Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 1 | .. _openssl-ssl: |
| 2 | |
| 3 | :py:mod:`SSL` --- An interface to the SSL-specific parts of OpenSSL |
| 4 | =================================================================== |
| 5 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 6 | .. py:module:: OpenSSL.SSL |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 7 | :synopsis: An interface to the SSL-specific parts of OpenSSL |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 8 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 9 | |
| 10 | This module handles things specific to SSL. There are two objects defined: |
| 11 | Context, Connection. |
| 12 | |
| 13 | .. py:data:: SSLv2_METHOD |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 14 | SSLv3_METHOD |
| 15 | SSLv23_METHOD |
| 16 | TLSv1_METHOD |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 17 | TLSv1_1_METHOD |
| 18 | TLSv1_2_METHOD |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 19 | |
| 20 | These constants represent the different SSL methods to use when creating a |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 21 | context object. If the underlying OpenSSL build is missing support for any |
| 22 | of these protocols, constructing a :py:class:`Context` using the |
| 23 | corresponding :py:const:`*_METHOD` will raise an exception. |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 24 | |
| 25 | |
| 26 | .. py:data:: VERIFY_NONE |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 27 | VERIFY_PEER |
| 28 | VERIFY_FAIL_IF_NO_PEER_CERT |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 29 | |
| 30 | These constants represent the verification mode used by the Context |
| 31 | object's :py:meth:`set_verify` method. |
| 32 | |
| 33 | |
| 34 | .. py:data:: FILETYPE_PEM |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 35 | FILETYPE_ASN1 |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 36 | |
| 37 | File type constants used with the :py:meth:`use_certificate_file` and |
| 38 | :py:meth:`use_privatekey_file` methods of Context objects. |
| 39 | |
| 40 | |
| 41 | .. py:data:: OP_SINGLE_DH_USE |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 42 | |
| 43 | Constant used with :py:meth:`set_options` of Context objects. |
| 44 | |
| 45 | When this option is used, a new key will always be created when using |
| 46 | ephemeral Diffie-Hellman. |
| 47 | |
| 48 | |
| 49 | .. py:data:: OP_EPHEMERAL_RSA |
| 50 | |
| 51 | Constant used with :py:meth:`set_options` of Context objects. |
| 52 | |
| 53 | When this option is used, ephemeral RSA keys will always be used when doing |
| 54 | RSA operations. |
| 55 | |
| 56 | |
| 57 | .. py:data:: OP_NO_TICKET |
| 58 | |
| 59 | Constant used with :py:meth:`set_options` of Context objects. |
| 60 | |
| 61 | When this option is used, the session ticket extension will not be used. |
| 62 | |
| 63 | |
| 64 | .. py:data:: OP_NO_COMPRESSION |
| 65 | |
| 66 | Constant used with :py:meth:`set_options` of Context objects. |
| 67 | |
| 68 | When this option is used, compression will not be used. |
| 69 | |
| 70 | |
| 71 | .. py:data:: OP_NO_SSLv2 |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 72 | OP_NO_SSLv3 |
| 73 | OP_NO_TLSv1 |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 74 | OP_NO_TLSv1_1 |
| 75 | OP_NO_TLSv1_2 |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 76 | |
| 77 | Constants used with :py:meth:`set_options` of Context objects. |
| 78 | |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 79 | Each of these options disables one version of the SSL/TLS protocol. This |
| 80 | is interesting if you're using e.g. :py:const:`SSLv23_METHOD` to get an |
| 81 | SSLv2-compatible handshake, but don't want to use SSLv2. If the underlying |
| 82 | OpenSSL build is missing support for any of these protocols, the |
| 83 | :py:const:`OP_NO_*` constant may be undefined. |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 84 | |
| 85 | |
| 86 | .. py:data:: SSLEAY_VERSION |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 87 | SSLEAY_CFLAGS |
| 88 | SSLEAY_BUILT_ON |
| 89 | SSLEAY_PLATFORM |
| 90 | SSLEAY_DIR |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 91 | |
| 92 | Constants used with :py:meth:`SSLeay_version` to specify what OpenSSL version |
| 93 | information to retrieve. See the man page for the :py:func:`SSLeay_version` C |
