module documentation
(source)

Undocumented

Class SimpleVerificationError Not a very useful verification error.
Function simpleVerifyHostname Check only the common name in the certificate presented by the peer and only for an exact match.
Function simpleVerifyIPAddress Always fails validation of IP addresses
Variable verifyHostname Undocumented
Variable verifyIPAddress Undocumented
Class CertBase Base class for public (certificate only) and private (certificate + key pair) certificates.
Class PublicKey A PublicKey is a representation of the public part of a key pair.
Interface IOpenSSLTrustRoot Trust settings for an OpenSSL context.
Class OpenSSLCertificateAuthorities Trust an explicitly specified set of certificates, represented by a list of OpenSSL.crypto.X509 objects.
Class ClientTLSOptions Client creator for TLS.
Class OpenSSLCipher A representation of an OpenSSL cipher.
Variable defaultCiphers Undocumented
Variable _tlsDisableFlags Undocumented
Function _getExcludedTLSProtocols Given a pair of TLSVersion constants, figure out what versions we want to disable (as OpenSSL is an exclusion based API).
Function _usablePyOpenSSL Check pyOpenSSL version string whether we can use it for host verification.
Function _selectVerifyImplementation Determine if service_identity is installed. If so, use it. If not, use simplistic and incorrect checking as implemented in simpleVerifyHostname.
Variable _x509names Undocumented
Function _handleattrhelper No summary
Function _tolerateErrors Wrap up an info_callback for pyOpenSSL so that if something goes wrong the error is immediately logged and the connection is dropped if possible.
Function _expandCipherString Expand cipherString according to method and options to a tuple of explicit ciphers that are supported by the current platform.
Function _selectCiphers Caclulate the acceptable list of ciphers from the ciphers we want and the ciphers we have support for.
Variable _defaultCurveName Undocumented
Class _ChooseDiffieHellmanEllipticCurve Chooses the best elliptic curve for Elliptic Curve Diffie-Hellman key exchange, and provides a configureECDHCurve method to set the curve, when appropriate, on a new OpenSSL.SSL.Context.
Function _setAcceptableProtocols Called to set up the OpenSSL.SSL.Context for doing NPN and/or ALPN negotiation.
_tlsDisableFlags = (source)

Undocumented

def _getExcludedTLSProtocols(oldest, newest): (source)

Given a pair of TLSVersion constants, figure out what versions we want to disable (as OpenSSL is an exclusion based API).

ParametersoldestThe oldest TLSVersion we want to allow. (type: TLSVersion constant)
newestThe newest TLSVersion we want to allow, or None for no upper limit. (type: TLSVersion constant or None)
ReturnsThe versions we want to disable. (type: list of TLSVersion constants.)
def simpleVerifyHostname(connection, hostname): (source)

Check only the common name in the certificate presented by the peer and only for an exact match.

This is to provide something in the way of hostname verification to users who haven't installed service_identity. This check is overly strict, relies on a deprecated TLS feature (you're supposed to ignore the commonName if the subjectAlternativeName extensions are present, I believe), and lots of valid certificates will fail.

Parametersconnectionthe OpenSSL connection to verify. (type: OpenSSL.SSL.Connection)
hostnameThe hostname expected by the user. (type: unicode)
Raisestwisted.internet.ssl.VerificationErrorif the common name and hostname don't match.
def simpleVerifyIPAddress(connection, hostname): (source)

Always fails validation of IP addresses

Parametersconnectionthe OpenSSL connection to verify. (type: OpenSSL.SSL.Connection)
hostnameThe hostname expected by the user. (type: unicode)
Raisestwisted.internet.ssl.VerificationErrorAlways raised
def _usablePyOpenSSL(version): (source)

Check pyOpenSSL version string whether we can use it for host verification.

ParametersversionA pyOpenSSL version string. (type: str)
ReturnsUndocumented (type: bool)
def _selectVerifyImplementation(): (source)

Determine if service_identity is installed. If so, use it. If not, use simplistic and incorrect checking as implemented in simpleVerifyHostname.

Returns2-tuple of (verify_hostname, VerificationError) (type: tuple)
verifyHostname = (source)

Undocumented

verifyIPAddress = (source)

Undocumented

_x509names = (source)

Undocumented

(type: dict[str, str])
def _handleattrhelper(Class, transport, methodName): (source)

(private) Helper for Certificate.peerFromTransport and Certificate.hostFromTransport which checks for incompatible handle types and null certificates and raises the appropriate exception or returns the appropriate certificate object.

def _tolerateErrors(wrapped): (source)

Wrap up an info_callback for pyOpenSSL so that if something goes wrong the error is immediately logged and the connection is dropped if possible.

This wrapper exists because some versions of pyOpenSSL don't handle errors from callbacks at all, and those which do write tracebacks directly to stderr rather than to a supplied logging system. This reports unexpected errors to the Twisted logging system.

Also, this terminates the connection immediately if possible because if you've got bugs in your verification logic it's much safer to just give up.

ParameterswrappedA valid info_callback for pyOpenSSL. (type: callable)
ReturnsA valid info_callback for pyOpenSSL that handles any errors in wrapped. (type: callable)
@lru_cache(maxsize=32)
def _expandCipherString(cipherString, method, options): (source)

Expand cipherString according to method and options to a tuple of explicit ciphers that are supported by the current platform.

ParameterscipherStringAn OpenSSL cipher string to expand. (type: unicode)
methodAn OpenSSL method like SSL.TLSv1_METHOD used for determining the effective ciphers.
optionsOpenSSL options like SSL.OP_NO_SSLv3 ORed together. (type: int)
ReturnsThe effective list of explicit ciphers that results from the arguments on the current platform. (type: tuple of ICipher)
@lru_cache(maxsize=128)
def _selectCiphers(wantedCiphers, availableCiphers): (source)

Caclulate the acceptable list of ciphers from the ciphers we want and the ciphers we have support for.

ParameterswantedCiphersThe ciphers we want to use. (type: tuple of OpenSSLCipher)
availableCiphersThe ciphers we have available to use. (type: tuple of OpenSSLCipher)
ReturnsUndocumented (type: tuple of OpenSSLCipher)
defaultCiphers = (source)

Undocumented

_defaultCurveName = (source)

Undocumented

(type: str)
def _setAcceptableProtocols(context, acceptableProtocols): (source)

Called to set up the OpenSSL.SSL.Context for doing NPN and/or ALPN negotiation.

ParameterscontextThe context which is set up. (type: OpenSSL.SSL.Context)
acceptableProtocolsThe protocols this peer is willing to speak after the TLS negotiation has completed, advertised over both ALPN and NPN. If this argument is specified, and no overlap can be found with the other peer, the connection will fail to be established. If the remote peer does not offer NPN or ALPN, the connection will be established, but no protocol wil be negotiated. Protocols earlier in the list are preferred over those later in the list. (type: list of bytes)
API Documentation for Twisted, generated by pydoctor 20.12.1 at 2021-02-28 19:53:36.