twisted.internet.ssl.CertificateOptions(object)
class documentationtwisted.internet.ssl
(View In Hierarchy)
Implements interfaces: twisted.internet.interfaces.IOpenSSLContextFactory
A CertificateOptions
specifies the security properties for a client or server TLS connection
used with OpenSSL.
Method | __init__ | Create an OpenSSL context SSL connection context factory. |
Method | __getstate__ | Undocumented |
Method | __setstate__ | Undocumented |
Method | getContext | Return an OpenSSL.SSL.Context object. |
Instance Variable | _options | Any option flags to set on the OpenSSL.SSL.Context object that
will be created. (type: int ) |
Instance Variable | _cipherString | An OpenSSL-specific cipher string. (type: unicode ) |
Instance Variable | _defaultMinimumTLSVersion | The default TLS version that will be negotiated. This should be a
"safe default", with wide client and server support, vs an
optimally secure one that excludes a large number of users. As of late
2016, TLSv1.0 is that safe default. (type: TLSVersion
constant) |
Method | _makeContext | Undocumented |
OpenSSL.SSL.Context
object that
will be created. (type: int
)
TLSVersion
constant)
Create an OpenSSL context SSL connection context factory.
Parameters | privateKey | A PKey object holding the private key. |
certificate | An X509 object holding the certificate. | |
method | Deprecated, use a combination of insecurelyLowerMinimumTo ,
raiseMinimumTo , or lowerMaximumSecurityTo
instead. The SSL protocol to use, one of SSLv23_METHOD ,
SSLv2_METHOD , SSLv3_METHOD ,
TLSv1_METHOD (or any other method constants provided by
pyOpenSSL). By default, a setting will be used which allows TLSv1.0,
TLSv1.1, and TLSv1.2. Can not be used with
insecurelyLowerMinimumTo , raiseMinimumTo , or
lowerMaximumSecurityTo | |
verify | Please use a trustRoot keyword argument instead, since it
provides the same functionality in a less error-prone way. By default this
is False .
If | |
caCerts | Please use a trustRoot keyword argument instead, since it
provides the same functionality in a less error-prone way.
List of certificate authority certificate objects to use to verify the
peer's certificate. Only used if verify is list
of OpenSSL.crypto.X509 ) | |
verifyDepth | Depth in certificate chain down to which to verify. If unspecified, use the underlying default (9). | |
requireCertificate | Please use a trustRoot keyword argument instead, since it
provides the same functionality in a less error-prone way.
| |
verifyOnce | If True, do not re-verify the certificate on session resumption. | |
enableSingleUseKeys | If True ,
generate a new key whenever ephemeral DH and ECDH parameters are used to
prevent small subgroup attacks and to ensure perfect forward secrecy. | |
enableSessions | If True, set a session ID on each context. This allows a shortened handshake to be used when a known client reconnects. | |
fixBrokenPeers | If True, enable various non-spec protocol fixes for broken SSL implementations. This should be entirely safe, according to the OpenSSL documentation, but YMMV. This option is now off by default, because it causes problems with connections between peers using OpenSSL 0.9.8a. | |
enableSessionTickets | If True ,
enable session ticket extension for session resumption per RFC 5077. Note
there is no support for controlling session tickets. This option is off by
default, as some server implementations don't correctly process incoming
empty session ticket extensions in the hello. | |
extraCertChain | List of certificates that complete your verification chain if the
certificate authority that signed your certificate isn't
widely supported. Do not add certificate to it. (type: list of OpenSSL.crypto.X509 ) | |
acceptableCiphers | Ciphers that are acceptable for connections. Uses a secure default if left
None . (type: IAcceptableCiphers ) | |
dhParameters | Key generation parameters that are required for Diffie-Hellman key
exchange. If this argument is left None ,
EDH ciphers are disabled regardless of
acceptableCiphers . (type: DiffieHellmanParameters ) | |
trustRoot | Specification of trust requirements of peers. If this argument is
specified, the peer is verified. It requires a certificate, and that
certificate must be signed by one of the certificate authorities specified
by this object.
Note that since this option specifies the same information as
IOpenSSLTrustRoot ) | |
acceptableProtocols | The protocols this peer is willing to speak after the TLS negotiation has
completed, advertised over both ALPN and NPN. If this argument is
specified, and no overlap can be found with the other peer, the connection
will fail to be established. If the remote peer does not offer NPN or
ALPN, the connection will be established, but no protocol wil be
negotiated. Protocols earlier in the list are preferred over those later in
the list. (type: list
of bytes ) | |
raiseMinimumTo | The minimum TLS version that you want to use, or Twisted's default if it is
higher. Use this if you want to make your client/server more secure than
Twisted's default, but will accept Twisted's default instead if it moves
higher than this value. You probably want to use this over
insecurelyLowerMinimumTo . (type: TLSVersion
constant) | |
insecurelyLowerMinimumTo | The minimum TLS version to use, possibly lower than Twisted's default. If
not specified, it is a generally considered safe default (TLSv1.0). If you
want to raise your minimum TLS version to above that of this default, use
raiseMinimumTo . DO NOT use this argument unless you are
absolutely sure this is what you want. (type: TLSVersion
constant) | |
lowerMaximumSecurityTo | The maximum TLS version to use. If not specified, it is the most recent
your OpenSSL supports. You only want to set this if the peer that you are
communicating with has problems with more recent TLS versions, it lowers
your security when communicating with newer peers. DO NOT use this
argument unless you are absolutely sure this is what you want. (type: TLSVersion
constant) | |
Raises | ValueError | when privateKey or certificate are set without
setting the respective other. |
ValueError | when verify is True
but caCerts doesn't specify any CA certificates. | |
ValueError | when extraCertChain is passed without specifying
privateKey or certificate . | |
ValueError | when acceptableCiphers doesn't yield any usable ciphers for
the current platform. | |
TypeError | if trustRoot is passed in combination with
caCert , verify , or
requireCertificate . Please prefer trustRoot in
new code, as its semantics are less tricky. | |
TypeError | if method is passed in combination with
tlsProtocols . Please prefer the more explicit
tlsProtocols in new code. | |
NotImplementedError | If acceptableProtocols were provided but no negotiation mechanism is available. |