
TLSVersion Validator

certmonitor.validators.tls_version.TLSVersionValidator

Bases: BaseCipherValidator

Checks if the negotiated TLS version is in the allowed list.

`name` (class attribute, instance attribute)

```python
name: str = 'tls_version'
```

validate

```python
validate(cipher_info: Dict[str, Any], host: str, port: int) -> Dict[str, Any]
```

Validates the TLS protocol version used by the connection.

Parameters:

| Name | Type | Description | Default |
|------|------|-------------|---------|
| `cipher_info` | `dict` | The cipher information for the connection. | required |
| `host` | `str` | The hostname. | required |
| `port` | `int` | The port number. | required |

Returns:

| Name | Type | Description |
|------|------|-------------|
| `dict` | `Dict[str, Any]` | A dictionary containing the validation results, including whether the TLS version is acceptable, the protocol version, and any warnings. |

Examples:

Example output (success): This example shows a connection using TLSv1.3, which is considered secure, so validation passes and no warnings are present.

```json
{
    "is_valid": true,
    "protocol_version": "TLSv1.3",
    "warnings": []
}
```

Example output (failure): This example shows a connection using TLSv1.0, which is considered insecure, so validation fails and a warning is included.

```json
{
    "is_valid": false,
    "protocol_version": "TLSv1.0",
    "warnings": [
        "TLS version TLSv1.0 is considered insecure."
    ]
}
```
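The check this validator performs, as an added example that is not certmonitor's own code: a stand-alone `check_tls_version` function that produces the documented result shape (`is_valid`, `protocol_version`, `warnings`), plus a helper that builds a `cipher_info` dictionary from a live standard-library `ssl` connection. The `ALLOWED_TLS_VERSIONS` value, and the names `check_tls_version`, `cipher_info_from_socket` and `probe`, are assumptions for this example; the page does not show certmonitor's allow list. Note that the source excerpt further down sets a `reason` string rather than the `warnings` list its docstring promises; this example follows the documented output, and also treats a missing `protocol_version` as a failure instead of reporting "None is not allowed".

```python
"""Added example, not certmonitor's code: a stand-alone version of the
TLS-version allow-list check, plus a helper that builds a cipher_info dict
from a live stdlib ssl connection."""
import socket
import ssl
from typing import Any, Dict, Iterable, List

# Assumed policy: the page does not show certmonitor's ALLOWED_TLS_VERSIONS,
# so this example allows only the versions RFC 8996 did not deprecate.
ALLOWED_TLS_VERSIONS = ("TLSv1.2", "TLSv1.3")


def check_tls_version(
    cipher_info: Dict[str, Any],
    allowed: Iterable[str] = ALLOWED_TLS_VERSIONS,
) -> Dict[str, Any]:
    """Return the documented result shape: is_valid, protocol_version, warnings.

    A missing protocol_version (e.g. the handshake never completed) is a
    failure in its own right, so it gets a distinct warning.
    """
    protocol_version = cipher_info.get("protocol_version")
    warnings: List[str] = []
    if protocol_version is None:
        warnings.append("No protocol_version in cipher_info; cannot verify TLS version.")
    elif protocol_version not in set(allowed):
        warnings.append(f"TLS version {protocol_version} is considered insecure.")
    return {
        "is_valid": not warnings,
        "protocol_version": protocol_version,
        "warnings": warnings,
    }


def cipher_info_from_socket(tls_sock: ssl.SSLSocket) -> Dict[str, Any]:
    """Build a cipher_info dict from an established ssl.SSLSocket.

    SSLSocket.version() returns e.g. 'TLSv1.3'; cipher() returns a
    (suite name, protocol, secret bits) tuple.
    """
    suite, _protocol, bits = tls_sock.cipher()
    return {
        "protocol_version": tls_sock.version(),
        "cipher_suite": suite,
        "secret_bits": bits,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Hypothetical helper: connect with the default certificate-verifying
    context and validate the negotiated protocol version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_tls_version(cipher_info_from_socket(tls))


if __name__ == "__main__":
    # Constructed inputs mirroring the two documented outputs above.
    print(check_tls_version({"protocol_version": "TLSv1.3"}))
    print(check_tls_version({"protocol_version": "TLSv1.0"}))
    # Live probe of a host you operate (needs network access):
    # print(probe("example.com"))
```

`check_tls_version` takes the allow list as a parameter so a deployment can tighten it (for example to TLSv1.3 only) without editing the function; `probe` uses `ssl.create_default_context()` so certificate verification stays on while the protocol version is being checked.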
Source code in certmonitor/validators/tls_version.py

````python
def validate(
    self, cipher_info: Dict[str, Any], host: str, port: int
) -> Dict[str, Any]:
    """
    Validates the TLS protocol version used by the connection.

    Args:
        cipher_info (dict): The cipher information for the connection.
        host (str): The hostname.
        port (int): The port number.

    Returns:
        dict: A dictionary containing the validation results, including whether the TLS version is acceptable,
              the protocol version, and any warnings.

    Examples:
        Example output (success):
            This example shows a connection using TLSv1.3, which is considered secure, so validation passes and no warnings are present.

            ```json
            {
                "is_valid": true,
                "protocol_version": "TLSv1.3",
                "warnings": []
            }
            ```

        Example output (failure):
            This example shows a connection using TLSv1.0, which is considered insecure, so validation fails and a warning is included.

            ```json
            {
                "is_valid": false,
                "protocol_version": "TLSv1.0",
                "warnings": [
                    "TLS version TLSv1.0 is considered insecure."
                ]
            }
            ```
    """
    protocol_version = cipher_info.get("protocol_version")
    result = {
        "is_valid": True,
        "protocol_version": protocol_version,
    }

    # ALLOWED_TLS_VERSIONS is a module-level constant of tls_version.py
    # that is not part of this excerpt.
    if protocol_version not in ALLOWED_TLS_VERSIONS:
        result["is_valid"] = False
        result["reason"] = (
            f"TLS version {protocol_version} is not allowed. "
            "Update your allowed TLS versions or negotiate a supported version."
        )

    return result
````