study/uTools-Manuals
1
0
Fork 0
mirror of https://github.com/fofolee/uTools-Manuals.git synced 2025-06-08 15:04:05 +08:00
Code Issues Packages Projects Releases Wiki Activity
uTools-Manuals/docs/python/ssl.html
fofolee 38dcd51d8a v0.0.2
2019-04-21 11:50:48 +08:00

215 lines
225 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<div class="body" role="main"><div class="section" id="module-ssl"><h1><span class="yiyi-st" id="yiyi-10">18.2. <a class="reference internal" href="#module-ssl" title="ssl: TLS/SSL wrapper for socket objects"><code class="xref py py-mod docutils literal"><span class="pre">ssl</span></code></a> — TLS/SSL wrapper for socket objects</span></h1><p><span class="yiyi-st" id="yiyi-11"><strong>Source code:</strong> <a class="reference external" href="https://hg.python.org/cpython/file/3.5/Lib/ssl.py">Lib/ssl.py</a></span></p><p><span class="yiyi-st" id="yiyi-12">This module provides access to Transport Layer Security (often known as “Secure Sockets Layer”) encryption and peer authentication facilities for network sockets, both client-side and server-side. </span><span class="yiyi-st" id="yiyi-13">This module uses the OpenSSL library. </span><span class="yiyi-st" id="yiyi-14">It is available on all modern Unix systems, Windows, Mac OS X, and probably additional platforms, as long as OpenSSL is installed on that platform.</span></p><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-15">Note</span></p><p class="last"><span class="yiyi-st" id="yiyi-16">Some behavior may be platform dependent, since calls are made to the operating system socket APIs. </span><span class="yiyi-st" id="yiyi-17">The installed version of OpenSSL may also cause variations in behavior. </span><span class="yiyi-st" id="yiyi-18">For example, TLSv1.1 and TLSv1.2 come with openssl version 1.0.1.</span></p></div><div class="admonition warning"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-19">Warning</span></p><p class="last"><span class="yiyi-st" id="yiyi-20">Dont use this module without reading the <a class="reference internal" href="#ssl-security"><span>Security considerations</span></a>. </span><span class="yiyi-st" id="yiyi-21">Doing so may lead to a false sense of security, as the default settings of the ssl module are not necessarily appropriate for your application.</span></p></div><p><span class="yiyi-st" id="yiyi-22">This section documents the objects and functions in the <code class="docutils literal"><span class="pre">ssl</span></code> module; for more general information about TLS, SSL, and certificates, the reader is referred to the documents in the “See Also” section at the bottom.</span></p><p><span class="yiyi-st" id="yiyi-23">This module provides a class, <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">ssl.SSLSocket</span></code></a>, which is derived from the <a class="reference internal" href="socket.html#socket.socket" title="socket.socket"><code class="xref py py-class docutils literal"><span class="pre">socket.socket</span></code></a> type, and provides a socket-like wrapper that also encrypts and decrypts the data going over the socket with SSL. </span><span class="yiyi-st" id="yiyi-24">It supports additional methods such as <code class="xref py py-meth docutils literal"><span class="pre">getpeercert()</span></code>, which retrieves the certificate of the other side of the connection, and <code class="xref py py-meth docutils literal"><span class="pre">cipher()</span></code>,which retrieves the cipher being used for the secure connection.</span></p><p><span class="yiyi-st" id="yiyi-25">对于更复杂的应用程序,<a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">ssl.SSLContext</span></code></a>类有助于管理设置和证书,然后可以通过<a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.wrap_socket()</span></code></a>方法创建的SSL套接字继承。</span></p><div class="section" id="functions-constants-and-exceptions"><h2><span class="yiyi-st" id="yiyi-26">18.2.1. </span><span class="yiyi-st" id="yiyi-27">Functions, Constants, and Exceptions</span></h2><dl class="exception"><dt id="ssl.SSLError"><span class="yiyi-st" id="yiyi-28"> <em class="property">exception </em><code class="descclassname">ssl.