t.i._sslverify : module documentation

Part of twisted.internet

No module docstring
Class SimpleVerificationError: Not a very useful verification error.
Function simpleVerifyHostname: Check only the common name in the certificate presented by the peer and only for an exact match.
Class CertBase: Base class for public (certificate only) and private (certificate + key pair) certificates.
Class PublicKey: A PublicKey is a representation of the public part of a key pair.
Interface IOpenSSLTrustRoot: Trust settings for an OpenSSL context.
Class OpenSSLCertificateAuthorities: Trust an explicitly specified set of certificates, represented by a list of OpenSSL.crypto.X509 objects.
Class ClientTLSOptions: Client creator for TLS.
Class OpenSSLCipher: A representation of an OpenSSL cipher.
Function _cantSetHostnameIndication: The option to set SNI is not available, so do nothing.
Function _setHostNameIndication: Set the server name indication on the given client connection to the given value.
Function _idnaBytes: Convert some text typed by a human into some ASCII bytes.
Function _idnaText: Convert some IDNA-encoded octets into some human-readable text.
Function _selectVerifyImplementation: No summary
Function _sessionCounter: Private - shared between all OpenSSLCertificateOptions, counts up to provide a unique session id for each context.
Function _handleattrhelper: No summary
Function _tolerateErrors: Wrap up an info_callback for pyOpenSSL so that if something goes wrong the error is immediately logged and the connection is dropped if possible.
Class _OpenSSLECCurve: A private representation of an OpenSSL ECC curve.
Function _expandCipherString: Expand cipherString according to method and options to a list of explicit ciphers that are supported by the current platform.

def _cantSetHostnameIndication(connection, hostname):
The option to set SNI is not available, so do nothing.
Parameters:
    connection: the connection (type: OpenSSL.SSL.Connection)
    hostname: the server's host name

def _setHostNameIndication(connection, hostname):
Set the server name indication on the given client connection to the given value.
Parameters:
    connection: the connection (type: OpenSSL.SSL.Connection)
    hostname: the server's host name

def _idnaBytes(text):
Convert some text typed by a human into some ASCII bytes.

This is provided to allow us to use the partially-broken IDNA implementation in the standard library if the more-correct idna package is not available; service_identity is somewhat stricter about this.

Parameters:
    text: A domain name, hopefully. (type: unicode)
Returns: The domain name's IDNA representation, encoded as bytes. (type: bytes)

def _idnaText(octets):
Convert some IDNA-encoded octets into some human-readable text.

Currently only used by the tests.

Parameters:
    octets: Some bytes representing a hostname. (type: bytes)
Returns: A human-readable domain name. (type: unicode)

def simpleVerifyHostname(connection, hostname):
Check only the common name in the certificate presented by the peer and only for an exact match.

This is to provide something in the way of hostname verification to users who haven't upgraded past OpenSSL 0.12 or installed service_identity. This check is overly strict, relies on a deprecated TLS feature (you're supposed to ignore the commonName if the subjectAlternativeName extensions are present, I believe), and lots of valid certificates will fail.

Parameters:
    connection: the OpenSSL connection to verify. (type: OpenSSL.SSL.Connection)
    hostname: The hostname expected by the user. (type: unicode)
Raises: twisted.internet.ssl.VerificationError: if the common name and hostname don't match.
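
The difference between the commonName-only exact match described for simpleVerifyHostname and a subjectAlternativeName-aware check, as an added example (not Twisted's or service_identity's code). The certificates are constructed dictionaries, all function names are hypothetical, and the SAN matcher is a simplified sketch of dNSName matching.

```python
# Constructed certificates, reduced to the two fields a hostname check reads.
# "cn" is the subject commonName; "san" lists the dNSName entries of the
# subjectAlternativeName extension (empty when the extension is absent).
CERTS = {
    "legacy":   {"cn": "www.example.com", "san": []},
    "modern":   {"cn": "Example Web Services",
                 "san": ["www.example.com", "example.com"]},
    "wildcard": {"cn": "*.example.com", "san": ["*.example.com"]},
    "stale_cn": {"cn": "www.example.com", "san": ["api.example.net"]},
}


def cn_exact_match(cert, hostname):
    """Fallback behaviour described above: commonName only, exact match."""
    return cert["cn"] == hostname


def dns_id_matches(pattern, hostname):
    """Match one dNSName; '*' may stand only for the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label, such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_aware_match(cert, hostname):
    """Use dNSName entries when present; read commonName only if none exist."""
    if cert["san"]:
        return any(dns_id_matches(name, hostname) for name in cert["san"])
    return cert["cn"].lower() == hostname.lower()


def compare(hostname):
    """Return {certificate label: (cn_exact_match, san_aware_match)}."""
    return {label: (cn_exact_match(c, hostname), san_aware_match(c, hostname))
            for label, c in CERTS.items()}


if __name__ == "__main__":
    for label, (cn_only, san_aware) in compare("www.example.com").items():
        print(f"{label:9} cn-only={cn_only!s:5} san-aware={san_aware}")
```

The "modern" and "wildcard" rows are the valid certificates that fail the fallback check; "stale_cn" shows why the commonName is meant to be ignored once SAN entries are present.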

def _selectVerifyImplementation(lib):
service_identity requires pyOpenSSL 0.12 or better but our dependency is still back at 0.10. Determine if pyOpenSSL has the requisite feature, and whether service_identity is installed. If so, use it. If not, use simplistic and incorrect checking as implemented in simpleVerifyHostname.
Parameters:
    lib: The OpenSSL module. This is necessary to determine whether certain fallback implementation strategies will be necessary. (type: types.ModuleType)
Returns: 2-tuple of (verify_hostname, VerificationError) (type: tuple)

def _sessionCounter(counter=itertools.count()):
Private - shared between all OpenSSLCertificateOptions, counts up to provide a unique session id for each context.

def _handleattrhelper(Class, transport, methodName):
(private) Helper for Certificate.peerFromTransport and Certificate.hostFromTransport which checks for incompatible handle types and null certificates and raises the appropriate exception or returns the appropriate certificate object.

def _tolerateErrors(wrapped):
Wrap up an info_callback for pyOpenSSL so that if something goes wrong the error is immediately logged and the connection is dropped if possible.

This wrapper exists because some versions of pyOpenSSL don't handle errors from callbacks at all, and those which do write tracebacks directly to stderr rather than to a supplied logging system. This reports unexpected errors to the Twisted logging system.

Also, this terminates the connection immediately if possible because if you've got bugs in your verification logic it's much safer to just give up.

Parameters:
    wrapped: A valid info_callback for pyOpenSSL. (type: callable)
Returns: A valid info_callback for pyOpenSSL that handles any errors in wrapped. (type: callable)
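
The fail-closed pattern described for _tolerateErrors, as an added sketch using the standard logging module rather than Twisted's logger (this is not Twisted's implementation). FakeConnection, its abort() method, buggy_verifier and run_handshake are hypothetical stand-ins constructed for the example.

```python
import logging

log = logging.getLogger("tls.verify")


class FakeConnection:
    """Constructed stand-in for an OpenSSL.SSL.Connection (hypothetical)."""
    def __init__(self):
        self.aborted = False

    def abort(self):  # hypothetical name for "drop the connection"
        self.aborted = True


def tolerate_errors(wrapped):
    """Return an info_callback that logs any error and drops the connection."""
    def info_callback(connection, where, ret):
        try:
            return wrapped(connection, where, ret)
        except Exception:
            log.exception("Error during info_callback; dropping connection")
            try:
                connection.abort()
            except Exception:
                log.exception("Could not drop the connection")
    return info_callback


def buggy_verifier(connection, where, ret):
    """Constructed verification callback with a bug: it always raises."""
    raise KeyError("expected_hostname")


def run_handshake(callback):
    """Simulate a library that ignores callback errors.

    Returns True when the connection is still open afterwards.
    """
    conn = FakeConnection()
    try:
        callback(conn, 0, 1)
    except Exception:
        pass  # error lost: the handshake goes on although nothing was verified
    return not conn.aborted


if __name__ == "__main__":
    print("unwrapped stays open:", run_handshake(buggy_verifier))
    print("wrapped stays open:  ", run_handshake(tolerate_errors(buggy_verifier)))
```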

def _expandCipherString(cipherString, method, options):
Expand cipherString according to method and options to a list of explicit ciphers that are supported by the current platform.
Parameters:
    cipherString: An OpenSSL cipher string to expand. (type: unicode)
    method: An OpenSSL method like SSL.TLSv1_METHOD used for determining the effective ciphers.
    options: OpenSSL options like SSL.OP_NO_SSLv3 ORed together. (type: int)
Returns: The effective list of explicit ciphers that results from the arguments on the current platform. (type: list of ICipher)

API Documentation for Twisted, generated by pydoctor at 2015-01-30 14:14:53.