| 94 | API for details. |
| 95 | |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 96 | |
Jean-Paul Calderone | 8e8f90c | 2012-02-08 13:16:26 -0500 | [diff] [blame] | 97 | .. py:data:: SESS_CACHE_OFF |
| 98 | SESS_CACHE_CLIENT |
| 99 | SESS_CACHE_SERVER |
| 100 | SESS_CACHE_BOTH |
| 101 | SESS_CACHE_NO_AUTO_CLEAR |
| 102 | SESS_CACHE_NO_INTERNAL_LOOKUP |
| 103 | SESS_CACHE_NO_INTERNAL_STORE |
| 104 | SESS_CACHE_NO_INTERNAL |
| 105 | |
| 106 | Constants used with :py:meth:`Context.set_session_cache_mode` to specify |
| 107 | the behavior of the session cache and potential session reuse. See the man |
| 108 | page for the :py:func:`SSL_CTX_set_session_cache_mode` C API for details. |
| 109 | |
| 110 | .. versionadded:: 0.14 |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 111 | |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 112 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 113 | .. py:data:: OPENSSL_VERSION_NUMBER |
| 114 | |
| 115 | An integer giving the version number of the OpenSSL library used to build this |
| 116 | version of pyOpenSSL. See the man page for the :py:func:`SSLeay_version` C API |
| 117 | for details. |
| 118 | |
| 119 | |
| 120 | .. py:function:: SSLeay_version(type) |
| 121 | |
| 122 | Retrieve a string describing some aspect of the underlying OpenSSL version. The |
| 123 | type passed in should be one of the :py:const:`SSLEAY_*` constants defined in |
| 124 | this module. |
| 125 | |
| 126 | |
| 127 | .. py:data:: ContextType |
| 128 | |
| 129 | See :py:class:`Context`. |
| 130 | |
| 131 | |
| 132 | .. py:class:: Context(method) |
| 133 | |
| 134 | A class representing SSL contexts. Contexts define the parameters of one or |
| 135 | more SSL connections. |
| 136 | |
| 137 | *method* should be :py:const:`SSLv2_METHOD`, :py:const:`SSLv3_METHOD`, |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 138 | :py:const:`SSLv23_METHOD`, :py:const:`TLSv1_METHOD`, :py:const:`TLSv1_1_METHOD`, |
| 139 | or :py:const:`TLSv1_2_METHOD`. |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 140 | |
| 141 | |
Jean-Paul Calderone | 6c896fe | 2012-02-16 08:10:04 -0500 | [diff] [blame] | 142 | .. py:class:: Session() |
| 143 | |
| 144 | A class representing an SSL session. A session defines certain connection |
| 145 | parameters which may be re-used to speed up the setup of subsequent |
| 146 | connections. |
| 147 | |
| 148 | .. versionadded:: 0.14 |
| 149 | |
| 150 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 151 | .. py:data:: ConnectionType |
| 152 | |
| 153 | See :py:class:`Connection`. |
| 154 | |
| 155 | |
| 156 | .. py:class:: Connection(context, socket) |
| 157 | |
| 158 | A class representing SSL connections. |
| 159 | |
| 160 | *context* should be an instance of :py:class:`Context` and *socket* |
| 161 | should be a socket [#connection-context-socket]_ object. *socket* may be |
| 162 | *None*; in this case, the Connection is created with a memory BIO: see |
| 163 | the :py:meth:`bio_read`, :py:meth:`bio_write`, and :py:meth:`bio_shutdown` |
| 164 | methods. |
| 165 | |
| 166 | .. py:exception:: Error |
| 167 | |
| 168 | This exception is used as a base class for the other SSL-related |
| 169 | exceptions, but may also be raised directly. |
| 170 | |
| 171 | Whenever this exception is raised directly, it has a list of error messages |
| 172 | from the OpenSSL error queue, where each item is a tuple *(lib, function, |
| 173 | reason)*. Here *lib*, *function* and *reason* are all strings, describing |
| 174 | where and what the problem is. See :manpage:`err(3)` for more information. |
| 175 | |
| 176 | |
| 177 | .. py:exception:: ZeroReturnError |
| 178 | |
| 179 | This exception matches the error return code |
| 180 | :py:data:`SSL_ERROR_ZERO_RETURN`, and is raised when the SSL Connection has |
| 181 | been closed. In SSL 3.0 and TLS 1.0, this only occurs if a closure alert has |
| 182 | occurred in the protocol, i.e. the connection has been closed cleanly. Note |
| 183 | that this does not necessarily mean that the transport layer (e.g. a socket) |
| 184 | has been closed. |
| 185 | |
| 186 | It may seem a little strange that this is an exception, but it does match an |
| 187 | :py:data:`SSL_ERROR` code, and is very convenient. |
| 188 | |
| 189 | |
| 190 | .. py:exception:: WantReadError |
