twisted.internet._sslverify module documentation (package twisted.internet)
Class | SimpleVerificationError | Not a very useful verification error. |
Function | simpleVerifyHostname | Check only the common name in the certificate presented by the peer and only for an exact match. |
Class | CertBase | Base class for public (certificate only) and private (certificate + key pair) certificates. |
Class | PublicKey | A PublicKey is a representation of the public part of a key pair. |
Interface | IOpenSSLTrustRoot | Trust settings for an OpenSSL context. |
Class | OpenSSLCertificateAuthorities | Trust an explicitly specified set of certificates, represented by a list of OpenSSL.crypto.X509 objects. |
Class | ClientTLSOptions | Client creator for TLS. |
Class | OpenSSLCipher | A representation of an OpenSSL cipher. |
Function | _cantSetHostnameIndication | The option to set SNI is not available, so do nothing. |
Function | _setHostNameIndication | Set the server name indication on the given client connection to the given value. |
Function | _idnaBytes | Convert some text typed by a human into some ASCII bytes. |
Function | _idnaText | Convert some IDNA-encoded octets into some human-readable text. |
Function | _usablePyOpenSSL | Check pyOpenSSL version string whether we can use it for host verification. |
Function | _selectVerifyImplementation | No summary |
Function | _sessionCounter | Private - shared between all OpenSSLCertificateOptions, counts up to provide a unique session id for each context. |
Function | _handleattrhelper | No summary |
Function | _tolerateErrors | Wrap up an info_callback for pyOpenSSL so that if something goes wrong the error is immediately logged and the connection is dropped if possible. |
Class | _OpenSSLECCurve | A private representation of an OpenSSL ECC curve. |
Function | _expandCipherString | Expand cipherString according to method and options to a list of explicit ciphers that are supported by the current platform. |
The option to set SNI is not available, so do nothing.
Parameters | connection | the connection (type: OpenSSL.SSL.Connection) |
| hostname | the server's host name |
Set the server name indication on the given client connection to the given value.
Parameters | connection | the connection (type: OpenSSL.SSL.Connection) |
| hostname | the server's host name |
Convert some text typed by a human into some ASCII bytes.
This is provided to allow us to use the partially-broken IDNA implementation in the standard library if the more-correct idna package is not available; service_identity is somewhat stricter about this.
Parameters | text | A domain name, hopefully. (type: unicode) |
Returns | The domain name's IDNA representation, encoded as bytes. (type: bytes) |
Check only the common name in the certificate presented by the peer and only for an exact match.
This is to provide something in the way of hostname verification to users who haven't upgraded past OpenSSL 0.12 or installed service_identity. This check is overly strict, relies on a deprecated TLS feature (you're supposed to ignore the commonName if the subjectAlternativeName extensions are present, I believe), and lots of valid certificates will fail.
Parameters | connection | the OpenSSL connection to verify. (type: OpenSSL.SSL.Connection) |
| hostname | The hostname expected by the user. (type: unicode) |
Raises | twisted.internet.ssl.VerificationError | if the common name and hostname don't match. |
service_identity requires pyOpenSSL 0.12 or better but our dependency is still back at 0.10. Determine if pyOpenSSL has the requisite feature, and whether service_identity is installed.
If so, use it. If not, use simplistic and incorrect checking as implemented in simpleVerifyHostname.
Parameters | lib | The OpenSSL module. This is necessary to determine whether certain fallback implementation strategies will be necessary. (type: types.ModuleType) |
Returns | 2-tuple of (verify_hostname, VerificationError) (type: tuple) |
Private - shared between all OpenSSLCertificateOptions, counts up to provide a unique session id for each context.
(private) Helper for Certificate.peerFromTransport and Certificate.hostFromTransport which checks for incompatible handle types and null certificates and raises the appropriate exception or returns the appropriate certificate object.
Wrap up an info_callback for pyOpenSSL so that if something goes wrong the error is immediately logged and the connection is dropped if possible.
This wrapper exists because some versions of pyOpenSSL don't handle errors from callbacks at all, and those which do write tracebacks directly to stderr rather than to a supplied logging system. This reports unexpected errors to the Twisted logging system.
Also, this terminates the connection immediately if possible because if you've got bugs in your verification logic it's much safer to just give up.
Parameters | wrapped | A valid info_callback for pyOpenSSL. (type: callable) |
Returns | A valid info_callback for pyOpenSSL that handles any errors in wrapped. (type: callable) |
Expand cipherString according to method and options to a list of explicit ciphers that are supported by the current platform.
Parameters | cipherString | An OpenSSL cipher string to expand. (type: unicode) |
| method | An OpenSSL method like SSL.TLSv1_METHOD used for determining the effective ciphers. |
| options | OpenSSL options like SSL.OP_NO_SSLv3 ORed together. (type: int) |
Returns | The effective list of explicit ciphers that results from the arguments on the current platform. (type: list of ICipher) |
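The expansion described above, as an added example that is not Twisted's code: it does the same job with the standard library's ssl module in place of pyOpenSSL (a substitution; the stdlib context has no separate method/options arguments), and adds a small check a practitioner would run over the expanded list before deploying a cipher string. The cipher strings in main are constructed inputs.

```python
import ssl

# Name fragments that identify ciphers built on primitives a current
# deployment should not negotiate: RC4, DES/3DES, MD5, NULL encryption or
# authentication, export grade, and anonymous (unauthenticated) key exchange.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def expandCipherString(cipherString):
    """Return the explicit cipher names the local OpenSSL build selects for
    an OpenSSL cipher string, the same expansion _expandCipherString does
    through pyOpenSSL.

    An empty list means OpenSSL rejected the string because it selected no
    cipher at all (a misspelt name, or ciphers compiled out or blocked by
    the security level); that is the failure a config check must catch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipherString)
    except ssl.SSLError:
        return []
    # get_ciphers() reports what the context will really offer. It also
    # includes the TLS 1.3 suites, which OpenSSL 1.1.1+ configures separately
    # from the cipher string and enables by default.
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def weakCiphersIn(cipherNames):
    """Flag expanded cipher names that contain any of WEAK_MARKERS."""
    return [name for name in cipherNames
            if any(marker in name for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    # Constructed cipher strings: one permissive, one typo that selects nothing.
    for cipherString in ("DEFAULT:!aNULL", "NO-SUCH-CIPHER"):
        expanded = expandCipherString(cipherString)
        print(cipherString, "->", len(expanded), "ciphers")
        for weak in weakCiphersIn(expanded):
            print("  weak:", weak)
```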