Lines Matching +full:libressl +full:- +full:portable

1 :mod:`ssl` --- TLS/SSL wrapper for socket objects
19 --------------
23 sockets, both client-side and server-side. This module uses the OpenSSL
38 Don't use this module without reading the :ref:`ssl-security`. Doing so
48 :class:`socket.socket` type, and provides a socket-like wrapper that also
60 ------------------------------------
66 higher-level encryption and authentication layer that's superimposed on the
98 A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket
99 <ssl-nonblocking>` when trying to read or write data, but more data needs
107 A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket
108 <ssl-nonblocking>` when trying to read or write data, but more data needs
151 For client-side sockets, the context construction is lazy; if the
154 server-side sockets, if the socket has no remote peer, it is assumed
155 to be a listening socket, and the server-side SSL wrapping is
161 connection. See the discussion of :ref:`ssl-certificates` for more
165 server-side or client-side behavior is desired from this socket.
178 :ref:`ssl-certificates` for more information about how to arrange the
195------------------------ --------- --------- ---------- --------- ----------- -----------
279 use this function but still allow SSL 3.0 connections you can re-enable
319 servers using self-signed certificates, servers using certificates signed
325 Python 2.7 implementations. The portable approach to bypassing certificate
327 on a case-by-case basis by explicitly passing in a suitably configured SSL
335 * `CVE-2014-9365 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365>`_
336 -- HTTPS man-in-the-middle attack against Python clients using default settings
337 * :pep:`476` -- Enabling certificate verification by default for HTTPS
338 * :pep:`493` -- HTTPS verification migration tools for Python 2.7
352 Return ``True`` if the SSL pseudo-random number generator has been seeded
355 the pseudo-random number generator.
359 If you are running an entropy-gathering daemon (EGD) somewhere, and *path*
361 of randomness from the socket, and add it to the SSL pseudo-random number
366 of entropy-gathering daemons.
368 Availability: not available with LibreSSL and OpenSSL > 1.1.0
372 Mix the given *bytes* into the SSL pseudo-random number generator. The
387 checking the identity of servers in various SSL-based protocols such as
421 2018-01-05 09:34:43
433 Given the address ``addr`` of an SSL-protected server, as a (*hostname*,
434 *port-number*) pair, fetches the server's certificate, and returns it as a
435 PEM-encoded string. If ``ssl_version`` is specified, uses that version of
444 This function is now IPv6-compatible, and the default *ssl_version* is
450 Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded
455 Given a certificate as an ASCII PEM string, returns a DER-encoded sequence of
465 * :attr:`cafile` - resolved path to cafile or ``None`` if the file doesn't exist,
466 * :attr:`capath` - resolved path to capath or ``None`` if the directory doesn't exist,
467 * :attr:`openssl_cafile_env` - OpenSSL's environment key that points to a cafile,
468 * :attr:`openssl_cafile` - hard coded path to a cafile,
469 * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath,
470 * :attr:`openssl_capath` - hard coded path to a capath directory
472 Availability: LibreSSL ignores the environment vars
527 See the discussion of :ref:`ssl-security` below.
736 Prevents re-use of the same DH key for distinct SSL sessions. This
744 Prevents re-use of the same ECDH key for distinct SSL sessions. This
761 Whether the OpenSSL library has built-in support for the *Application-Layer
768 Whether the OpenSSL library has built-in support for Elliptic Curve-based
769 Diffie-Hellman key exchange. This should be true unless the feature was
776 Whether the OpenSSL library has built-in support for the *Server Name
783 Whether the OpenSSL library has built-in support for *Next Protocol
785 <https://tools.ietf.org/html/draft-agl-tls-nextprotoneg>`_. When true,
793 Whether the OpenSSL library has built-in support for the TLS 1.3 protocol.
839 <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6>`_
852 be used to create client-side sockets).
861 be used to create server-side sockets).
867 -----------
869 SSL sockets provide the following methods of :ref:`socket-objects`:
871 - :meth:`~socket.socket.accept()`
872 - :meth:`~socket.socket.bind()`
873 - :meth:`~socket.socket.close()`
874 - :meth:`~socket.socket.connect()`
875 - :meth:`~socket.socket.fileno()`
876 - :meth:`~socket.socket.getpeername()`, :meth:`~socket.socket.getsockname()`
877 - :meth:`~socket.socket.getsockopt()`, :meth:`~socket.socket.setsockopt()`
878 - :meth:`~socket.socket.gettimeout()`, :meth:`~socket.socket.settimeout()`,
880 - :meth:`~socket.socket.listen()`
881 - :meth:`~socket.socket.makefile()`
882 - :meth:`~socket.socket.recv()`, :meth:`~socket.socket.recv_into()`
883 (but passing a non-zero ``flags`` argument is not allowed)
884 - :meth:`~socket.socket.send()`, :meth:`~socket.socket.sendall()` (with
886 - :meth:`~socket.socket.shutdown()`
890 the specification of normal, OS-level sockets. See especially the
891 :ref:`notes on non-blocking sockets <ssl-nonblocking>`.
