TLS 1.2 support for RASA

Hello,

Does RASA support TLS 1.2? I know we can enable SSL in RASA, as I read at https://rasa.com/docs/rasa/user-guide/running-the-server/#server-ssl. I want to know if the same endpoint can support a TLS 1.2 handshake. Or what are the protocols currently supported?

Regards!

Any updates on this? Can someone help?

Hi,

Was there any resolution to this?

I can see that Rasa is using this method to create an SSL context. It doesn't seem like it supports TLSv1.2.

    ssl_context = ssl.create_default_context(
        purpose=ssl.Purpose.CLIENT_AUTH, cafile=ssl_ca_file
    )

Does anyone have any suggestions on how to enable/force TLSv1.2 in rasa?

Thanks, Thusitha

@arjun007 @thusithaC coming back to this super late I know - No, TLS is not supported, only SSL at this point.

I ended up hacking the server start file. Overall, I think there are a couple of pain points in how the Rasa server is started (lacking the ability to customize Sanic logging and to change SSL context settings are a couple of them). I hope something can be done to support advanced use cases.

    import logging
    import os
    import ssl
    from ssl import CERT_NONE, PROTOCOL_TLS, PROTOCOL_TLSv1_2, Purpose, SSLContext
    from typing import Optional, Text

    logger = logging.getLogger(__name__)


    def create_ssl_context_custom(
        ssl_certificate: Optional[Text],
        ssl_keyfile: Optional[Text],
        ssl_ca_file: Optional[Text] = None,
        ssl_password: Optional[Text] = None,
    ) -> Optional["SSLContext"]:
        """Create an SSL context if a proper certificate is passed.

        We patch the original function to enable TLSv1.2.

        Args:
            ssl_certificate: path to the SSL client certificate
            ssl_keyfile: path to the SSL key file
            ssl_ca_file: path to the SSL CA file for verification (optional)
            ssl_password: SSL private key password (optional)

        Returns:
            SSL context if a valid certificate chain can be loaded, `None` otherwise.
        """
        # Opt in by setting the environment variable ENABLE_TLS_V1_2=1.
        enable_tls_v1_2 = int(os.getenv("ENABLE_TLS_V1_2", "0")) == 1
        if ssl_certificate:
            if enable_tls_v1_2:
                # PROTOCOL_TLSv1_2 pins the context to TLS 1.2 only.
                protocol = PROTOCOL_TLSv1_2
                logger.info("SSL with protocol PROTOCOL_TLSv1_2")
            else:
                # PROTOCOL_TLS negotiates the highest version both peers support.
                protocol = PROTOCOL_TLS
                logger.info("SSL with protocol PROTOCOL_TLS")

            ssl_context = SSLContext(protocol)
            # Private constant of the ssl module (leading underscore), not a public API.
            ssl_context.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
            if ssl_ca_file:
                ssl_context.load_verify_locations(cafile=ssl_ca_file)
            elif ssl_context.verify_mode != CERT_NONE:
                ssl_context.load_default_certs(purpose=Purpose.CLIENT_AUTH)
            ssl_context.load_cert_chain(
                ssl_certificate, keyfile=ssl_keyfile, password=ssl_password
            )
            return ssl_context
        else:
            return None
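
A way to check which protocol versions a context accepts, as an added example that is not from Rasa or from the posts above: it inspects a context built with the `create_default_context` call quoted earlier in the thread and sets a TLS 1.2 floor through the public `minimum_version` attribute. `allowed_versions` and `server_context` are hypothetical helper names, and no certificate is loaded, so it only reports settings.

```python
import ssl

# Protocol versions the audit reports on, lowest first.
_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
# Legacy per-version "disable" option flags that can also exclude a version.
_OP_NO = {
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def allowed_versions(ctx):
    """Return the TLS version names ctx permits, judged from its own settings.

    The OpenSSL build and system policy can narrow the result further.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for version in _VERSIONS:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue  # below the configured floor
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue  # above the configured ceiling
        if ctx.options & _OP_NO[version]:
            continue  # switched off by an OP_NO_* flag
        allowed.append(version.name)
    return allowed


def server_context(cafile=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Build a server-side context as in the thread, then set a version floor."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.minimum_version = min_version  # reject anything older than this
    return ctx


if __name__ == "__main__":
    default = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    print("default context:", allowed_versions(default))
    print("with 1.2 floor :", allowed_versions(server_context()))
```
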