twisted.internet.ssl.CertificateOptions

_options =

Any option flags to set on the OpenSSL.SSL.Context object that will be created. (type: int)

_cipherString =

An OpenSSL-specific cipher string. (type: unicode)

_defaultMinimumTLSVersion =

The default TLS version that will be negotiated. This should be a "safe default", with wide client and server support, vs an optimally secure one that excludes a large number of users. As of late 2016, TLSv1.0 is that safe default. (type: TLSVersion constant)

@_mutuallyExclusiveArguments([['trustRoot', 'requireCertificate'], ['trustRoot', 'verify'], ['trustRoot', 'caCerts'], ['method', 'insecurelyLowerMinimumTo'], ['method', 'raiseMinimumTo'], ['raiseMinimumTo', 'insecurelyLowerMinimumTo'], ['method', 'lowerMaximumSecurityTo']])
def __init__(self, privateKey=None, certificate=None, method=None, verify=False, caCerts=None, verifyDepth=9, requireCertificate=True, verifyOnce=True, enableSingleUseKeys=True, enableSessions=True, fixBrokenPeers=False, enableSessionTickets=False, extraCertChain=None, acceptableCiphers=None, dhParameters=None, trustRoot=None, acceptableProtocols=None, raiseMinimumTo=None, insecurelyLowerMinimumTo=None, lowerMaximumSecurityTo=None):

Create an OpenSSL context SSL connection context factory.

