Bases: M2Crypto.SSL.SSLError, socket.timeout
SSL peer certificate checking routines
Copyright (c) 2004-2007 Open Source Applications Foundation. All rights reserved.
Copyright 2008 Heikki Toivonen. All rights reserved.
An SSL connection.
Accept an SSL connection.
The return value is a pair (ssl, addr) where ssl is a new SSL connection object and addr is the address bound to the other end of the SSL connection.
Returns: tuple of Connection and addr. The address can take various forms (see the socket documentation): for IPv4 it is tuple(str, int); for IPv6 a tuple of four (host, port, flowinfo, scopeid), where the last two are optional ints.
Waits for a TLS/SSL client to initiate the TLS/SSL handshake.
The communication channel must already have been set and assigned to the ssl by setting an underlying BIO.
If there were errors in this connection, call clear() rather than close() to end it, so that bad sessions will be cleared from cache.
Overloading socket.connect()
Parameters: addr – address; its form depends on the address family (see the socket documentation).
Returns: status of ssl_connect()
Return an M2Crypto.SSL.Cipher object for this connection; if the connection has not been initialised with a cipher suite, return None.
Return an M2Crypto.SSL.Cipher_Stack object for this connection; if the connection has not been initialised with cipher suites, return None.
Return the peer certificate.
If the peer did not provide a certificate, return None.
Return the peer certificate chain; if the peer did not provide a certificate chain, return None.
Warning: The returned chain will be valid only for as long as the connection object is alive. Once the connection object gets freed, the chain will be freed as well.
Return the SSL state of this connection.
During its use, an SSL object passes through several states. The state is maintained internally. Querying the state information is not very informative before or once a connection has been established, but it can be of significant interest during the handshake.
Returns: 6-letter string indicating the current state of the SSL object ssl.
Return the remote address to which the socket is connected.
This is useful to find out the port number of a remote IPv4/v6 socket, for instance. On some systems this function is not supported.
Return the socket’s own address.
This is useful to find out the port number of an IPv4/v6 socket, for instance. (The format of the address returned depends on the address family – see above.)
Returns: socket’s address as addr type
Get the value of the given socket option.
Returns: Either integer or bytes value of the option. It is up to the caller to decode the contents of the buffer (see the optional built-in module struct for a way to decode C structures encoded as byte strings).
Explicitly set read and write BIOs.
Connects the BIOs for the read and write operations of the TLS/SSL (encrypted) side of ssl.
The SSL engine inherits the behaviour of both BIO objects, respectively. If a BIO is non-blocking, the Connection will also have non-blocking behaviour.
If there was already a BIO connected to Connection, BIO_free() will be called (for both the reading and writing side, if different).
Set the acceptable client CA list. If the client returns a certificate, it must have been issued by one of the CAs listed in context.
Makes sense only for servers.
Set the acceptable client CA list.
If the client returns a certificate, it must have been issued by one of the CAs listed in cafile.
Makes sense only for servers.
Parameters: cafile – Filename from which to load the CA list.
Returns: 1 – the operation succeeded.
Sets the shutdown state of the Connection to mode.
The shutdown state of an SSL connection is a bitmask of (use m2.SSL_* constants):
0 – No shutdown setting, yet.
SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN can be set at the same time.
Parameters: mode – the mode bitmask to set.
By default, SSL struct will be freed in __del__. Call with m2.bio_close to override this default.
Parameters: flag – either m2.bio_close or m2.bio_noclose
Set the requested hostname for the SNI (Server Name Indication) extension.
Set this connection’s underlying socket to mode.
Set blocking or non-blocking mode of the socket: if flag is 0, the socket is set to non-blocking, else to blocking mode. Initially all sockets are in blocking mode. In non-blocking mode, if a recv() call doesn’t find any data, or if a send() call can’t immediately dispose of the data, an error exception is raised; in blocking mode, the calls block until they can proceed. s.setblocking(0) is equivalent to s.settimeout(0.0); s.setblocking(1) is equivalent to s.settimeout(None).
Parameters: mode – new mode to be set
Set the value of the given socket option.
Returns: None for success or the error handler for failure.
‘Context’ for SSL connections.
Add the session to the context.
Parameters: session – the session to be added.
Returns: 1 – the operation succeeded.
Get the context’s setting that accepts/rejects a peer certificate if the certificate’s CA is unknown.
FIXME 2Bconverted to bool
Get the certificate store associated with this context.
Warning: The store is NOT refcounted, and as such cannot be relied upon to be valid once the context goes away or is changed.
Gets the current session caching.
The mode is set to m2.SSL_SESS_CACHE_* constants.
Returns: the previously set cache mode value.
Get current session timeout.
Whenever a new session is created, it is assigned a maximum lifetime. This lifetime is specified by storing the creation time of the session and the timeout value valid at this time. If the actual time is later than creation time plus timeout, the session is not reused.
Because of this implementation, all sessions behave according to the timeout value valid at the time of the session negotiation. Changes of the timeout value do not affect already established sessions.
Expired sessions are removed from the internal session cache whenever SSL_CTX_flush_sessions(3) is called, either directly by the application or automatically (see SSL_CTX_set_session_cache_mode(3)).
The default value for the session timeout is decided on a per-protocol basis, see SSL_get_default_timeout(3). All currently supported protocols have the same default timeout value of 300 seconds.
SSL_CTX_set_timeout() returns the previously set timeout value.
Returns: the currently set timeout value.
Load certificate and private key into the context.
Load certificate chain and private key into the context.
Load CA certs into the context. These CA certs are sent to the peer during SSLv3 certificate request.
Parameters: cafile – File object containing one or more PEM-encoded CA certificates concatenated together.
Load CA certs into the context. These CA certs are sent to the peer during SSLv3 certificate request.
Parameters: cafile – File object containing one or more PEM-encoded CA certificates concatenated together.
Load CA certs into the context.
These CA certs are used during verification of the peer’s certificate.
Returns: 1 – the operation succeeded.
Load CA certs into the context.
These CA certs are used during verification of the peer’s certificate.
Returns: 1 – the operation succeeded.
Remove the session from the context.
Parameters: session – the session to be removed.
Returns: 1 – the operation succeeded.
Set the context to accept/reject a peer certificate if the certificate’s CA is unknown.
Parameters: ok – True to accept, False to reject.
Sets the list of available ciphers.
Parameters: cipher_list – The format of the string is described in ciphers(1).
Returns: 1 if any cipher could be selected and 0 on complete failure.
Load CA certs into the context. These CA certs are sent to the peer during SSLv3 certificate request.
Parameters: cafile – File object containing one or more PEM-encoded CA certificates concatenated together.
Specifies that the default locations from which CA certs are loaded should be used.
There is one default directory and one default file. The default CA certificates directory is called “certs” in the default OpenSSL directory. Alternatively the SSL_CERT_DIR environment variable can be defined to override this location. The default CA certificates file is called “cert.pem” in the default OpenSSL directory. Alternatively the SSL_CERT_FILE environment variable can be defined to override this location.
still treated as a success. No error code is set.
1 – The operation succeeded.
Set a callback function to get state information.
It can be used to get state information about the SSL connections that are created from this context.
Parameters: callback – Callback function. The default prints information to stderr.
Adds the options set via bitmask in options to the Context.
!!! Options already set before are not cleared!
The behaviour of the SSL library can be changed by setting several options. The options are coded as bitmasks and can be combined by a logical or operation (|).
SSL.Context.set_options() and SSL.set_options() affect the (external) protocol behaviour of the SSL library. The (internal) behaviour of the API can be changed by using the similar SSL.Context.set_mode() and SSL.set_mode() functions.
During a handshake, the option settings of the SSL object are used. When a new SSL object is created from a context using SSL(), the current option setting is copied. Changes to ctx do not affect already created SSL objects. SSL.clear() does not affect the settings.
Parameters: op – bitmask of additional options specified in the SSL_CTX_set_options(3) manpage.
Returns: the new options bitmask after adding options.
Enables/disables session caching.
The mode is set by using m2.SSL_SESS_CACHE_* constants.
Parameters: mode – new mode value.
Returns: the previously set cache mode value.
Sets the session id context for the SSL.Context within which a session can be reused.
Parameters: id – Sessions are generated within a certain context. When exporting/importing sessions with i2d_SSL_SESSION/d2i_SSL_SESSION it would be possible to re-import a session generated from another context (e.g. another application), which might lead to malfunctions. Therefore each application must set its own session id context sid_ctx, which is used to distinguish the contexts and is stored in exported sessions. The sid_ctx can be any kind of binary data with a given length; it is therefore possible to use e.g. the name of the application and/or the hostname and/or service name.
Set new session timeout.
See self.get_session_timeout() for explanation of the session timeouts.
Parameters: timeout – new timeout value.
Returns: the previously set timeout value.
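The session-timeout rules described for get_session_timeout() and set_session_timeout() above (a session keeps the timeout valid when it was negotiated, later changes do not touch it, and expired sessions go away on flush) as an added pure-Python model; this is not M2Crypto or OpenSSL code, and SessionCacheModel and demo are hypothetical names chosen for the illustration.

```python
# Added example, not M2Crypto code: a pure-Python model of the documented
# session timeout semantics. Each session freezes the timeout in force when it
# was negotiated; later changes to the context timeout do not affect it.

DEFAULT_SESSION_TIMEOUT = 300  # documented default, in seconds, for all protocols


class SessionCacheModel:  # hypothetical stand-in for the context's session cache
    def __init__(self, timeout=DEFAULT_SESSION_TIMEOUT):
        self.timeout = timeout
        self._sessions = {}  # session id -> (creation time, timeout at creation)

    def get_session_timeout(self):
        return self.timeout

    def set_session_timeout(self, timeout):
        # Like SSL_CTX_set_timeout(): install the new value, return the previous one.
        previous, self.timeout = self.timeout, timeout
        return previous

    def add_session(self, sid, now):
        # The timeout valid at negotiation time is stored with the session.
        self._sessions[sid] = (now, self.timeout)
        return 1

    def is_reusable(self, sid, now):
        # Reused only while now is not later than creation time plus its own timeout.
        if sid not in self._sessions:
            return False
        created, timeout = self._sessions[sid]
        return now <= created + timeout

    def flush_sessions(self, now):
        # Model of SSL_CTX_flush_sessions(): drop expired sessions, return the count.
        expired = [sid for sid in self._sessions if not self.is_reusable(sid, now)]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)


def demo():
    cache = SessionCacheModel()
    cache.add_session(b"a", now=1000)              # frozen with the 300 s default
    previous = cache.set_session_timeout(60)       # returns 300
    cache.add_session(b"b", now=1000)              # frozen with 60 s
    reuse_a = cache.is_reusable(b"a", now=1200)    # 200 s old, limit 300: True
    reuse_b = cache.is_reusable(b"b", now=1200)    # 200 s old, limit 60: False
    removed = cache.flush_sessions(now=1200)       # only b is expired: 1
    return previous, reuse_a, reuse_b, removed
```

Lowering the timeout on a long-running context therefore only shortens the life of sessions negotiated afterwards; sessions already in the cache keep their original 300 s.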
Load ephemeral DH parameters into the context.
Parameters: dhpfile – Filename of the file containing the PEM-encoded DH parameters.
Sets the callback function for the SSL.Context to be used when DH parameters are required.
Parameters: callback – Callable to be used when DH parameters are required.
Load ephemeral RSA key into the context.
Parameters: rsa – RSA.RSA instance.
Sets the callback function to be used when a temporary/ephemeral RSA key is required.
Set verify options. Most applications will need to call this method with the right options to make a secure SSL connection.
Bases: SocketServer.TCPServer
Bases: SocketServer.ForkingMixIn, M2Crypto.SSL.SSLServer.SSLServer
Bases: SocketServer.ThreadingMixIn, M2Crypto.SSL.SSLServer.SSLServer
SSL Session
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved.
Make Twisted use M2Crypto for SSL
Copyright (c) 2004-2007 Open Source Applications Foundation. All rights reserved.
FIXME THIS HAS NOT BEEN FINISHED. NEITHER PEP484 NOR PORT PYTHON3 HAS BEEN FINISHED. THE FURTHER WORK WILL BE DONE WHEN THE STATUS OF TWISTED IN THE PYTHON 3 (AND ASYNCIO) WORLD WILL BE CLEAR.
A convenience function to start an SSL/TLS connection using Twisted.
See IReactorSSL interface in Twisted.
A convenience function to start a TCP connection using Twisted.
NOTE: You must call startTLS(ctx) to go into SSL/TLS mode.
See IReactorTCP interface in Twisted.
A convenience function to listen for SSL/TLS connections using Twisted.
See IReactorSSL interface in Twisted.
A convenience function to listen for TCP connections using Twisted.
NOTE: You must call startTLS(ctx) to go into SSL/TLS mode.
See IReactorTCP interface in Twisted.
Bases: twisted.protocols.policies.ProtocolWrapper
An SSL/TLS protocol wrapper to be used with Twisted. Typically you would not use this class directly. Use the connectTCP, connectSSL, listenTCP and listenSSL functions defined above, which will hook in this class.
Support for SSL socket timeouts.
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved.
Copyright 2008 Heikki Toivonen. All rights reserved.