</code><code class="descname">SSLError</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-29">Raised to signal an error from the underlying SSL implementation (currently provided by the OpenSSL library). </span><span class="yiyi-st" id="yiyi-30">This signifies some problem in the higher-level encryption and authentication layer thats superimposed on the underlying network connection. </span><span class="yiyi-st" id="yiyi-31">This error is a subtype of <a class="reference internal" href="exceptions.html#OSError" title="OSError"><code class="xref py py-exc docutils literal"><span class="pre">OSError</span></code></a>. </span><span class="yiyi-st" id="yiyi-32">The error code and message of <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a> instances are provided by the OpenSSL library.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-33"><span class="versionmodified">Changed in version 3.3: </span><a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a> used to be a subtype of <a class="reference internal" href="socket.html#socket.error" title="socket.error"><code class="xref py py-exc docutils literal"><span class="pre">socket.error</span></code></a>.</span></p></div><dl class="attribute"><dt id="ssl.SSLError.library"><span class="yiyi-st" id="yiyi-34"> <code class="descname">library</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-35">A string mnemonic designating the OpenSSL submodule in which the error occurred, such as <code class="docutils literal"><span class="pre">SSL</span></code>, <code class="docutils literal"><span class="pre">PEM</span></code> or <code class="docutils literal"><span class="pre">X509</span></code>. </span><span class="yiyi-st" id="yiyi-36">The range of possible values depends on the OpenSSL version.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-37"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="attribute"><dt id="ssl.SSLError.reason"><span class="yiyi-st" id="yiyi-38"> <code class="descname">reason</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-39">A string mnemonic designating the reason this error occurred, for example <code class="docutils literal"><span class="pre">CERTIFICATE_VERIFY_FAILED</span></code>. </span><span class="yiyi-st" id="yiyi-40">The range of possible values depends on the OpenSSL version.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-41"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl></dd></dl><dl class="exception"><dt id="ssl.SSLZeroReturnError"><span class="yiyi-st" id="yiyi-42"> <em class="property">exception </em><code class="descclassname">ssl.</code><code class="descname">SSLZeroReturnError</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-43">A subclass of <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a> raised when trying to read or write and the SSL connection has been closed cleanly. </span><span class="yiyi-st" id="yiyi-44">Note that this doesnt mean that the underlying transport (read TCP) has been closed.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-45"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="exception"><dt id="ssl.SSLWantReadError"><span class="yiyi-st" id="yiyi-46"> <em class="property">exception </em><code class="descclassname">ssl.</code><code class="descname">SSLWantReadError</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-47">A subclass of <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a> raised by a <a class="reference internal" href="#ssl-nonblocking"><span>non-blocking SSL socket</span></a> when trying to read or write data, but more data needs to be received on the underlying TCP transport before the request can be fulfilled.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-48"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="exception"><dt id="ssl.SSLWantWriteError"><span class="yiyi-st" id="yiyi-49"> <em class="property">exception </em><code class="descclassname">ssl.</code><code class="descname">SSLWantWriteError</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-50">A subclass of <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a> raised by a <a class="reference internal" href="#ssl-nonblocking"><span>non-blocking SSL socket</span></a> when trying to read or write data, but more data needs to be sent on the underlying TCP transport before the request can be fulfilled.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-51"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="exception"><dt id="ssl.SSLSyscallError"><span class="yiyi-st" id="yiyi-52"> <em class="property">exception </em><code class="descclassname">ssl.