923 name-value pairs. Here is a real-world example::
934 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
950 provided, this method returns the DER-encoded form of the entire certificate
971 Returns a three-value tuple containing the name of the cipher being used, the
980 If the higher-level protocol supports its own compression mechanism,
981 you can use :data:`OP_NO_COMPRESSION` to disable SSL-level compression.
985 .. method:: SSLSocket.get_channel_binding(cb_type="tls-unique")
992 :data:`CHANNEL_BINDING_TYPES` list. Currently only the 'tls-unique' channel
1010 Return the higher-level protocol that was selected during the TLS/SSL
1038 socket was created using the top-level :func:`wrap_socket` function
1046 ------------
1050 An SSL context holds various data longer-lived than single SSL connections,
1052 It also manages a cache of SSL sessions for server-side sockets, in order
1089 :ref:`ssl-certificates` for more information on how the certificate
1096 a string it will be encoded as UTF-8 before using it to decrypt the key.
1102 OpenSSL's built-in password prompting mechanism will be used to
1134 :ref:`ssl-certificates` for more information about how to arrange the
1143 PEM-encoded certificates or a bytes-like object of DER-encoded
1144 certificates. Like with *capath* extra lines around PEM-encoded
1152 the method returns a list of DER-encoded certificates. The returned list
1174 If no cipher can be selected (because compile-time options or other
1189 return the agreed-upon protocol.
1206 <https://tools.ietf.org/html/draft-agl-tls-nextprotoneg>`_. After a
1208 return the agreed-upon protocol.
1218 is specified in :rfc:`6066` section 3 - Server Name Indication.
1263 Load the key generation parameters for Diffie-Hellman (DH) key exchange.
1274 Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key
1277 a well-known elliptic curve, for example ``prime256v1`` for a widely
1286 …S & Perfect Forward Secrecy <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.htm…
1299 and *suppress_ragged_eofs* have the same meaning as in the top-level
1304 single server to host multiple SSL-based services with distinct certificates,
1363 is read-only.
1383 .. _ssl-certificates:
1386 ------------
1388 Certificates in general are part of a public-key / private-key system. In this
1390 organization) is assigned a unique two-part encryption key. One part of the key
1417 (see :rfc:`1422`), which is a base-64 encoded form wrapped with a header line
1420 -----BEGIN CERTIFICATE-----
1422 -----END CERTIFICATE-----
1432 you get to a certificate which is *self-signed*, that is, a certificate which
1440 -----BEGIN CERTIFICATE-----
1442 -----END CERTIFICATE-----
1443 -----BEGIN CERTIFICATE-----
1445 -----END CERTIFICATE-----
1446 -----BEGIN CERTIFICATE-----
1448 -----END CERTIFICATE-----
1470 -----BEGIN RSA PRIVATE KEY-----
1472 -----END RSA PRIVATE KEY-----
1473 -----BEGIN CERTIFICATE-----
1475 -----END CERTIFICATE-----
1477 Self-signed certificates
1480 If you are going to create a server that provides SSL-encrypted connection
1483 certification authority. Another common practice is to generate a self-signed
1487 % openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
1492 -----
1499 -----
1501 State or Province Name (full name) [Some-State]:MyState
1509 The disadvantage of a self-signed certificate is that it is its own root
1515 --------
1530 Client-side operation
1545 >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
1548 certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an
1570 'crlDistributionPoints': ('http://crl3.digicert.com/sha2-ev-server-g1.crl',
1571 'http://crl4.digicert.com/sha2-ev-server-g1.crl'),
1584 (('postalCode', '03894-4801'),),
1615 b'Content-Type: text/html; charset=utf-8',
1616 b'X-Frame-Options: SAMEORIGIN',
1617 b'Content-Length: 45679',
1618 b'Accept-Ranges: bytes',
1621 b'X-Served-By: cache-lcy1134-LCY',
1622 b'X-Cache: HIT',
1623 b'X-Cache-Hits: 11',
1625 b'Strict-Transport-Security: max-age=63072000; includeSubDomains',
1630 See the discussion of :ref:`ssl-security` below.
1633 Server-side operation
1653 method to create a server-side SSL socket for the connection::
1680 the sockets in non-blocking mode and use an event loop).
1683 .. _ssl-nonblocking:
1685 Notes on non-blocking sockets
1686 -----------------------------
1688 When working with non-blocking sockets, there are several things you need
1691 - Calling :func:`~select.select` tells you that the OS-level socket can be
1698 - Conversely, since the SSL layer has its own framing, a SSL socket may
1707 - The SSL handshake itself will be non-blocking: the
1722 .. _ssl-security:
1725 -----------------------
1765 (rather than using a higher-level authentication mechanism), you'll also have
1793 If you have advanced security requirements, fine-tuning of the ciphers
1798 about the `cipher list format <https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT>`_.
1802 Multi-processing
1805 If using this module as part of a multi-processed application (using,
1814 .. ssl-libressl:
1816 LibreSSL support
1817 ----------------
1819 LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for
1820 LibreSSL. Some features are not available when the ssl module is compiled
1821 with LibreSSL.
1823 * LibreSSL >= 2.6.1 no longer supports NPN. The methods
1839 …`RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Manage…
1849 Blake-Wilson et al.
1857 …ayer Security (TLS) Parameters <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml…