Lines Matching +full:dns +full:- +full:root +full:- +full:data

1 :mod:`ssl` --- TLS/SSL wrapper for socket objects
19 --------------
23 sockets, both client-side and server-side. This module uses the OpenSSL
38 Don't use this module without reading the :ref:`ssl-security`. Doing so
48 :class:`socket.socket` type, and provides a socket-like wrapper that also
49 encrypts and decrypts the data going over the socket with SSL. It supports
60 ------------------------------------
66 higher-level encryption and authentication layer that's superimposed on the
98 A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket
99 <ssl-nonblocking>` when trying to read or write data, but more data needs
107 A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket
108 <ssl-nonblocking>` when trying to read or write data, but more data needs
149 :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported.
151 For client-side sockets, the context construction is lazy; if the
154 server-side sockets, if the socket has no remote peer, it is assumed
155 to be a listening socket, and the server-side SSL wrapping is
161 connection. See the discussion of :ref:`ssl-certificates` for more
165 server-side or client-side behavior is desired from this socket.
178 :ref:`ssl-certificates` for more information about how to arrange the
185 :data:`PROTOCOL_SSLv23`; it provides the most compatibility with other
195 ------------------------ --------- --------- ---------- --------- ----------- -----------
205 .. [1] TLS 1.3 protocol will be available with :data:`PROTOCOL_SSLv23` in
256 The settings are: :data:`PROTOCOL_SSLv23`, :data:`OP_NO_SSLv2`, and
257 :data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and
258 without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH`
259 as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED`
277 :data:`OP_NO_SSLv3`. SSL3.0 is widely considered to be `completely broken
279 use this function but still allow SSL 3.0 connections you can re-enable
319 servers using self-signed certificates, servers using certificates signed
327 on a case-by-case basis by explicitly passing in a suitably configured SSL
335 * `CVE-2014-9365 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365>`_
336 -- HTTPS man-in-the-middle attack against Python clients using default settings
337 * :pep:`476` -- Enabling certificate verification by default for HTTPS
338 * :pep:`493` -- HTTPS verification migration tools for Python 2.7
352 Return ``True`` if the SSL pseudo-random number generator has been seeded
355 the pseudo-random number generator.
359 If you are running an entropy-gathering daemon (EGD) somewhere, and *path*
361 of randomness from the socket, and add it to the SSL pseudo-random number
366 of entropy-gathering daemons.
372 Mix the given *bytes* into the SSL pseudo-random number generator. The
387 checking the identity of servers in various SSL-based protocols such as
421 2018-01-05 09:34:43
433 Given the address ``addr`` of an SSL-protected server, as a (*hostname*,
434 *port-number*) pair, fetches the server's certificate, and returns it as a
435 PEM-encoded string. If ``ssl_version`` is specified, uses that version of
437 specified, it should be a file containing a list of root certificates, the
439 will attempt to validate the server certificate against that set of root
444 This function is now IPv6-compatible, and the default *ssl_version* is
445 changed from :data:`PROTOCOL_SSLv3` to :data:`PROTOCOL_SSLv23` for
450 Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded
455 Given a certificate as an ASCII PEM string, returns a DER-encoded sequence of
465 * :attr:`cafile` - resolved path to cafile or ``None`` if the file doesn't exist,
466 * :attr:`capath` - resolved path to capath or ``None`` if the directory doesn't exist,
467 * :attr:`openssl_cafile_env` - OpenSSL's environment key that points to a cafile,
468 * :attr:`openssl_cafile` - hard coded path to a cafile,
469 * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath,
470 * :attr:`openssl_capath` - hard coded path to a capath directory
480 one of ``CA``, ``ROOT`` or ``MY``. Windows may provide additional cert
485 :const:`x509_asn` for X.509 ASN.1 data or :const:`pkcs_7_asn` for
486 PKCS#7 ASN.1 data. Trust specifies the purpose of the certificate as a set
493 [(b'data...', 'x509_asn', {'1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'}),
494 (b'data...', 'x509_asn', True)]
