Part of twisted.internet.ssl View Source View In Hierarchy
CertificateOptions
specifies the security properties for a client or server TLS connection
used with OpenSSL.Method | __init__ | Create an OpenSSL context SSL connection context factory. |
Method | __getstate__ | Undocumented |
Method | __setstate__ | Undocumented |
Method | getContext | Return an OpenSSL.SSL.Context object. |
Instance Variable | _options | Any option flags to set on the OpenSSL.SSL.Context object that
will be created. (type: int ) |
Instance Variable | _cipherString | An OpenSSL-specific cipher string. (type: unicode ) |
Method | _makeContext | Undocumented |
OpenSSL.SSL.Context
object that
will be created. (type: int
)
Parameters | privateKey | A PKey object holding the private key. |
certificate | An X509 object holding the certificate. | |
method | The SSL protocol to use, one of SSLv23_METHOD, SSLv2_METHOD, SSLv3_METHOD, TLSv1_METHOD (or any other method constants provided by pyOpenSSL). By default, a setting will be used which allows TLSv1.0, TLSv1.1, and TLSv1.2. | |
verify | Please use a trustRoot keyword argument instead, since it
provides the same functionality in a less error-prone way. By default this
is False .
If | |
caCerts | Please use a trustRoot keyword argument instead, since it
provides the same functionality in a less error-prone way.
List of certificate authority certificate objects to use to verify the
peer's certificate. Only used if verify is list of OpenSSL.crypto.X509 ) | |
verifyDepth | Depth in certificate chain down to which to verify. If unspecified, use the underlying default (9). | |
requireCertificate | Please use a trustRoot keyword argument instead, since it
provides the same functionality in a less error-prone way.
| |
verifyOnce | If True, do not re-verify the certificate on session resumption. | |
enableSingleUseKeys | If True ,
generate a new key whenever ephemeral DH and ECDH parameters are used to
prevent small subgroup attacks and to ensure perfect forward secrecy. | |
enableSessions | If True, set a session ID on each context. This allows a shortened handshake to be used when a known client reconnects. | |
fixBrokenPeers | If True, enable various non-spec protocol fixes for broken SSL implementations. This should be entirely safe, according to the OpenSSL documentation, but YMMV. This option is now off by default, because it causes problems with connections between peers using OpenSSL 0.9.8a. | |
enableSessionTickets | If True ,
enable session ticket extension for session resumption per RFC 5077. Note
there is no support for controlling session tickets. This option is off by
default, as some server implementations don't correctly process incoming
empty session ticket extensions in the hello. | |
extraCertChain | List of certificates that complete your verification chain if the
certificate authority that signed your certificate isn't
widely supported. Do not add certificate to it. (type: list of OpenSSL.crypto.X509 ) | |
acceptableCiphers | Ciphers that are acceptable for connections. Uses a secure default if left
None . (type: IAcceptableCiphers ) | |
dhParameters | Key generation parameters that are required for Diffie-Hellman key
exchange. If this argument is left None ,
EDH ciphers are disabled regardless of
acceptableCiphers . (type: DiffieHellmanParameters ) | |
trustRoot | Specification of trust requirements of peers. If this argument is
specified, the peer is verified. It requires a certificate, and that
certificate must be signed by one of the certificate authorities specified
by this object.
Note that since this option specifies the same information as
IOpenSSLTrustRoot ) | |
Raises | ValueError | when privateKey or certificate are set without
setting the respective other. |
ValueError | when verify is True
but caCerts doesn't specify any CA certificates. | |
ValueError | when extraCertChain is passed without specifying
privateKey or certificate . | |
ValueError | when acceptableCiphers doesn't yield any usable ciphers for
the current platform. | |
TypeError | if trustRoot is passed in combination with
caCert , verify , or
requireCertificate . Please prefer trustRoot in
new code, as its semantics are less tricky. |