| 191 | |
| 192 | The operation did not complete; the same I/O method should be called again |
| 193 | later, with the same arguments. Any I/O method can lead to this since new |
| 194 | handshakes can occur at any time. |
| 195 | |
| 196 | The wanted read is for **dirty** data sent over the network, not the |
| 197 | **clean** data inside the tunnel. For a socket based SSL connection, |
| 198 | **read** means data coming at us over the network. Until that read |
| 199 | succeeds, the attempted :py:meth:`OpenSSL.SSL.Connection.recv`, |
| 200 | :py:meth:`OpenSSL.SSL.Connection.send`, or |
| 201 | :py:meth:`OpenSSL.SSL.Connection.do_handshake` is prevented or incomplete. You |
| 202 | probably want to :py:meth:`select()` on the socket before trying again. |
| 203 | |
| 204 | |
| 205 | .. py:exception:: WantWriteError |
| 206 | |
| 207 | See :py:exc:`WantReadError`. The socket send buffer may be too full to |
| 208 | write more data. |
| 209 | |
| 210 | |
| 211 | .. py:exception:: WantX509LookupError |
| 212 | |
| 213 | The operation did not complete because an application callback has asked to be |
| 214 | called again. The I/O method should be called again later, with the same |
| 215 | arguments. |
| 216 | |
| 217 | .. note:: This won't occur in this version, as there are no such |
| 218 | callbacks in this version. |
| 219 | |
| 220 | |
| 221 | .. py:exception:: SysCallError |
| 222 | |
| 223 | The :py:exc:`SysCallError` occurs when there's an I/O error and OpenSSL's |
| 224 | error queue does not contain any information. This can mean two things: An |
| 225 | error in the transport protocol, or an end of file that violates the protocol. |
| 226 | The parameter to the exception is always a pair *(errnum, |
| 227 | errstr)*. |
| 228 | |
| 229 | |
| 230 | |
| 231 | .. _openssl-context: |
| 232 | |
| 233 | Context objects |
| 234 | --------------- |
| 235 | |
| 236 | Context objects have the following methods: |
| 237 | |
| 238 | .. :py:class:: OpenSSL.SSL.Context |
| 239 | |
| 240 | .. py:method:: Context.check_privatekey() |
| 241 | |
| 242 | Check if the private key (loaded with :py:meth:`use_privatekey`) matches the |
| 243 | certificate (loaded with :py:meth:`use_certificate`). Returns |
| 244 | :py:data:`None` if they match, raises :py:exc:`Error` otherwise. |
| 245 | |
| 246 | |
| 247 | .. py:method:: Context.get_app_data() |
| 248 | |
| 249 | Retrieve application data as set by :py:meth:`set_app_data`. |
| 250 | |
| 251 | |
| 252 | .. py:method:: Context.get_cert_store() |
| 253 | |
| 254 | Retrieve the certificate store (a X509Store object) that the context uses. |
Alex Gaynor | 6b5028d | 2014-03-31 14:23:57 -0700 | [diff] [blame] | 255 | This can be used to add "trusted" certificates without using the |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 256 | :py:meth:`load_verify_locations` method. |
| 257 | |
| 258 | |
| 259 | .. py:method:: Context.get_timeout() |
| 260 | |
| 261 | Retrieve session timeout, as set by :py:meth:`set_timeout`. The default is 300 |
| 262 | seconds. |
| 263 | |
| 264 | |
| 265 | .. py:method:: Context.get_verify_depth() |
| 266 | |
| 267 | Retrieve the Context object's verify depth, as set by |
| 268 | :py:meth:`set_verify_depth`. |
| 269 | |
| 270 | |
| 271 | .. py:method:: Context.get_verify_mode() |
| 272 | |
| 273 | Retrieve the Context object's verify mode, as set by :py:meth:`set_verify`. |
| 274 | |
| 275 | |
| 276 | .. py:method:: Context.load_client_ca(pemfile) |
| 277 | |
| 278 | Read a file with PEM-formatted certificates that will be sent to the client |
| 279 | when requesting a client certificate. |
| 280 | |
| 281 | |
| 282 | .. py:method:: Context.set_client_ca_list(certificate_authorities) |
| 283 | |
| 284 | Replace the current list of preferred certificate signers that would be |
| 285 | sent to the client when requesting a client certificate with the |
| 286 | *certificate_authorities* sequence of :py:class:`OpenSSL.crypto.X509Name`'s. |
| 287 | |
| 288 | .. versionadded:: 0.10 |
| 289 | |
| 290 | |
| 291 | .. py:method:: Context.add_client_ca(certificate_authority) |
| 292 | |
| 293 | Extract a :py:class:`OpenSSL.crypto.X509Name` from the *certificate_authority* |
| 294 | :py:class:`OpenSSL.crypto.X509` certificate and add it to the list of preferred |
