Lines Matching +full:libressl +full:- +full:version
1 :mod:`ssl` --- TLS/SSL wrapper for socket objects
19 --------------
23 sockets, both client-side and server-side. This module uses the OpenSSL
33 operating system socket APIs. The installed version of OpenSSL may also
35 openssl version 1.0.1.
38 Don't use this module without reading the :ref:`ssl-security`. Doing so
48 :class:`socket.socket` type, and provides a socket-like wrapper that also
60 ------------------------------------
66 higher-level encryption and authentication layer that's superimposed on the
76 values depends on the OpenSSL version.
84 values depends on the OpenSSL version.
98 A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket
99 <ssl-nonblocking>` when trying to read or write data, but more data needs
107 A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket
108 <ssl-nonblocking>` when trying to read or write data, but more data needs
151 For client-side sockets, the context construction is lazy; if the
154 server-side sockets, if the socket has no remote peer, it is assumed
155 to be a listening socket, and the server-side SSL wrapping is
161 connection. See the discussion of :ref:`ssl-certificates` for more
165 server-side or client-side behavior is desired from this socket.
178 :ref:`ssl-certificates` for more information about how to arrange the
181 The parameter ``ssl_version`` specifies which version of the SSL protocol to
182 use. Typically, the server chooses a particular protocol version, and the
195 … ------------------------ --------- --------- ---------- --------- ----------- -----------
211 Which connections succeed will vary depending on the version of
279 use this function but still allow SSL 3.0 connections you can re-enable
319 servers using self-signed certificates, servers using certificates signed
327 on a case-by-case basis by explicitly passing in a suitably configured SSL
335 * `CVE-2014-9365 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365>`_
336 -- HTTPS man-in-the-middle attack against Python clients using default settings
337 * :pep:`476` -- Enabling certificate verification by default for HTTPS
338 * :pep:`493` -- HTTPS verification migration tools for Python 2.7
352 Return ``True`` if the SSL pseudo-random number generator has been seeded
355 the pseudo-random number generator.
359 If you are running an entropy-gathering daemon (EGD) somewhere, and *path*
361 of randomness from the socket, and add it to the SSL pseudo-random number
366 of entropy-gathering daemons.
368 Availability: not available with LibreSSL and OpenSSL > 1.1.0
372 Mix the given *bytes* into the SSL pseudo-random number generator. The
387 checking the identity of servers in various SSL-based protocols such as
421 2018-01-05 09:34:43
433 Given the address ``addr`` of an SSL-protected server, as a (*hostname*,
434 *port-number*) pair, fetches the server's certificate, and returns it as a
435 PEM-encoded string. If ``ssl_version`` is specified, uses that version of
444 This function is now IPv6-compatible, and the default *ssl_version* is
450 Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded
451 string version of the same certificate.
455 Given a certificate as an ASCII PEM string, returns a DER-encoded sequence of
465 * :attr:`cafile` - resolved path to cafile or ``None`` if the file doesn't exist,
466 * :attr:`capath` - resolved path to capath or ``None`` if the directory doesn't exist,
467 * :attr:`openssl_cafile_env` - OpenSSL's environment key that points to a cafile,
468 * :attr:`openssl_cafile` - hard coded path to a cafile,
469 * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath,
470 * :attr:`openssl_capath` - hard coded path to a capath directory
472 Availability: LibreSSL ignores the environment vars
527 See the discussion of :ref:`ssl-security` below.
594 Selects the highest protocol version that both the client and server support.
607 Selects SSL version 2 as the channel encryption protocol.
614 SSL version 2 is insecure. Its use is highly discouraged.
620 Selects SSL version 3 as the channel encryption protocol.
627 SSL version 3 is insecure. Its use is highly discouraged.
631 OpenSSL has deprecated all version specific protocols. Use the default
636 Selects TLS version 1.0 as the channel encryption protocol.
640 OpenSSL has deprecated all version specific protocols. Use the default
645 Selects TLS version 1.1 as the channel encryption protocol.
646 Available only with openssl version 1.0.1+.
652 OpenSSL has deprecated all version specific protocols. Use the default
657 Selects TLS version 1.2 as the channel encryption protocol. This is the
658 most modern version, and probably the best choice for maximum protection,
659 if both sides can speak it. Available only with openssl version 1.0.1+.