503 one of ``CA``, ``ROOT`` or ``MY``. Windows may provide additional cert
508 :const:`x509_asn` for X.509 ASN.1 data or :const:`pkcs_7_asn` for
509 PKCS#7 ASN.1 data.
519 .. data:: CERT_NONE
527 See the discussion of :ref:`ssl-security` below.
529 .. data:: CERT_OPTIONAL
541 .. data:: CERT_REQUIRED
552 .. data:: VERIFY_DEFAULT
560 .. data:: VERIFY_CRL_CHECK_LEAF
570 .. data:: VERIFY_CRL_CHECK_CHAIN
577 .. data:: VERIFY_X509_STRICT
584 .. data:: VERIFY_X509_TRUSTED_FIRST
592 .. data:: PROTOCOL_TLS
599 .. data:: PROTOCOL_SSLv23
605 .. data:: PROTOCOL_SSLv2
618 .. data:: PROTOCOL_SSLv3
634 .. data:: PROTOCOL_TLSv1
643 .. data:: PROTOCOL_TLSv1_1
655 .. data:: PROTOCOL_TLSv1_2
669 .. data:: OP_ALL
677 .. data:: OP_NO_SSLv2
685 .. data:: OP_NO_SSLv3
693 .. data:: OP_NO_TLSv1
701 .. data:: OP_NO_TLSv1_1
709 .. data:: OP_NO_TLSv1_2
717 .. data:: OP_NO_TLSv1_3
727 .. data:: OP_CIPHER_SERVER_PREFERENCE
734 .. data:: OP_SINGLE_DH_USE
736 Prevents re-use of the same DH key for distinct SSL sessions. This
742 .. data:: OP_SINGLE_ECDH_USE
744 Prevents re-use of the same ECDH key for distinct SSL sessions. This
750 .. data:: OP_NO_COMPRESSION
759 .. data:: HAS_ALPN
761 Whether the OpenSSL library has built-in support for the *Application-Layer
766 .. data:: HAS_ECDH
768 Whether the OpenSSL library has built-in support for Elliptic Curve-based
769 Diffie-Hellman key exchange. This should be true unless the feature was
774 .. data:: HAS_SNI
776 Whether the OpenSSL library has built-in support for the *Server Name
781 .. data:: HAS_NPN
783 Whether the OpenSSL library has built-in support for *Next Protocol
785 <https://tools.ietf.org/html/draft-agl-tls-nextprotoneg>`_. When true,
791 .. data:: HAS_TLSv1_3
793 Whether the OpenSSL library has built-in support for the TLS 1.3 protocol.
797 .. data:: CHANNEL_BINDING_TYPES
804 .. data:: OPENSSL_VERSION
813 .. data:: OPENSSL_VERSION_INFO
823 .. data:: OPENSSL_VERSION_NUMBER
834 .. data:: ALERT_DESCRIPTION_HANDSHAKE_FAILURE
839 <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6>`_
847 .. data:: Purpose.SERVER_AUTH
852 be used to create client-side sockets).
856 .. data:: Purpose.CLIENT_AUTH
861 be used to create server-side sockets).
867 -----------
869 SSL sockets provide the following methods of :ref:`socket-objects`:
871 - :meth:`~socket.socket.accept()`
872 - :meth:`~socket.socket.bind()`
873 - :meth:`~socket.socket.close()`
874 - :meth:`~socket.socket.connect()`
875 - :meth:`~socket.socket.fileno()`
876 - :meth:`~socket.socket.getpeername()`, :meth:`~socket.socket.getsockname()`
877 - :meth:`~socket.socket.getsockopt()`, :meth:`~socket.socket.setsockopt()`
878 - :meth:`~socket.socket.gettimeout()`, :meth:`~socket.socket.settimeout()`,
880 - :meth:`~socket.socket.listen()`
881 - :meth:`~socket.socket.makefile()`
882 - :meth:`~socket.socket.recv()`, :meth:`~socket.socket.recv_into()`
883 (but passing a non-zero ``flags`` argument is not allowed)
884 - :meth:`~socket.socket.send()`, :meth:`~socket.socket.sendall()` (with
886 - :meth:`~socket.socket.shutdown()`
890 the specification of normal, OS-level sockets. See especially the
891 :ref:`notes on non-blocking sockets <ssl-nonblocking>`.
