twisted.internet.ssl.CertificateOptions(object)
class documentation, module twisted.internet.ssl
A CertificateOptions specifies the security properties for a client or server TLS connection used with OpenSSL.
Method | __init__ | Create an OpenSSL context SSL connection context factory. |
Method | __getstate__ | Undocumented |
Method | __setstate__ | Undocumented |
Method | getContext | Return an OpenSSL.SSL.Context object. |
Instance Variable | _options | Any option flags to set on the OpenSSL.SSL.Context object that will be created. (type: int) |
Instance Variable | _cipherString | An OpenSSL-specific cipher string. (type: unicode) |
Method | _makeContext | Undocumented |
Method | _setUpNextProtocolMechanisms | Called to set up the ctx for doing NPN and/or ALPN negotiation. |
Method | _protoSelectCallback | NPN client-side and ALPN server-side callback used to select the next protocol. Prefers protocols found earlier in _acceptableProtocols. |
Create an OpenSSL context SSL connection context factory.
Parameters | privateKey | A PKey object holding the private key. |
certificate | An X509 object holding the certificate. |
method | The SSL protocol to use, one of SSLv23_METHOD, SSLv2_METHOD, SSLv3_METHOD, TLSv1_METHOD (or any other method constants provided by pyOpenSSL). By default, a setting will be used which allows TLSv1.0, TLSv1.1, and TLSv1.2. |
verify | Please use a trustRoot keyword argument instead, since it provides the same functionality in a less error-prone way. By default this is False. If |
caCerts | Please use a trustRoot keyword argument instead, since it provides the same functionality in a less error-prone way. List of certificate authority certificate objects to use to verify the peer's certificate. Only used if verify is True. (type: list of OpenSSL.crypto.X509) |
verifyDepth | Depth in certificate chain down to which to verify. If unspecified, use the underlying default (9). |
requireCertificate | Please use a trustRoot keyword argument instead, since it provides the same functionality in a less error-prone way. |
verifyOnce | If True, do not re-verify the certificate on session resumption. |
enableSingleUseKeys | If True, generate a new key whenever ephemeral DH and ECDH parameters are used to prevent small subgroup attacks and to ensure perfect forward secrecy. |
enableSessions | If True, set a session ID on each context. This allows a shortened handshake to be used when a known client reconnects. |
fixBrokenPeers | If True, enable various non-spec protocol fixes for broken SSL implementations. This should be entirely safe, according to the OpenSSL documentation, but YMMV. This option is now off by default, because it causes problems with connections between peers using OpenSSL 0.9.8a. |
enableSessionTickets | If True, enable the session ticket extension for session resumption per RFC 5077. Note there is no support for controlling session tickets. This option is off by default, as some server implementations don't correctly process incoming empty session ticket extensions in the hello. |
extraCertChain | List of certificates that complete your verification chain if the certificate authority that signed your certificate isn't widely supported. Do not add the certificate itself to it. (type: list of OpenSSL.crypto.X509) |
acceptableCiphers | Ciphers that are acceptable for connections. Uses a secure default if left None. (type: IAcceptableCiphers) |
dhParameters | Key generation parameters that are required for Diffie-Hellman key exchange. If this argument is left None, EDH ciphers are disabled regardless of acceptableCiphers. (type: DiffieHellmanParameters) |
trustRoot | Specification of trust requirements of peers. If this argument is specified, the peer is verified. It requires a certificate, and that certificate must be signed by one of the certificate authorities specified by this object. Note that since this option specifies the same information as (type: IOpenSSLTrustRoot) |
acceptableProtocols | The protocols this peer is willing to speak after the TLS negotiation has completed, advertised over both ALPN and NPN. If this argument is specified, and no overlap can be found with the other peer, the connection will fail to be established. If the remote peer does not offer NPN or ALPN, the connection will be established, but no protocol will be negotiated. Protocols earlier in the list are preferred over those later in the list. (type: list of bytes) |
Raises | ValueError | when privateKey or certificate are set without setting the respective other. |
ValueError | when verify is True but caCerts doesn't specify any CA certificates. |
ValueError | when extraCertChain is passed without specifying privateKey or certificate. |
ValueError | when acceptableCiphers doesn't yield any usable ciphers for the current platform. |
TypeError | if trustRoot is passed in combination with caCerts, verify, or requireCertificate. Please prefer trustRoot in new code, as its semantics are less tricky. |
NotImplementedError | if acceptableProtocols were provided but no negotiation mechanism is available. |
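An added usage example, not part of the Twisted documentation, showing how the documented argument rules fit together: a pre-flight checker for the ValueError/TypeError combinations listed above, then client-side options built with trustRoot and acceptableProtocols, and server-side options with extraCertChain and dhParameters. It assumes pyOpenSSL's OpenSSL.crypto PEM loaders and Twisted's Certificate, trustRootFromCertificates and DiffieHellmanParameters.fromFile; the PEM bytes and the DH parameter file path are caller-supplied placeholders.

```python
def check_options_kwargs(**kw):
    """Pre-flight check mirroring the documented CertificateOptions constraints;
    raises the same exception type the constructor is documented to raise."""
    has_key = kw.get("privateKey") is not None
    has_cert = kw.get("certificate") is not None
    if has_key != has_cert:
        raise ValueError("privateKey and certificate must be set together")
    if kw.get("extraCertChain") and not has_cert:
        raise ValueError("extraCertChain requires privateKey and certificate")
    legacy = [k for k in ("caCerts", "verify", "requireCertificate") if k in kw]
    if kw.get("trustRoot") is not None and legacy:
        raise TypeError("trustRoot cannot be combined with " + ", ".join(legacy))
    if kw.get("verify") and not kw.get("caCerts"):
        raise ValueError("verify=True requires caCerts")
    return kw


def violation(**kw):
    """Name of the exception the constructor would raise for kw, or None."""
    try:
        check_options_kwargs(**kw)
    except (ValueError, TypeError) as e:
        return type(e).__name__
    return None


def client_options(ca_pem, protocols=(b"h2", b"http/1.1")):
    """Client side: verify the server against one CA via trustRoot and offer
    ALPN/NPN protocols, earlier entries preferred."""
    from OpenSSL import crypto           # pyOpenSSL and Twisted are imported lazily
    from twisted.internet import ssl     # so the checker above runs without them
    ca = ssl.Certificate(crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem))
    kw = check_options_kwargs(trustRoot=ssl.trustRootFromCertificates([ca]),
                              acceptableProtocols=list(protocols))
    return ssl.CertificateOptions(**kw)


def server_options(cert_pem, key_pem, chain_pems=(), dh_path=None):
    """Server side: leaf cert and key, intermediates in extraCertChain (never the
    leaf itself), and DH parameters so EDH ciphers are not silently disabled."""
    from OpenSSL import crypto
    from twisted.internet import ssl
    from twisted.python.filepath import FilePath
    load = lambda pem: crypto.load_certificate(crypto.FILETYPE_PEM, pem)
    kw = dict(privateKey=crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem),
              certificate=load(cert_pem), extraCertChain=[load(p) for p in chain_pems])
    if dh_path is not None:
        kw["dhParameters"] = ssl.DiffieHellmanParameters.fromFile(FilePath(dh_path))
    return ssl.CertificateOptions(**check_options_kwargs(**kw))
```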
Called to set up the ctx for doing NPN and/or ALPN negotiation.
Parameters | ctx | The context which is set up. (type: OpenSSL.SSL.Context) |
NPN client-side and ALPN server-side callback used to select the next protocol. Prefers protocols found earlier in _acceptableProtocols.
Parameters | conn | The connection which is set up. (type: OpenSSL.SSL.Connection) |
protocols | Protocols advertised by the other side. (type: list of bytes) |