Part of twisted.internet View Source
Class | SimpleVerificationError | Not a very useful verification error. |
Function | simpleVerifyHostname | Check only the common name in the certificate presented by the peer and only for an exact match. |
Class | CertBase | Base class for public (certificate only) and private (certificate + key pair) certificates. |
Class | PublicKey | No class docstring; 1/5 methods documented |
Interface | IOpenSSLTrustRoot | Trust settings for an OpenSSL context. |
Class | OpenSSLCertificateAuthorities | Trust an explicitly specified set of certificates, represented by a list
of OpenSSL.crypto.X509 objects. |
Class | ClientTLSOptions | Client creator for TLS. |
Class | OpenSSLCipher | A representation of an OpenSSL cipher. |
Function | _cantSetHostnameIndication | The option to set SNI is not available, so do nothing. |
Function | _setHostNameIndication | Set the server name indication on the given client connection to the given value. |
Function | _idnaBytes | Convert some text typed by a human into some ASCII bytes. |
Function | _idnaText | Convert some IDNA-encoded octets into some human-readable text. |
Function | _selectVerifyImplementation | No summary |
Function | _sessionCounter | Private - shared between all OpenSSLCertificateOptions, counts up to provide a unique session id for each context. |
Function | _handleattrhelper | No summary |
Function | _tolerateErrors | Wrap up an info_callback for pyOpenSSL so that if something
goes wrong the error is immediately logged and the connection is dropped if
possible. |
Class | _OpenSSLECCurve | A private representation of an OpenSSL ECC curve. |
Function | _expandCipherString | Expand cipherString according to method and
options to a list of explicit ciphers that are supported by
the current platform. |
Parameters | connection | the connection (type: OpenSSL.SSL.Connection ) |
hostname | the server's host name |
Parameters | connection | the connection (type: OpenSSL.SSL.Connection ) |
hostname | the server's host name |
This is provided to allow us to use the partially-broken
IDNA implementation in the standard library if the more-correct idna package is
not available; service_identity
is somewhat stricter about
this.
Parameters | text | A domain name, hopefully. (type: unicode ) |
Returns | The domain name's IDNA representation, encoded as bytes. (type: bytes ) |
This is to provide something in the way of hostname verification
to users who haven't upgraded past OpenSSL 0.12 or installed
service_identity
. This check is overly strict, relies on a
deprecated TLS feature (you're supposed to ignore the commonName if the
subjectAlternativeName extensions are present, I believe), and lots of
valid certificates will fail.
Parameters | connection | the OpenSSL connection to verify.@ (type: OpenSSL.SSL.Connection ) |
hostname | The hostname expected by the user. (type: unicode ) | |
Raises | twisted.internet.ssl.VerificationError | if the common name and hostname don't match. |
service_identity
is installed.
If so, use it. If not, use simplistic and incorrect checking as
implemented in simpleVerifyHostname
.Returns | 2-tuple of (verify_hostname , VerificationError ) (type: tuple ) |
Certificate.peerFromTransport
and Certificate.hostFromTransport
which checks for incompatible handle types and null certificates and raises
the appropriate exception or returns the appropriate certificate
object.info_callback
for pyOpenSSL so that if something
goes wrong the error is immediately logged and the connection is dropped if
possible.
This wrapper exists because some versions of pyOpenSSL don't handle errors from callbacks at all, and those which do write tracebacks directly to stderr rather than to a supplied logging system. This reports unexpected errors to the Twisted logging system.
Also, this terminates the connection immediately if possible because if you've got bugs in your verification logic it's much safer to just give up.
Parameters | wrapped | A valid info_callback for pyOpenSSL. (type: callable ) |
Returns | A valid info_callback for pyOpenSSL that handles any errors in
wrapped . (type: callable ) |
cipherString
according to method
and
options
to a list of explicit ciphers that are supported by
the current platform.Parameters | cipherString | An OpenSSL cipher string to expand. (type: unicode ) |
method | An OpenSSL method like SSL.TLSv1_METHOD used for determining
the effective ciphers. | |
options | OpenSSL options like SSL.OP_NO_SSLv3 ORed together. (type: int ) | |
Returns | The effective list of explicit ciphers that results from the arguments on
the current platform. (type: list
of ICipher ) |