665 OpenSSL has deprecated all version specific protocols. Use the default
681 choosing SSLv2 as the protocol version.
689 choosing SSLv3 as the protocol version.
697 choosing TLSv1 as the protocol version.
705 the protocol version. Available only with openssl version 1.0.1+.
713 the protocol version. Available only with openssl version 1.0.1+.
721 the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later.
722 When Python has been compiled against an older version of OpenSSL, the
736 Prevents re-use of the same DH key for distinct SSL sessions. This
744 Prevents re-use of the same ECDH key for distinct SSL sessions. This
761 Whether the OpenSSL library has built-in support for the *Application-Layer
768 Whether the OpenSSL library has built-in support for Elliptic Curve-based
769 Diffie-Hellman key exchange. This should be true unless the feature was
776 Whether the OpenSSL library has built-in support for the *Server Name
783 Whether the OpenSSL library has built-in support for *Next Protocol
785 <https://tools.ietf.org/html/draft-agl-tls-nextprotoneg>`_. When true,
793 Whether the OpenSSL library has built-in support for the TLS 1.3 protocol.
806 The version string of the OpenSSL library loaded by the interpreter::
815 A tuple of five integers representing version information about the
825 The raw version number of the OpenSSL library, as a single integer::
839 <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6>`_
852 be used to create client-side sockets).
861 be used to create server-side sockets).
867 -----------
869 SSL sockets provide the following methods of :ref:`socket-objects`:
871 - :meth:`~socket.socket.accept()`
872 - :meth:`~socket.socket.bind()`
873 - :meth:`~socket.socket.close()`
874 - :meth:`~socket.socket.connect()`
875 - :meth:`~socket.socket.fileno()`
876 - :meth:`~socket.socket.getpeername()`, :meth:`~socket.socket.getsockname()`
877 - :meth:`~socket.socket.getsockopt()`, :meth:`~socket.socket.setsockopt()`
878 - :meth:`~socket.socket.gettimeout()`, :meth:`~socket.socket.settimeout()`,
880 - :meth:`~socket.socket.listen()`
881 - :meth:`~socket.socket.makefile()`
882 - :meth:`~socket.socket.recv()`, :meth:`~socket.socket.recv_into()`
883 (but passing a non-zero ``flags`` argument is not allowed)
884 - :meth:`~socket.socket.send()`, :meth:`~socket.socket.sendall()` (with
886 - :meth:`~socket.socket.shutdown()`
890 the specification of normal, OS-level sockets. See especially the
891 :ref:`notes on non-blocking sockets <ssl-nonblocking>`.
923 name-value pairs. Here is a real-world example::
934 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
942 'version': 3}
950 provided, this method returns the DER-encoded form of the entire certificate
971 Returns a three-value tuple containing the name of the cipher being used, the
972 version of the SSL protocol that defines its use, and the number of secret
980 If the higher-level protocol supports its own compression mechanism,
981 you can use :data:`OP_NO_COMPRESSION` to disable SSL-level compression.
985 .. method:: SSLSocket.get_channel_binding(cb_type="tls-unique")
992 :data:`CHANNEL_BINDING_TYPES` list. Currently only the 'tls-unique' channel
1010 Return the higher-level protocol that was selected during the TLS/SSL
1025 .. method:: SSLSocket.version()
1027 Return the actual SSL protocol version negotiated by the connection
1038 socket was created using the top-level :func:`wrap_socket` function
1046 ------------
1050 An SSL context holds various data longer-lived than single SSL connections,
1052 It also manages a cache of SSL sessions for server-side sockets, in order
1089 :ref:`ssl-certificates` for more information on how the certificate
1096 a string it will be encoded as UTF-8 before using it to decrypt the key.
1102 OpenSSL's built-in password prompting mechanism will be used to
1134 :ref:`ssl-certificates` for more information about how to arrange the
1143 PEM-encoded certificates or a bytes-like object of DER-encoded
1144 certificates. Like with *capath* extra lines around PEM-encoded
1152 the method returns a list of DER-encoded certificates. The returned list
1174 If no cipher can be selected (because compile-time options or other
1189 return the agreed-upon protocol.