921 of relative distinguished names (RDNs) given in the certificate's data
923 name-value pairs. Here is a real-world example::
934 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
941 'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),
950 provided, this method returns the DER-encoded form of the entire certificate
971 Returns a three-value tuple containing the name of the cipher being used, the
980 If the higher-level protocol supports its own compression mechanism,
981 you can use :data:`OP_NO_COMPRESSION` to disable SSL-level compression.
985 .. method:: SSLSocket.get_channel_binding(cb_type="tls-unique")
987 Get channel binding data for current connection, as a bytes object. Returns
992 :data:`CHANNEL_BINDING_TYPES` list. Currently only the 'tls-unique' channel
1010 Return the higher-level protocol that was selected during the TLS/SSL
1038 socket was created using the top-level :func:`wrap_socket` function
1046 ------------
1050 An SSL context holds various data longer-lived than single SSL connections,
1052 It also manages a cache of SSL sessions for server-side sockets, in order
1059 :data:`PROTOCOL_SSLv23` is currently recommended for maximum
1089 :ref:`ssl-certificates` for more information on how the certificate
1096 a string it will be encoded as UTF-8 before using it to decrypt the key.
1102 OpenSSL's built-in password prompting mechanism will be used to
1112 ``ROOT`` system stores. On other systems it calls
1117 default settings :data:`Purpose.SERVER_AUTH` loads certificates, that are
1119 sockets). :data:`Purpose.CLIENT_AUTH` loads CA certificates for client
1125 other peers' certificates when :data:`verify_mode` is other than
1126 :data:`CERT_NONE`. At least one of *cafile* or *capath* must be specified.
1134 :ref:`ssl-certificates` for more information about how to arrange the
1143 PEM-encoded certificates or a bytes-like object of DER-encoded
1144 certificates. Like with *capath* extra lines around PEM-encoded
1152 the method returns a list of DER-encoded certificates. The returned list
1174 If no cipher can be selected (because compile-time options or other
1189 return the agreed-upon protocol.
1191 This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is
1206 <https://tools.ietf.org/html/draft-agl-tls-nextprotoneg>`_. After a
1208 return the agreed-upon protocol.
1210 This method will raise :exc:`NotImplementedError` if :data:`HAS_NPN` is
1218 is specified in :rfc:`6066` section 3 - Server Name Indication.
1263 Load the key generation parameters for Diffie-Hellman (DH) key exchange.
1270 :data:`OP_SINGLE_DH_USE` option to further improve security.
1274 Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key
1277 a well-known elliptic curve, for example ``prime256v1`` for a widely
1281 :data:`OP_SINGLE_ECDH_USE` option to further improve security.
1283 This method is not available if :data:`HAS_ECDH` is ``False``.
1286 …S & Perfect Forward Secrecy <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.htm…
1294 object. *sock* must be a :data:`~socket.SOCK_STREAM` socket; other socket
1299 and *suppress_ragged_eofs* have the same meaning as in the top-level
1304 single server to host multiple SSL-based services with distinct certificates,
1328 :attr:`~SSLContext.verify_mode` must be set to :data:`CERT_OPTIONAL` or
1329 :data:`CERT_REQUIRED`, and you must pass *server_hostname* to
1352 The default value is :data:`OP_ALL`, but you can specify other options
1353 such as :data:`OP_NO_SSLv2` by ORing them together.
1363 is read-only.
1368 :data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL
1376 :data:`CERT_NONE`, :data:`CERT_OPTIONAL` or :data:`CERT_REQUIRED`.
1383 .. _ssl-certificates:
1386 ------------
1388 Certificates in general are part of a public-key / private-key system. In this
1390 organization) is assigned a unique two-part encryption key. One part of the key
1417 (see :rfc:`1422`), which is a base-64 encoded form wrapped with a header line
1420 -----BEGIN CERTIFICATE-----
1422 -----END CERTIFICATE-----
1432 you get to a certificate which is *self-signed*, that is, a certificate which
1433 has the same subject and issuer, sometimes called a *root certificate*. The
1437 certificate, to the root certificate of the agency which issued the
1440 -----BEGIN CERTIFICATE-----
1442 -----END CERTIFICATE-----
1443 -----BEGIN CERTIFICATE-----
1445 -----END CERTIFICATE-----
1446 -----BEGIN CERTIFICATE-----
1447 ... (the root certificate for the CA's issuer)...