</code><code class="descname">SSLSyscallError</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-53">A subclass of <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a> raised when a system error was encountered while trying to fulfill an operation on a SSL socket. </span><span class="yiyi-st" id="yiyi-54">Unfortunately, there is no easy way to inspect the original errno number.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-55"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="exception"><dt id="ssl.SSLEOFError"><span class="yiyi-st" id="yiyi-56"> <em class="property">exception </em><code class="descclassname">ssl.</code><code class="descname">SSLEOFError</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-57">A subclass of <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a> raised when the SSL connection has been terminated abruptly. </span><span class="yiyi-st" id="yiyi-58">Generally, you shouldnt try to reuse the underlying transport when this error is encountered.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-59"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="exception"><dt id="ssl.CertificateError"><span class="yiyi-st" id="yiyi-60"> <em class="property">exception </em><code class="descclassname">ssl.</code><code class="descname">CertificateError</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-61">Raised to signal an error with a certificate (such as mismatching hostname). </span><span class="yiyi-st" id="yiyi-62">Certificate errors detected by OpenSSL, though, raise an <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a>.</span></p></dd></dl><div class="section" id="socket-creation"><h3><span class="yiyi-st" id="yiyi-63">18.2.1.1. </span><span class="yiyi-st" id="yiyi-64">Socket creation</span></h3><p><span class="yiyi-st" id="yiyi-65">The following function allows for standalone socket creation. </span><span class="yiyi-st" id="yiyi-66">Starting from Python 3.2, it can be more flexible to use <a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.wrap_socket()</span></code></a> instead.</span></p><dl class="function"><dt id="ssl.wrap_socket"><span class="yiyi-st" id="yiyi-67"> <code class="descclassname">ssl.</code><code class="descname">wrap_socket</code><span class="sig-paren">(</span><em>sock</em>, <em>keyfile=None</em>, <em>certfile=None</em>, <em>server_side=False</em>, <em>cert_reqs=CERT_NONE</em>, <em>ssl_version={see docs}</em>, <em>ca_certs=None</em>, <em>do_handshake_on_connect=True</em>, <em>suppress_ragged_eofs=True</em>, <em>ciphers=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-68">Takes an instance <code class="docutils literal"><span class="pre">sock</span></code> of <a class="reference internal" href="socket.html#socket.socket" title="socket.socket"><code class="xref py py-class docutils literal"><span class="pre">socket.socket</span></code></a>, and returns an instance of <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">ssl.SSLSocket</span></code></a>, a subtype of <a class="reference internal" href="socket.html#socket.socket" title="socket.socket"><code class="xref py py-class docutils literal"><span class="pre">socket.socket</span></code></a>, which wraps the underlying socket in an SSL context. </span><span class="yiyi-st" id="yiyi-69"><code class="docutils literal"><span class="pre">sock</span></code> must be a <a class="reference internal" href="socket.html#socket.SOCK_STREAM" title="socket.SOCK_STREAM"><code class="xref py py-data docutils literal"><span class="pre">SOCK_STREAM</span></code></a> socket; other socket types are unsupported.</span></p><p><span class="yiyi-st" id="yiyi-70">For client-side sockets, the context construction is lazy; if the underlying socket isnt connected yet, the context construction will be performed after <code class="xref py py-meth docutils literal"><span class="pre">connect()</span></code> is called on the socket. </span><span class="yiyi-st" id="yiyi-71">For server-side sockets, if the socket has no remote peer, it is assumed to be a listening socket, and the server-side SSL wrapping is automatically performed on client connections accepted via the <code class="xref py py-meth docutils literal"><span class="pre">accept()</span></code> method. </span><span class="yiyi-st" id="yiyi-72"><a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a> may raise <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-exc docutils literal"><span class="pre">SSLError</span></code></a>.