| 295 | certificate signers sent to the client when requesting a client certificate. |
| 296 | |
| 297 | .. versionadded:: 0.10 |
| 298 | |
| 299 | |
| 300 | .. py:method:: Context.load_verify_locations(pemfile, capath) |
| 301 | |
| 302 | Specify where CA certificates for verification purposes are located. These |
| 303 | are trusted certificates. Note that the certificates have to be in PEM |
| 304 | format. If capath is passed, it must be a directory prepared using the |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 305 | ``c_rehash`` tool included with OpenSSL. Either, but not both, of |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 306 | *pemfile* or *capath* may be :py:data:`None`. |
| 307 | |
| 308 | |
| 309 | .. py:method:: Context.set_default_verify_paths() |
| 310 | |
| 311 | Specify that the platform provided CA certificates are to be used for |
| 312 | verification purposes. This method may not work properly on OS X. |
| 313 | |
| 314 | |
| 315 | .. py:method:: Context.load_tmp_dh(dhfile) |
| 316 | |
| 317 | Load parameters for Ephemeral Diffie-Hellman from *dhfile*. |
| 318 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 319 | |
| 320 | .. py:method:: Context.set_tmp_ecdh_curve(curve) |
Alex Gaynor | d5419e2 | 2014-01-19 21:03:36 -0600 | [diff] [blame] | 321 | |
Andy Lutomirski | f05a273 | 2014-03-13 17:22:25 -0700 | [diff] [blame] | 322 | Select a curve to use for ECDHE key exchange. |
Alex Gaynor | d5419e2 | 2014-01-19 21:03:36 -0600 | [diff] [blame] | 323 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 324 | The valid values of *curve* are the objects returned by |
| 325 | :py:func:`OpenSSL.crypto.get_elliptic_curves` or |
| 326 | :py:func:`OpenSSL.crypto.get_elliptic_curve`. |
Alex Gaynor | d5419e2 | 2014-01-19 21:03:36 -0600 | [diff] [blame] | 327 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 328 | |
| 329 | .. py:method:: Context.set_app_data(data) |
| 330 | |
| 331 | Associate *data* with this Context object. *data* can be retrieved |
| 332 | later using the :py:meth:`get_app_data` method. |
| 333 | |
| 334 | |
| 335 | .. py:method:: Context.set_cipher_list(ciphers) |
| 336 | |
| 337 | Set the list of ciphers to be used in this context. See the OpenSSL manual for |
| 338 | more information (e.g. :manpage:`ciphers(1)`) |
| 339 | |
| 340 | |
| 341 | .. py:method:: Context.set_info_callback(callback) |
| 342 | |
| 343 | Set the information callback to *callback*. This function will be called |
| 344 | from time to time during SSL handshakes. |
| 345 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 346 | *callback* should take three arguments: a Connection object and two integers. |
| 347 | The first integer specifies where in the SSL handshake the function was |
| 348 | called, and the other the return code from a (possibly failed) internal |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 349 | function call. |
| 350 | |
| 351 | |
| 352 | .. py:method:: Context.set_options(options) |
| 353 | |
| 354 | Add SSL options. Options you have set before are not cleared! |
| 355 | This method should be used with the :py:const:`OP_*` constants. |
| 356 | |
| 357 | |
Jean-Paul Calderone | 2164154 | 2011-09-11 09:18:14 -0400 | [diff] [blame] | 358 | .. py:method:: Context.set_mode(mode) |
| 359 | |
| 360 | Add SSL mode. Modes you have set before are not cleared! This method should |
| 361 | be used with the :py:const:`MODE_*` constants. |
| 362 | |
| 363 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 364 | .. py:method:: Context.set_passwd_cb(callback[, userdata]) |
| 365 | |
| 366 | Set the passphrase callback to *callback*. This function will be called |
| 367 | when a private key with a passphrase is loaded. *callback* must accept |
| 368 | three positional arguments. First, an integer giving the maximum length of |
| 369 | the passphrase it may return. If the returned passphrase is longer than |
| 370 | this, it will be truncated. Second, a boolean value which will be true if |
| 371 | the user should be prompted for the passphrase twice and the callback should |
| 372 | verify that the two values supplied are equal. Third, the value given as the |
| 373 | *userdata* parameter to :py:meth:`set_passwd_cb`. If an error occurs, |
| 374 | *callback* should return a false value (e.g. an empty string). |
| 375 | |
| 376 | |