1206 <https://tools.ietf.org/html/draft-agl-tls-nextprotoneg>`_. After a
1208 return the agreed-upon protocol.
1218 is specified in :rfc:`6066` section 3 - Server Name Indication.
1263 Load the key generation parameters for Diffie-Helman (DH) key exchange.
1274 Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key
1277 a well-known elliptic curve, for example ``prime256v1`` for a widely
1286 …S & Perfect Forward Secrecy <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.htm…
1299 and *suppress_ragged_eofs* have the same meaning as in the top-level
1304 single server to host multiple SSL-based services with distinct certificates,
1362 The protocol version chosen when constructing the context. This attribute
1363 is read-only.
1370 Available only with openssl version 0.9.8+.
1383 .. _ssl-certificates:
1386 ------------
1388 Certificates in general are part of a public-key / private-key system. In this
1390 organization) is assigned a unique two-part encryption key. One part of the key
1417 (see :rfc:`1422`), which is a base-64 encoded form wrapped with a header line
1420 -----BEGIN CERTIFICATE-----
1422 -----END CERTIFICATE-----
1432 you get to a certificate which is *self-signed*, that is, a certificate which
1440 -----BEGIN CERTIFICATE-----
1442 -----END CERTIFICATE-----
1443 -----BEGIN CERTIFICATE-----
1445 -----END CERTIFICATE-----
1446 -----BEGIN CERTIFICATE-----
1448 -----END CERTIFICATE-----
1470 -----BEGIN RSA PRIVATE KEY-----
1472 -----END RSA PRIVATE KEY-----
1473 -----BEGIN CERTIFICATE-----
1475 -----END CERTIFICATE-----
1477 Self-signed certificates
1480 If you are going to create a server that provides SSL-encrypted connection
1483 certification authority. Another common practice is to generate a self-signed
1487 % openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
1492 -----
1499 -----
1501 State or Province Name (full name) [Some-State]:MyState
1509 The disadvantage of a self-signed certificate is that it is its own root
1515 --------
1530 Client-side operation
1545 >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
1548 certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an
1570 'crlDistributionPoints': ('http://crl3.digicert.com/sha2-ev-server-g1.crl',
1571 'http://crl4.digicert.com/sha2-ev-server-g1.crl'),
1584 (('postalCode', '03894-4801'),),
1605 'version': 3}
1615 b'Content-Type: text/html; charset=utf-8',
1616 b'X-Frame-Options: SAMEORIGIN',
1617 b'Content-Length: 45679',
1618 b'Accept-Ranges: bytes',
1621 b'X-Served-By: cache-lcy1134-LCY',
1622 b'X-Cache: HIT',
1623 b'X-Cache-Hits: 11',
1625 b'Strict-Transport-Security: max-age=63072000; includeSubDomains',
1630 See the discussion of :ref:`ssl-security` below.
1633 Server-side operation
1653 method to create a server-side SSL socket for the connection::
1680 the sockets in non-blocking mode and use an event loop).
1683 .. _ssl-nonblocking:
1685 Notes on non-blocking sockets
1686 -----------------------------
1688 When working with non-blocking sockets, there are several things you need
1691 - Calling :func:`~select.select` tells you that the OS-level socket can be
1698 - Conversely, since the SSL layer has its own framing, a SSL socket may
1707 - The SSL handshake itself will be non-blocking: the
1722 .. _ssl-security:
1725 -----------------------
1765 (rather than using a higher-level authentication mechanism), you'll also have
1779 recommended to use :const:`PROTOCOL_SSLv23` as the protocol version and then
1793 If you have advanced security requirements, fine-tuning of the ciphers
1798 about the `cipher list format <https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT>`_.
1802 Multi-processing
1805 If using this module as part of a multi-processed application (using,
1814 .. ssl-libressl:
1816 LibreSSL support
1817 ----------------
1819 LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for
1820 LibreSSL. Some features are not available when the ssl module is compiled
1821 with LibreSSL.
1823 * LibreSSL >= 2.6.1 no longer supports NPN. The methods
1839 …`RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Manage…
1849 Blake-Wilson et. al.
1851 …`RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 <https://tools.ietf.org/html/rf…
1857 …ayer Security (TLS) Parameters <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml…