ssl
This module provides some more Pythonic support for SSL.
Object types:
SSLSocket – subtype of socket.socket which does SSL over the socket
Exceptions:
SSLError – exception raised for I/O errors
Functions:
- cert_time_to_seconds – convert time string used for certificate notBefore and notAfter functions to integer seconds past the Epoch (the time values returned from time.time())
- fetch_server_certificate (HOST, PORT) – fetch the certificate provided by the server running on HOST at port PORT. No validation of the certificate is performed.
Integer constants:
SSL_ERROR_ZERO_RETURN SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE SSL_ERROR_WANT_X509_LOOKUP SSL_ERROR_SYSCALL SSL_ERROR_SSL SSL_ERROR_WANT_CONNECT SSL_ERROR_EOF SSL_ERROR_INVALID_ERROR_CODE
The following group defines the certificate requirements that one side is allowing/requiring from the other side:
- CERT_NONE - no certificates from the other side are required (or will be looked at if provided)
- CERT_OPTIONAL - certificates are not required, but if provided will be validated, and if validation fails, the connection will also fail
- CERT_REQUIRED - certificates are required, and will be validated, and if validation fails, the connection will also fail
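As an added example (not part of the ssl module's own documentation), the CERT_* settings above and cert_time_to_seconds in use: a hardened client context beside the weakened one, a check that verification is actually enforced, and a validity-window check on a constructed getpeercert()-style dictionary. It assumes Python 3 with an OpenSSL-backed ssl module; the certificate values are made up.

```python
import ssl
import time

# Constructed sample in the decoded shape returned by SSLSocket.getpeercert();
# the subject, names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan  5 09:34:43 2018 GMT",
    "notAfter": "Jan  5 09:34:43 2019 GMT",
}


def validity_window(cert):
    """Return (notBefore, notAfter) as integer seconds since the Epoch."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def is_within_validity(cert, now=None):
    """True if the certificate is valid at 'now' (Epoch seconds, default time.time())."""
    if now is None:
        now = time.time()
    not_before, not_after = validity_window(cert)
    return not_before <= now <= not_after


def verification_enforced(ctx):
    """True only if the context validates the peer chain AND checks the hostname.

    CERT_OPTIONAL or CERT_NONE on a client means an unauthenticated peer is accepted.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def hardened_client_context():
    # Defaults: CERT_REQUIRED, check_hostname=True, system CA store loaded.
    return ssl.create_default_context()


def weakened_client_context():
    # The weak setting: CERT_NONE means the peer's certificate is not even looked at.
    # check_hostname must be cleared first; assigning CERT_NONE while it is set
    # raises ValueError, which is the library refusing an inconsistent configuration.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```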
The following constants identify various SSL protocol variants:
PROTOCOL_SSLv2 PROTOCOL_SSLv3 PROTOCOL_SSLv23 PROTOCOL_TLSv1 PROTOCOL_TLSv1_1 PROTOCOL_TLSv1_2
The following constants identify various SSL alert message descriptions as per http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
ALERT_DESCRIPTION_CLOSE_NOTIFY ALERT_DESCRIPTION_UNEXPECTED_MESSAGE ALERT_DESCRIPTION_BAD_RECORD_MAC ALERT_DESCRIPTION_RECORD_OVERFLOW ALERT_DESCRIPTION_DECOMPRESSION_FAILURE ALERT_DESCRIPTION_HANDSHAKE_FAILURE ALERT_DESCRIPTION_BAD_CERTIFICATE ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE ALERT_DESCRIPTION_CERTIFICATE_REVOKED ALERT_DESCRIPTION_CERTIFICATE_EXPIRED ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN ALERT_DESCRIPTION_ILLEGAL_PARAMETER ALERT_DESCRIPTION_UNKNOWN_CA ALERT_DESCRIPTION_ACCESS_DENIED ALERT_DESCRIPTION_DECODE_ERROR ALERT_DESCRIPTION_DECRYPT_ERROR ALERT_DESCRIPTION_PROTOCOL_VERSION ALERT_DESCRIPTION_INSUFFICIENT_SECURITY ALERT_DESCRIPTION_INTERNAL_ERROR ALERT_DESCRIPTION_USER_CANCELLED ALERT_DESCRIPTION_NO_RENEGOTIATION ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE ALERT_DESCRIPTION_UNRECOGNIZED_NAME ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY
Functions

DER_cert_to_PEM_cert(der_cert_bytes)
    Takes a certificate in binary DER format and returns the PEM version of it as a string.
PEM_cert_to_DER_cert(pem_cert_string)
    Takes a certificate in ASCII PEM format and returns the
RAND_add(string, entropy)
    Mix string into the OpenSSL PRNG state.
RAND_egd(path) -> bytes
    Queries the entropy gather daemon (EGD) on the socket named by ‘path’.
RAND_status() -> 0 or 1
    Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.
cert_time_to_seconds(cert_time)
    Return the time in seconds since the Epoch, given the timestring representing the “notBefore” or “notAfter” date from a certificate in "%b %d %H:%M:%S %Y %Z" strptime format (C locale).
create_connection(address[, timeout, ...])
    Connect to address and return the socket object.
create_default_context([purpose, shortname, ...])
    Create an SSLContext object with default settings.
get_default_verify_paths()
    Return paths to default cafile and capath.
get_protocol_name(protocol_code)
get_server_certificate(addr[, ssl_version, ...])
    Retrieve the certificate from the server at the specified address, and return it as a PEM-encoded string.
match_hostname(cert, hostname)
    Verify that cert (in decoded format as returned by SSLSocket.getpeercert()) matches the hostname.
namedtuple(typename, field_names[, verbose, ...])
    Returns a new subclass of tuple with named fields.
sslwrap_simple(sock[, keyfile, certfile])
    A replacement for the old socket.ssl function.
wrap_socket(sock[, keyfile, certfile, ...])
Classes

DefaultVerifyPaths
Purpose
    SSLContext purpose flags with X509v3 Extended Key Usage objects
SSLContext(protocol)
    An SSLContext holds various SSL-related configuration options and data, such as certificates and possibly a private key.
SSLSocket([sock, keyfile, certfile, ...])
    This class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.
closing(thing)
    Context to automatically close something at the end of a block.
socket
    alias of _socketobject
Exceptions

CertificateError
SSLEOFError
    SSL/TLS connection terminated abruptly.
SSLError
    An error occurred in the SSL implementation.
SSLSyscallError
    System error when attempting SSL operation.
SSLWantReadError
    Non-blocking SSL socket needs to read more data before the requested operation can be completed.
SSLWantWriteError
    Non-blocking SSL socket needs to write more data before the requested operation can be completed.
SSLZeroReturnError
    SSL/TLS session closed cleanly.
socket_error
    alias of error