|Class||SimpleVerificationError||Not a very useful verification error.|
|Function||simpleVerifyHostname||Check only the common name in the certificate presented by the peer and only for an exact match.|
|Function||simpleVerifyIPAddress||Always fails validation of IP addresses|
|Class||CertBase||Base class for public (certificate only) and private (certificate + key pair) certificates.|
|Interface||IOpenSSLTrustRoot||Trust settings for an OpenSSL context.|
|Class||OpenSSLCertificateAuthorities||Trust an explicitly specified set of certificates, represented by a list
|Class||ClientTLSOptions||Client creator for TLS.|
|Class||OpenSSLCipher||A representation of an OpenSSL cipher.|
|Function||_getExcludedTLSProtocols||Given a pair of
|Function||_usablePyOpenSSL||Check pyOpenSSL version string whether we can use it for host verification.|
|Function||_tolerateErrors||Wrap up an
|Class||_ChooseDiffieHellmanEllipticCurve||Chooses the best elliptic curve for Elliptic Curve Diffie-Hellman key
exchange, and provides a
|Function||_setAcceptableProtocols||Called to set up the
Given a pair of
constants, figure out what versions we want to disable (as OpenSSL is an
exclusion based API).
|Parameters||oldest||The oldest |
|newest||The newest |
|Returns||The versions we want to disable. (type: |
Check only the common name in the certificate presented by the peer and only for an exact match.
This is to provide something in the way of hostname verification
to users who haven't installed
service_identity. This check is
overly strict, relies on a deprecated TLS feature (you're supposed to
ignore the commonName if the subjectAlternativeName extensions are present,
I believe), and lots of valid certificates will fail.
|Parameters||connection||the OpenSSL connection to verify. (type: |
|hostname||The hostname expected by the user. (type: |
|Raises||twisted.internet.ssl.VerificationError||if the common name and hostname don't match.|
Wrap up an
info_callback for pyOpenSSL so that if something
goes wrong the error is immediately logged and the connection is dropped if
This wrapper exists because some versions of pyOpenSSL don't handle errors from callbacks at all, and those which do write tracebacks directly to stderr rather than to a supplied logging system. This reports unexpected errors to the Twisted logging system.
Also, this terminates the connection immediately if possible because if you've got bugs in your verification logic it's much safer to just give up.
|Parameters||wrapped||A valid |
|Returns||A valid |
cipherString according to
options to a list of explicit ciphers that are supported by
the current platform.
|Parameters||cipherString||An OpenSSL cipher string to expand. (type: |
|method||An OpenSSL method like |
|options||OpenSSL options like |
|Returns||The effective list of explicit ciphers that results from the arguments on
the current platform. (type: |
Called to set up the
for doing NPN and/or ALPN negotiation.
|Parameters||context||The context which is set up. (type: |
|acceptableProtocols||The protocols this peer is willing to speak after the TLS negotiation has
completed, advertised over both ALPN and NPN. If this argument is
specified, and no overlap can be found with the other peer, the connection
will fail to be established. If the remote peer does not offer NPN or ALPN,
the connection will be established, but no protocol wil be negotiated.
Protocols earlier in the list are preferred over those later in the list. (type: |