Parameters	privateKey	A PKey object holding the private key.
	certificate	An X509 object holding the certificate.
	method	Deprecated, use a combination of `insecurelyLowerMinimumTo`, `raiseMinimumTo`, or `lowerMaximumSecurityTo` instead. The SSL protocol to use, one of `SSLv23_METHOD`, `SSLv2_METHOD`, `SSLv3_METHOD`, `TLSv1_METHOD` (or any other method constants provided by pyOpenSSL). By default, a setting will be used which allows TLSv1.0, TLSv1.1, and TLSv1.2. Can not be used with `insecurelyLowerMinimumTo`, `raiseMinimumTo`, or `lowerMaximumSecurityTo`
	verify	Please use a `trustRoot` keyword argument instead, since it provides the same functionality in a less error-prone way. By default this is `False`. If `True`, verify certificates received from the peer and fail the handshake if verification fails. Otherwise, allow anonymous sessions and sessions with certificates which fail validation.
	caCerts	Please use a `trustRoot` keyword argument instead, since it provides the same functionality in a less error-prone way. List of certificate authority certificate objects to use to verify the peer's certificate. Only used if verify is `True` and will be ignored otherwise. Since verify is `False` by default, this is `None` by default. (type: `list` of `OpenSSL.crypto.X509`)
	verifyDepth	Depth in certificate chain down to which to verify. If unspecified, use the underlying default (9).
	requireCertificate	Please use a `trustRoot` keyword argument instead, since it provides the same functionality in a less error-prone way. If `True`, do not allow anonymous sessions; defaults to `True`.
	verifyOnce	If True, do not re-verify the certificate on session resumption.
	enableSingleUseKeys	If `True`, generate a new key whenever ephemeral DH and ECDH parameters are used to prevent small subgroup attacks and to ensure perfect forward secrecy.
	enableSessions	If True, set a session ID on each context. This allows a shortened handshake to be used when a known client reconnects.
	fixBrokenPeers	If True, enable various non-spec protocol fixes for broken SSL implementations. This should be entirely safe, according to the OpenSSL documentation, but YMMV. This option is now off by default, because it causes problems with connections between peers using OpenSSL 0.9.8a.
	enableSessionTickets	If `True`, enable session ticket extension for session resumption per RFC 5077. Note there is no support for controlling session tickets. This option is off by default, as some server implementations don't correctly process incoming empty session ticket extensions in the hello.
	extraCertChain	List of certificates that complete your verification chain if the certificate authority that signed your `certificate` isn't widely supported. Do not add `certificate` to it. (type: `list` of `OpenSSL.crypto.X509`)
	acceptableCiphers	Ciphers that are acceptable for connections. Uses a secure default if left `None`. (type: `IAcceptableCiphers`)
	dhParameters	Key generation parameters that are required for Diffie-Hellman key exchange. If this argument is left `None`, `EDH` ciphers are disabled regardless of `acceptableCiphers`. (type: `DiffieHellmanParameters`)
	trustRoot	Specification of trust requirements of peers. If this argument is specified, the peer is verified. It requires a certificate, and that certificate must be signed by one of the certificate authorities specified by this object. Note that since this option specifies the same information as `caCerts`, `verify`, and `requireCertificate`, specifying any of those options in combination with this one will raise a `TypeError`. (type: `IOpenSSLTrustRoot`)
	acceptableProtocols	The protocols this peer is willing to speak after the TLS negotiation has completed, advertised over both ALPN and NPN. If this argument is specified, and no overlap can be found with the other peer, the connection will fail to be established. If the remote peer does not offer NPN or ALPN, the connection will be established, but no protocol wil be negotiated. Protocols earlier in the list are preferred over those later in the list. (type: `list` of `bytes`)
	raiseMinimumTo	The minimum TLS version that you want to use, or Twisted's default if it is higher. Use this if you want to make your client/server more secure than Twisted's default, but will accept Twisted's default instead if it moves higher than this value. You probably want to use this over `insecurelyLowerMinimumTo`. (type: `TLSVersion` constant)
	insecurelyLowerMinimumTo	The minimum TLS version to use, possibly lower than Twisted's default. If not specified, it is a generally considered safe default (TLSv1.0). If you want to raise your minimum TLS version to above that of this default, use `raiseMinimumTo`. DO NOT use this argument unless you are absolutely sure this is what you want. (type: `TLSVersion` constant)
	lowerMaximumSecurityTo	The maximum TLS version to use. If not specified, it is the most recent your OpenSSL supports. You only want to set this if the peer that you are communicating with has problems with more recent TLS versions, it lowers your security when communicating with newer peers. DO NOT use this argument unless you are absolutely sure this is what you want. (type: `TLSVersion` constant)
Raises	ValueError	when `privateKey` or `certificate` are set without setting the respective other.
	ValueError	when `verify` is `True` but `caCerts` doesn't specify any CA certificates.
	ValueError	when `extraCertChain` is passed without specifying `privateKey` or `certificate`.
	ValueError	when `acceptableCiphers` doesn't yield any usable ciphers for the current platform.
	TypeError	if `trustRoot` is passed in combination with `caCert`, `verify`, or `requireCertificate`. Please prefer `trustRoot` in new code, as its semantics are less tricky.
	TypeError	if `method` is passed in combination with `tlsProtocols`. Please prefer the more explicit `tlsProtocols` in new code.
	NotImplementedError	If acceptableProtocols were provided but no negotiation mechanism is available.

def __getstate__(self):

Undocumented

def __setstate__(self, state):

Undocumented

def getContext(self):

from twisted.internet.interfaces.IOpenSSLContextFactory

Return an OpenSSL.SSL.Context object.

def _makeContext(self):

Undocumented

Method	__init__	Create an OpenSSL context SSL connection context factory.
Method	__getstate__	Undocumented
Method	__setstate__	Undocumented
Method	getContext	Return an `OpenSSL.SSL.Context` object.
Instance Variable	_options	Any option flags to set on the `OpenSSL.SSL.Context` object that will be created. (type: `int`)
Instance Variable	_cipherString	An OpenSSL-specific cipher string. (type: `unicode`)
Instance Variable	_defaultMinimumTLSVersion	The default TLS version that will be negotiated. This should be a "safe default", with wide client and server support, vs an optimally secure one that excludes a large number of users. As of late 2016, TLSv1.0 is that safe default. (type: `TLSVersion` constant)
Method	_makeContext	Undocumented

twisted.internet.ssl.CertificateOptions(object) class documentation

`twisted.internet.ssl.CertificateOptions(object)` class documentation