Jean-Paul Calderone | 8e8f90c | 2012-02-08 13:16:26 -0500 | [diff] [blame] | 377 | .. py:method:: Context.set_session_cache_mode(mode) |
| 378 | |
| 379 | Set the behavior of the session cache used by all connections using this |
| 380 | Context. The previously set mode is returned. See :py:const:`SESS_CACHE_*` |
| 381 | for details about particular modes. |
| 382 | |
| 383 | .. versionadded:: 0.14 |
| 384 | |
| 385 | |
| 386 | .. py:method:: Context.get_session_cache_mode() |
| 387 | |
| 388 | Get the current session cache mode. |
| 389 | |
| 390 | .. versionadded:: 0.14 |
| 391 | |
| 392 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 393 | .. py:method:: Context.set_session_id(name) |
| 394 | |
| 395 | Set the context *name* within which a session can be reused for this |
| 396 | Context object. This is needed when doing session resumption, because there is |
| 397 | no way for a stored session to know which Context object it is associated with. |
| 398 | *name* may be any binary data. |
| 399 | |
| 400 | |
| 401 | .. py:method:: Context.set_timeout(timeout) |
| 402 | |
| 403 | Set the timeout for newly created sessions for this Context object to |
| 404 | *timeout*. *timeout* must be given in (whole) seconds. The default |
| 405 | value is 300 seconds. See the OpenSSL manual for more information (e.g. |
| 406 | :manpage:`SSL_CTX_set_timeout(3)`). |
| 407 | |
| 408 | |
| 409 | .. py:method:: Context.set_verify(mode, callback) |
| 410 | |
| 411 | Set the verification flags for this Context object to *mode* and specify |
| 412 | that *callback* should be used for verification callbacks. *mode* should be |
| 413 | one of :py:const:`VERIFY_NONE` and :py:const:`VERIFY_PEER`. If |
| 414 | :py:const:`VERIFY_PEER` is used, *mode* can be OR:ed with |
| 415 | :py:const:`VERIFY_FAIL_IF_NO_PEER_CERT` and :py:const:`VERIFY_CLIENT_ONCE` |
| 416 | to further control the behaviour. |
| 417 | |
| 418 | *callback* should take five arguments: A Connection object, an X509 object, |
| 419 | and three integer variables, which are in turn potential error number, error |
| 420 | depth and return code. *callback* should return true if verification passes |
| 421 | and false otherwise. |
| 422 | |
| 423 | |
| 424 | .. py:method:: Context.set_verify_depth(depth) |
| 425 | |
| 426 | Set the maximum depth for the certificate chain verification that shall be |
| 427 | allowed for this Context object. |
| 428 | |
| 429 | |
| 430 | .. py:method:: Context.use_certificate(cert) |
| 431 | |
| 432 | Use the certificate *cert* which has to be a X509 object. |
| 433 | |
| 434 | |
| 435 | .. py:method:: Context.add_extra_chain_cert(cert) |
| 436 | |
| 437 | Adds the certificate *cert*, which has to be a X509 object, to the |
| 438 | certificate chain presented together with the certificate. |
| 439 | |
| 440 | |
| 441 | .. py:method:: Context.use_certificate_chain_file(file) |
| 442 | |
| 443 | Load a certificate chain from *file* which must be PEM encoded. |
| 444 | |
| 445 | |
| 446 | .. py:method:: Context.use_privatekey(pkey) |
| 447 | |
| 448 | Use the private key *pkey* which has to be a PKey object. |
| 449 | |
| 450 | |
| 451 | .. py:method:: Context.use_certificate_file(file[, format]) |
| 452 | |
| 453 | Load the first certificate found in *file*. The certificate must be in the |
| 454 | format specified by *format*, which is either :py:const:`FILETYPE_PEM` or |
| 455 | :py:const:`FILETYPE_ASN1`. The default is :py:const:`FILETYPE_PEM`. |
| 456 | |
| 457 | |
| 458 | .. py:method:: Context.use_privatekey_file(file[, format]) |
| 459 | |
| 460 | Load the first private key found in *file*. The private key must be in the |
| 461 | format specified by *format*, which is either :py:const:`FILETYPE_PEM` or |
| 462 | :py:const:`FILETYPE_ASN1`. The default is :py:const:`FILETYPE_PEM`. |
| 463 | |
| 464 | |
| 465 | .. py:method:: Context.set_tlsext_servername_callback(callback) |
| 466 | |
| 467 | Specify a one-argument callable to use as the TLS extension server name |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 468 | callback. When a connection using the server name extension is made using |
| 469 | this context, the callback will be invoked with the :py:class:`Connection` |
| 470 | instance. |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 471 | |
| 472 | .. versionadded:: 0.13 |
| 473 | |
| 474 | |