1448 -----END CERTIFICATE-----
1470 -----BEGIN RSA PRIVATE KEY-----
1472 -----END RSA PRIVATE KEY-----
1473 -----BEGIN CERTIFICATE-----
1475 -----END CERTIFICATE-----
1477 Self-signed certificates
1480 If you are going to create a server that provides SSL-encrypted connection
1483 certification authority. Another common practice is to generate a self-signed
1487 % openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
1492 -----
1499 -----
1501 State or Province Name (full name) [Some-State]:MyState
1509 The disadvantage of a self-signed certificate is that it is its own root
1511 root certificates.
1515 --------
1530 Client-side operation
1545 >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
1548 certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an
1570 'crlDistributionPoints': ('http://crl3.digicert.com/sha2-ev-server-g1.crl',
1571 'http://crl4.digicert.com/sha2-ev-server-g1.crl'),
1584 (('postalCode', '03894-4801'),),
1590 'subjectAltName': (('DNS', 'www.python.org'),
1591 ('DNS', 'python.org'),
1592 ('DNS', 'pypi.org'),
1593 ('DNS', 'docs.python.org'),
1594 ('DNS', 'testpypi.python.org'),
1595 ('DNS', 'bugs.python.org'),
1596 ('DNS', 'wiki.python.org'),
1597 ('DNS', 'hg.python.org'),
1598 ('DNS', 'mail.python.org'),
1599 ('DNS', 'packaging.python.org'),
1600 ('DNS', 'pythonhosted.org'),
1601 ('DNS', 'www.pythonhosted.org'),
1602 ('DNS', 'test.pythonhosted.org'),
1603 ('DNS', 'us.pycon.org'),
1604 ('DNS', 'id.python.org')),
1615 b'Content-Type: text/html; charset=utf-8',
1616 b'X-Frame-Options: SAMEORIGIN',
1617 b'Content-Length: 45679',
1618 b'Accept-Ranges: bytes',
1621 b'X-Served-By: cache-lcy1134-LCY',
1622 b'X-Cache: HIT',
1623 b'X-Cache-Hits: 11',
1625 b'Strict-Transport-Security: max-age=63072000; includeSubDomains',
1630 See the discussion of :ref:`ssl-security` below.
1633 Server-side operation
1653 method to create a server-side SSL socket for the connection::
1664 Then you'll read data from the ``connstream`` and do something with it till you
1668 data = connstream.read()
1669 # null data means the client is finished with us
1670 while data:
1671 if not do_something(connstream, data):
1675 data = connstream.read()
1680 the sockets in non-blocking mode and use an event loop).
1683 .. _ssl-nonblocking:
1685 Notes on non-blocking sockets
1686 -----------------------------
1688 When working with non-blocking sockets, there are several things you need
1691 - Calling :func:`~select.select` tells you that the OS-level socket can be
1693 data at the upper SSL layer. For example, only part of an SSL frame might
1698 - Conversely, since the SSL layer has its own framing, an SSL socket may
1699 still have data available for reading without :func:`~select.select`
1701 :meth:`SSLSocket.recv` to drain any potentially available data, and then
1707 - The SSL handshake itself will be non-blocking: the
1722 .. _ssl-security:
1725 -----------------------
1765 (rather than using a higher-level authentication mechanism), you'll also have
1780 disable SSLv2 and SSLv3 explicitly using the :data:`SSLContext.options`
1793 If you have advanced security requirements, fine-tuning of the ciphers
1798 about the `cipher list format <https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT>`_.
1802 Multi-processing
1805 If using this module as part of a multi-processed application (using,
1814 .. ssl-libressl:
1817 ----------------
1839 …`RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Manage…
1849 Blake-Wilson et al.
1857 …ayer Security (TLS) Parameters <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml…