getTLS13Suites(settings)
-            cipherSuites += CipherSuite.getEcdsaSuites(settings)
-            cipherSuites += CipherSuite.getEcdheCertSuites(settings)
-            cipherSuites += CipherSuite.getDheCertSuites(settings)
-            cipherSuites += CipherSuite.getCertSuites(settings)
-            cipherSuites += CipherSuite.getDheDsaSuites(settings)
-        elif anonParams:
-            cipherSuites += CipherSuite.getEcdhAnonSuites(settings)
-            cipherSuites += CipherSuite.getAnonSuites(settings)
+        # Check if exact cipher order is specified (for JA3 fingerprint control)
+        if hasattr(settings, 'cipher_order') and settings.cipher_order is not None:
+            # Use exact cipher order specified by httpx-tls for precise JA3 control
+            cipherSuites = list(settings.cipher_order)
         else:
-            assert False
+            # Default behavior: add renegotiation info and standard cipher suites
+            cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
+            if srpParams:
+                cipherSuites += CipherSuite.getSrpAllSuites(settings)
+            elif certParams:
+                cipherSuites += CipherSuite.getTLS13Suites(settings)
+                cipherSuites += CipherSuite.getEcdsaSuites(settings)
+                cipherSuites += CipherSuite.getEcdheCertSuites(settings)
+                cipherSuites += CipherSuite.getDheCertSuites(settings)
+                cipherSuites += CipherSuite.getCertSuites(settings)
+                cipherSuites += CipherSuite.getDheDsaSuites(settings)
+            elif anonParams:
+                cipherSuites += CipherSuite.getEcdhAnonSuites(settings)
+                cipherSuites += CipherSuite.getAnonSuites(settings)
+            else:
+                assert False
 
         # Add any SCSVs. These are not real cipher suites, but signaling
         # values which reuse the cipher suite field in the ClientHello.