</span></p><p><span class="yiyi-st" id="yiyi-73">The <code class="docutils literal"><span class="pre">keyfile</span></code> and <code class="docutils literal"><span class="pre">certfile</span></code> parameters specify optional files which contain a certificate to be used to identify the local side of the connection. </span><span class="yiyi-st" id="yiyi-74">See the discussion of <a class="reference internal" href="#ssl-certificates"><span>Certificates</span></a> for more information on how the certificate is stored in the <code class="docutils literal"><span class="pre">certfile</span></code>.</span></p><p><span class="yiyi-st" id="yiyi-75">The parameter <code class="docutils literal"><span class="pre">server_side</span></code> is a boolean which identifies whether server-side or client-side behavior is desired from this socket.</span></p><p><span class="yiyi-st" id="yiyi-76">The parameter <code class="docutils literal"><span class="pre">cert_reqs</span></code> specifies whether a certificate is required from the other side of the connection, and whether it will be validated if provided. </span><span class="yiyi-st" id="yiyi-77">It must be one of the three values <a class="reference internal" href="#ssl.CERT_NONE" title="ssl.CERT_NONE"><code class="xref py py-const docutils literal"><span class="pre">CERT_NONE</span></code></a> (certificates ignored), <a class="reference internal" href="#ssl.CERT_OPTIONAL" title="ssl.CERT_OPTIONAL"><code class="xref py py-const docutils literal"><span class="pre">CERT_OPTIONAL</span></code></a> (not required, but validated if provided), or <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-const docutils literal"><span class="pre">CERT_REQUIRED</span></code></a> (required and validated). </span><span class="yiyi-st" id="yiyi-78">If the value of this parameter is not <a class="reference internal" href="#ssl.CERT_NONE" title="ssl.CERT_NONE"><code class="xref py py-const docutils literal"><span class="pre">CERT_NONE</span></code></a>, then the <code class="docutils literal"><span class="pre">ca_certs</span></code> parameter must point to a file of CA certificates.</span></p><p><span class="yiyi-st" id="yiyi-79">The <code class="docutils literal"><span class="pre">ca_certs</span></code> file contains a set of concatenated “certification authority” certificates, which are used to validate certificates passed from the other end of the connection. </span><span class="yiyi-st" id="yiyi-80">See the discussion of <a class="reference internal" href="#ssl-certificates"><span>Certificates</span></a> for more information about how to arrange the certificates in this file.</span></p><p><span class="yiyi-st" id="yiyi-81">The parameter <code class="docutils literal"><span class="pre">ssl_version</span></code> specifies which version of the SSL protocol to use. </span><span class="yiyi-st" id="yiyi-82">Typically, the server chooses a particular protocol version, and the client must adapt to the servers choice. </span><span class="yiyi-st" id="yiyi-83">Most of the versions are not interoperable with the other versions. </span><span class="yiyi-st" id="yiyi-84">If not specified, the default is <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-data docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a>; it provides the most compatibility with other versions.</span></p><p><span class="yiyi-st" id="yiyi-85">Heres a table showing which versions in a client (down the side) can connect to which versions in a server (along the top):</span></p><span class="yiyi-st" id="yiyi-96"> <blockquote> <div><table border="1" class="docutils"> <colgroup> <col width="29%"/> <col width="11%"/> <col width="11%"/> <col width="12%"/> <col width="11%"/> <col width="13%"/> <col width="13%"/> </colgroup> <tbody valign="top"> <tr class="row-odd"><td><em>client</em> / <strong>server</strong></td> <td><strong>SSLv2</strong></td> <td><strong>SSLv3</strong></td> <td><strong>SSLv23</strong></td> <td><strong>TLSv1</strong></td> <td><strong>TLSv1.1</strong></td> <td><strong>TLSv1.2</strong></td> </tr> <tr class="row-even"><td><em>SSLv2</em></td> <td>yes</td> <td>no</td> <td>yes</td> <td>no</td> <td>no</td> <td>no</td> </tr> <tr class="row-odd"><td><em>SSLv3</em></td> <td>no</td> <td>yes</td> <td>yes</td> <td>no</td> <td>no</td> <td>no</td> </tr> <tr class="row-even"><td><em>SSLv23</em></td> <td>no</td> <td>yes</td> <td>yes</td> <td>yes</td> <td>yes</td> <td>yes</td> </tr> <tr