Jean-Paul Calderone | 6c896fe | 2012-02-16 08:10:04 -0500 | [diff] [blame] | 475 | .. _openssl-session: |
| 476 | |
| 477 | Session objects |
| 478 | --------------- |
| 479 | |
| 480 | Session objects have no methods. |
| 481 | |
| 482 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 483 | .. _openssl-connection: |
| 484 | |
| 485 | Connection objects |
| 486 | ------------------ |
| 487 | |
| 488 | Connection objects have the following methods: |
| 489 | |
| 490 | .. py:method:: Connection.accept() |
| 491 | |
| 492 | Call the :py:meth:`accept` method of the underlying socket and set up SSL on the |
| 493 | returned socket, using the Context object supplied to this Connection object at |
| 494 | creation. Returns a pair *(conn, address)*. where *conn* is the new |
| 495 | Connection object created, and *address* is as returned by the socket's |
| 496 | :py:meth:`accept`. |
| 497 | |
| 498 | |
| 499 | .. py:method:: Connection.bind(address) |
| 500 | |
| 501 | Call the :py:meth:`bind` method of the underlying socket. |
| 502 | |
| 503 | |
| 504 | .. py:method:: Connection.close() |
| 505 | |
| 506 | Call the :py:meth:`close` method of the underlying socket. Note: If you want |
| 507 | correct SSL closure, you need to call the :py:meth:`shutdown` method first. |
| 508 | |
| 509 | |
| 510 | .. py:method:: Connection.connect(address) |
| 511 | |
| 512 | Call the :py:meth:`connect` method of the underlying socket and set up SSL on the |
| 513 | socket, using the Context object supplied to this Connection object at |
| 514 | creation. |
| 515 | |
| 516 | |
| 517 | .. py:method:: Connection.connect_ex(address) |
| 518 | |
| 519 | Call the :py:meth:`connect_ex` method of the underlying socket and set up SSL on |
| 520 | the socket, using the Context object supplied to this Connection object at |
| 521 | creation. Note that if the :py:meth:`connect_ex` method of the socket doesn't |
| 522 | return 0, SSL won't be initialized. |
| 523 | |
| 524 | |
| 525 | .. py:method:: Connection.do_handshake() |
| 526 | |
| 527 | Perform an SSL handshake (usually called after :py:meth:`renegotiate` or one of |
| 528 | :py:meth:`set_accept_state` or :py:meth:`set_accept_state`). This can raise the |
| 529 | same exceptions as :py:meth:`send` and :py:meth:`recv`. |
| 530 | |
| 531 | |
| 532 | .. py:method:: Connection.fileno() |
| 533 | |
| 534 | Retrieve the file descriptor number for the underlying socket. |
| 535 | |
| 536 | |
| 537 | .. py:method:: Connection.listen(backlog) |
| 538 | |
| 539 | Call the :py:meth:`listen` method of the underlying socket. |
| 540 | |
| 541 | |
| 542 | .. py:method:: Connection.get_app_data() |
| 543 | |
| 544 | Retrieve application data as set by :py:meth:`set_app_data`. |
| 545 | |
| 546 | |
| 547 | .. py:method:: Connection.get_cipher_list() |
| 548 | |
| 549 | Retrieve the list of ciphers used by the Connection object. WARNING: This API |
| 550 | has changed. It used to take an optional parameter and just return a string, |
| 551 | but not it returns the entire list in one go. |
| 552 | |
| 553 | |
| 554 | .. py:method:: Connection.get_client_ca_list() |
| 555 | |
| 556 | Retrieve the list of preferred client certificate issuers sent by the server |
| 557 | as :py:class:`OpenSSL.crypto.X509Name` objects. |
| 558 | |
| 559 | If this is a client :py:class:`Connection`, the list will be empty until the |
| 560 | connection with the server is established. |
| 561 | |
| 562 | If this is a server :py:class:`Connection`, return the list of certificate |
| 563 | authorities that will be sent or has been sent to the client, as controlled |
| 564 | by this :py:class:`Connection`'s :py:class:`Context`. |
| 565 | |
| 566 | .. versionadded:: 0.10 |
| 567 | |
| 568 | |
| 569 | .. py:method:: Connection.get_context() |
| 570 | |
| 571 | Retrieve the Context object associated with this Connection. |
| 572 | |
| 573 | |
| 574 | .. py:method:: Connection.set_context(context) |
| 575 | |
| 576 | Specify a replacement Context object for this Connection. |
| 577 | |
| 578 | |
| 579 | .. py:method:: Connection.get_peer_certificate() |
| 580 | |
| 581 | Retrieve the other side's certificate (if any) |
| 582 | |
| 583 | |
| 584 | .. py:method:: Connection.get_peer_cert_chain() |
| 585 | |
| 586 | Retrieve the tuple of the other side's certificate chain (if any) |
| 587 | |
