Class | SimpleVerificationError | Not a very useful verification error. |
Function | simpleVerifyHostname | Check only the common name in the certificate presented by the peer and only for an exact match. |
Function | simpleVerifyIPAddress | Always fails validation of IP addresses |
Class | CertBase | Base class for public (certificate only) and private (certificate + key pair) certificates. |
Class | PublicKey | A PublicKey
is a representation of the public part of a key pair. |
Interface | IOpenSSLTrustRoot | Trust settings for an OpenSSL context. |
Class | OpenSSLCertificateAuthorities | Trust an explicitly specified set of certificates, represented by a list
of OpenSSL.crypto.X509 objects. |
Class | ClientTLSOptions | Client creator for TLS. |
Class | OpenSSLCipher | A representation of an OpenSSL cipher. |
Function | _getExcludedTLSProtocols | Given a pair of TLSVersion
constants, figure out what versions we want to disable (as OpenSSL is an
exclusion based API). |
Function | _usablePyOpenSSL | Check pyOpenSSL version string whether we can use it for host verification. |
Function | _selectVerifyImplementation | Determine if service_identity is installed. If so, use it.
If not, use simplistic and incorrect checking as implemented in simpleVerifyHostname . |
Function | _handleattrhelper | No summary |
Function | _tolerateErrors | Wrap up an info_callback for pyOpenSSL so that if something
goes wrong the error is immediately logged and the connection is dropped if
possible. |
Function | _expandCipherString | Expand cipherString according to method and
options to a list of explicit ciphers that are supported by
the current platform. |
Class | _ChooseDiffieHellmanEllipticCurve | Chooses the best elliptic curve for Elliptic Curve Diffie-Hellman key
exchange, and provides a configureECDHCurve method to set the
curve, when appropriate, on a new OpenSSL.SSL.Context . |
Function | _setAcceptableProtocols | Called to set up the OpenSSL.SSL.Context for doing NPN
and/or ALPN negotiation. |
Given a pair of TLSVersion
constants, figure out what versions we want to disable (as OpenSSL is an
exclusion based API).
Parameters | oldest | The oldest TLSVersion we
want to allow. (type: TLSVersion
constant) |
newest | The newest TLSVersion we
want to allow, or None
for no upper limit. (type: TLSVersion
constant or None ) | |
Returns | The versions we want to disable. (type: list
of TLSVersion
constants.) |
Check only the common name in the certificate presented by the peer and only for an exact match.
This is to provide something in the way of hostname verification
to users who haven't installed service_identity
. This check is
overly strict, relies on a deprecated TLS feature (you're supposed to
ignore the commonName if the subjectAlternativeName extensions are present,
I believe), and lots of valid certificates will fail.
Parameters | connection | the OpenSSL connection to verify. (type: OpenSSL.SSL.Connection ) |
hostname | The hostname expected by the user. (type: unicode ) | |
Raises | twisted.internet.ssl.VerificationError | if the common name and hostname don't match. |
Always fails validation of IP addresses
Parameters | connection | the OpenSSL connection to verify. (type: OpenSSL.SSL.Connection ) |
hostname | The hostname expected by the user. (type: unicode ) | |
Raises | twisted.internet.ssl.VerificationError | Always raised |
Determine if service_identity
is installed. If so, use it.
If not, use simplistic and incorrect checking as implemented in simpleVerifyHostname
.
Returns | 2-tuple of (verify_hostname , VerificationError ) (type: tuple ) |
(private) Helper for Certificate.peerFromTransport
and Certificate.hostFromTransport
which checks for incompatible handle types and null certificates and raises
the appropriate exception or returns the appropriate certificate
object.
Wrap up an info_callback
for pyOpenSSL so that if something
goes wrong the error is immediately logged and the connection is dropped if
possible.
This wrapper exists because some versions of pyOpenSSL don't handle errors from callbacks at all, and those which do write tracebacks directly to stderr rather than to a supplied logging system. This reports unexpected errors to the Twisted logging system.
Also, this terminates the connection immediately if possible because if you've got bugs in your verification logic it's much safer to just give up.
Parameters | wrapped | A valid info_callback for pyOpenSSL. (type: callable ) |
Returns | A valid info_callback for pyOpenSSL that handles any errors in
wrapped . (type: callable ) |
Expand cipherString
according to method
and
options
to a list of explicit ciphers that are supported by
the current platform.
Parameters | cipherString | An OpenSSL cipher string to expand. (type: unicode ) |
method | An OpenSSL method like SSL.TLSv1_METHOD used for determining
the effective ciphers. | |
options | OpenSSL options like SSL.OP_NO_SSLv3 ORed together. (type: int ) | |
Returns | The effective list of explicit ciphers that results from the arguments on
the current platform. (type: list
of ICipher ) |
Called to set up the OpenSSL.SSL.Context
for doing NPN
and/or ALPN negotiation.
Parameters | context | The context which is set up. (type: OpenSSL.SSL.Context ) |
acceptableProtocols | The protocols this peer is willing to speak after the TLS negotiation has
completed, advertised over both ALPN and NPN. If this argument is
specified, and no overlap can be found with the other peer, the connection
will fail to be established. If the remote peer does not offer NPN or ALPN,
the connection will be established, but no protocol wil be negotiated.
Protocols earlier in the list are preferred over those later in the list. (type: list
of bytes ) |