| 588 | |
| 589 | .. py:method:: Connection.getpeername() |
| 590 | |
| 591 | Call the :py:meth:`getpeername` method of the underlying socket. |
| 592 | |
| 593 | |
| 594 | .. py:method:: Connection.getsockname() |
| 595 | |
| 596 | Call the :py:meth:`getsockname` method of the underlying socket. |
| 597 | |
| 598 | |
| 599 | .. py:method:: Connection.getsockopt(level, optname[, buflen]) |
| 600 | |
| 601 | Call the :py:meth:`getsockopt` method of the underlying socket. |
| 602 | |
| 603 | |
| 604 | .. py:method:: Connection.pending() |
| 605 | |
| 606 | Retrieve the number of bytes that can be safely read from the SSL buffer |
| 607 | (**not** the underlying transport buffer). |
| 608 | |
| 609 | |
| 610 | .. py:method:: Connection.recv(bufsize) |
| 611 | |
| 612 | Receive data from the Connection. The return value is a string representing the |
| 613 | data received. The maximum amount of data to be received at once, is specified |
| 614 | by *bufsize*. |
| 615 | |
| 616 | |
| 617 | .. py:method:: Connection.bio_write(bytes) |
| 618 | |
| 619 | If the Connection was created with a memory BIO, this method can be used to add |
| 620 | bytes to the read end of that memory BIO. The Connection can then read the |
| 621 | bytes (for example, in response to a call to :py:meth:`recv`). |
| 622 | |
| 623 | |
| 624 | .. py:method:: Connection.renegotiate() |
| 625 | |
| 626 | Renegotiate the SSL session. Call this if you wish to change cipher suites or |
| 627 | anything like that. |
| 628 | |
| 629 | |
| 630 | .. py:method:: Connection.send(string) |
| 631 | |
| 632 | Send the *string* data to the Connection. |
| 633 | |
| 634 | |
| 635 | .. py:method:: Connection.bio_read(bufsize) |
| 636 | |
| 637 | If the Connection was created with a memory BIO, this method can be used to |
| 638 | read bytes from the write end of that memory BIO. Many Connection methods will |
| 639 | add bytes which must be read in this manner or the buffer will eventually fill |
| 640 | up and the Connection will be able to take no further actions. |
| 641 | |
| 642 | |
| 643 | .. py:method:: Connection.sendall(string) |
| 644 | |
| 645 | Send all of the *string* data to the Connection. This calls :py:meth:`send` |
| 646 | repeatedly until all data is sent. If an error occurs, it's impossible to tell |
| 647 | how much data has been sent. |
| 648 | |
| 649 | |
| 650 | .. py:method:: Connection.set_accept_state() |
| 651 | |
| 652 | Set the connection to work in server mode. The handshake will be handled |
| 653 | automatically by read/write. |
| 654 | |
| 655 | |
| 656 | .. py:method:: Connection.set_app_data(data) |
| 657 | |
| 658 | Associate *data* with this Connection object. *data* can be retrieved |
| 659 | later using the :py:meth:`get_app_data` method. |
| 660 | |
| 661 | |
| 662 | .. py:method:: Connection.set_connect_state() |
| 663 | |
| 664 | Set the connection to work in client mode. The handshake will be handled |
| 665 | automatically by read/write. |
| 666 | |
| 667 | |
| 668 | .. py:method:: Connection.setblocking(flag) |
| 669 | |
| 670 | Call the :py:meth:`setblocking` method of the underlying socket. |
| 671 | |
| 672 | |
| 673 | .. py:method:: Connection.setsockopt(level, optname, value) |
| 674 | |
| 675 | Call the :py:meth:`setsockopt` method of the underlying socket. |
| 676 | |
| 677 | |
| 678 | .. py:method:: Connection.shutdown() |
| 679 | |
| 680 | Send the shutdown message to the Connection. Returns true if the shutdown |
| 681 | message exchange is completed and false otherwise (in which case you call |
| 682 | :py:meth:`recv` or :py:meth:`send` when the connection becomes |
| 683 | readable/writeable. |
| 684 | |
| 685 | |
| 686 | .. py:method:: Connection.get_shutdown() |
| 687 | |
| 688 | Get the shutdown state of the Connection. Returns a bitvector of either or |
| 689 | both of *SENT_SHUTDOWN* and *RECEIVED_SHUTDOWN*. |
| 690 | |
| 691 | |
| 692 | .. py:method:: Connection.set_shutdown(state) |
| 693 | |
| 694 | Set the shutdown state of the Connection. *state* is a bitvector of |
| 695 | either or both of *SENT_SHUTDOWN* and *RECEIVED_SHUTDOWN*. |
| 696 | |
| 697 | |
| 698 | .. py:method:: Connection.sock_shutdown(how) |
| 699 | |
| 700 | Call the :py:meth:`shutdown` method of the underlying socket. |
| 701 | |
| 702 | |
| 703 | .. py:method:: Connection.bio_shutdown() |
| 704 | |
| 705 | If the Connection was created with a memory BIO, this method can be used to |
| 706 | indicate that *end of file* has been reached on the read end of that memory |
| 707 | BIO. |
| 708 | |
| 709 | |
| 710 | .. py:method:: Connection.state_string() |
| 711 | |
| 712 | Retrieve a verbose string detailing the state of the Connection. |
| 713 | |
| 714 | |
| 715 | .. py:method:: Connection.client_random() |
| 716 | |
| 717 | Retrieve the random value used with the client hello message. |
| 718 | |
| 719 | |
| 720 | .. py:method:: Connection.server_random() |
| 721 | |
| 722 | Retrieve the random value used with the server hello message. |
| 723 | |
| 724 | |
| 725 | .. py:method:: Connection.master_key() |
| 726 | |
| 727 | Retrieve the value of the master key for this session. |
| 728 | |
| 729 | |
| 730 | .. py:method:: Connection.want_read() |
| 731 | |
| 732 | Checks if more data has to be read from the transport layer to complete an |
| 733 | operation. |
| 734 | |
| 735 | |
| 736 | .. py:method:: Connection.want_write() |
| 737 | |
| 738 | Checks if there is data to write to the transport layer to complete an |
| 739 | operation. |
| 740 | |
| 741 | |
| 742 | .. py:method:: Connection.set_tlsext_host_name(name) |
| 743 | |
| 744 | Specify the byte string to send as the server name in the client hello message. |
| 745 | |
| 746 | .. versionadded:: 0.13 |
| 747 | |
| 748 | |
| 749 | .. py:method:: Connection.get_servername() |
| 750 | |
| 751 | Get the value of the server name received in the client hello message. |
| 752 | |
| 753 | .. versionadded:: 0.13 |
| 754 | |
| 755 | |
Jean-Paul Calderone | 6c896fe | 2012-02-16 08:10:04 -0500 | [diff] [blame] | 756 | .. py:method:: Connection.get_session() |
| 757 | |
| 758 | Get a :py:class:`Session` instance representing the SSL session in use by |
| 759 | the connection, or :py:obj:`None` if there is no session. |
| 760 | |
| 761 | .. versionadded:: 0.14 |
| 762 | |
| 763 | |
| 764 | .. py:method:: Connection.set_session(session) |
| 765 | |
| 766 | Set a new SSL session (using a :py:class:`Session` instance) to be used by |
| 767 | the connection. |
| 768 | |
| 769 | .. versionadded:: 0.14 |
| 770 | |
| 771 | |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 772 | .. py:method:: Connection.get_finished() |
| 773 | |
| 774 | Obtain latest TLS Finished message that we sent, or :py:obj:`None` if |
| 775 | handshake is not completed. |
| 776 | |
| 777 | .. versionadded:: 0.15 |
| 778 | |
Jean-Paul Calderone | 7c556ef | 2014-03-30 10:45:00 -0400 | [diff] [blame] | 779 | |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 780 | .. py:method:: Connection.get_peer_finished() |
| 781 | |
| 782 | Obtain latest TLS Finished message that we expected from peer, or |
| 783 | :py:obj:`None` if handshake is not completed. |
| 784 | |
| 785 | .. versionadded:: 0.15 |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 786 | |
Jean-Paul Calderone | 7c556ef | 2014-03-30 10:45:00 -0400 | [diff] [blame] | 787 | |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 788 | .. py:method:: Connection.get_cipher_name() |
| 789 | |
| 790 | Obtain the name of the currently used cipher. |
| 791 | |
| 792 | .. versionadded:: 0.15 |
| 793 | |
Jean-Paul Calderone | 7c556ef | 2014-03-30 10:45:00 -0400 | [diff] [blame] | 794 | |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 795 | .. py:method:: Connection.get_cipher_bits() |
| 796 | |
| 797 | Obtain the number of secret bits of the currently used cipher. |
| 798 | |
| 799 | .. versionadded:: 0.15 |
| 800 | |
Jean-Paul Calderone | 7c556ef | 2014-03-30 10:45:00 -0400 | [diff] [blame] | 801 | |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 802 | .. py:method:: Connection.get_cipher_version() |
| 803 | |
| 804 | Obtain the protocol name of the currently used cipher. |
| 805 | |
| 806 | .. versionadded:: 0.15 |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 807 | |
Jean-Paul Calderone | 7c556ef | 2014-03-30 10:45:00 -0400 | [diff] [blame] | 808 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 809 | .. Rubric:: Footnotes |
| 810 | |
| 811 | .. [#connection-context-socket] Actually, all that is required is an object that |
| 812 | **behaves** like a socket, you could even use files, even though it'd be |
| 813 | tricky to get the handshakes right! |