class="row-odd"><td><em>TLSv1</em></td> <td>no</td> <td>no</td> <td>yes</td> <td>yes</td> <td>no</td> <td>no</td> </tr> <tr class="row-even"><td><em>TLSv1.1</em></td> <td>no</td> <td>no</td> <td>yes</td> <td>no</td> <td>yes</td> <td>no</td> </tr> <tr class="row-odd"><td><em>TLSv1.2</em></td> <td>no</td> <td>no</td> <td>yes</td> <td>no</td> <td>no</td> <td>yes</td> </tr> </tbody> </table> </div></blockquote></span><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-86">Note</span></p><p class="last"><span class="yiyi-st" id="yiyi-87">Which connections succeed will vary depending on the version of OpenSSL. </span><span class="yiyi-st" id="yiyi-88">For example, before OpenSSL 1.0.0, an SSLv23 client would always attempt SSLv2 connections.</span></p></div><p><span class="yiyi-st" id="yiyi-89">The <em>ciphers</em> parameter sets the available ciphers for this SSL object. </span><span class="yiyi-st" id="yiyi-90">It should be a string in the <a class="reference external" href="https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT">OpenSSL cipher list format</a>.</span></p><p><span class="yiyi-st" id="yiyi-91">The parameter <code class="docutils literal"><span class="pre">do_handshake_on_connect</span></code> specifies whether to do the SSL handshake automatically after doing a <code class="xref py py-meth docutils literal"><span class="pre">socket.connect()</span></code>, or whether the application program will call it explicitly, by invoking the <a class="reference internal" href="#ssl.SSLSocket.do_handshake" title="ssl.SSLSocket.do_handshake"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.do_handshake()</span></code></a> method. </span><span class="yiyi-st" id="yiyi-92">Calling <a class="reference internal" href="#ssl.SSLSocket.do_handshake" title="ssl.SSLSocket.do_handshake"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.do_handshake()</span></code></a> explicitly gives the program control over the blocking behavior of the socket I/O involved in the handshake.</span></p><p><span class="yiyi-st" id="yiyi-93">The parameter <code class="docutils literal"><span class="pre">suppress_ragged_eofs</span></code> specifies how the <code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.recv()</span></code> method should signal unexpected EOF from the other end of the connection. </span><span class="yiyi-st" id="yiyi-94">If specified as <a class="reference internal" href="constants.html#True" title="True"><code class="xref py py-const docutils literal"><span class="pre">True</span></code></a> (the default), it returns a normal EOF (an empty bytes object) in response to unexpected EOF errors raised from the underlying socket; if <a class="reference internal" href="constants.html#False" title="False"><code class="xref py py-const docutils literal"><span class="pre">False</span></code></a>, it will raise the exceptions back to the caller.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-95"><span class="versionmodified">Changed in version 3.2: </span>New optional argument <em>ciphers</em>.</span></p></div></dd></dl></div><div class="section" id="context-creation"><h3><span class="yiyi-st" id="yiyi-97">18.2.1.2. </span><span class="yiyi-st" id="yiyi-98">Context creation</span></h3><p><span class="yiyi-st" id="yiyi-99">A convenience function helps create <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> objects for common purposes.</span></p><dl class="function"><dt id="ssl.create_default_context"><span class="yiyi-st" id="yiyi-100"> <code class="descclassname">ssl.</code><code class="descname">create_default_context</code><span class="sig-paren">(</span><em>purpose=Purpose.SERVER_AUTH</em>, <em>cafile=None</em>, <em>capath=None</em>, <em>cadata=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-101">Return a new <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> object with default settings for the given <em>purpose</em>. </span><span class="yiyi-st" id="yiyi-102">The settings are chosen by the <a class="reference internal" href="#module-ssl" title="ssl: TLS/SSL wrapper for socket objects"><code class="xref py py-mod docutils literal"><span class="pre">ssl</span></code></a> module, and usually represent a higher security level than when calling the <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> constructor directly.</span></p><p><span class="yiyi-st" id="yiyi-103"><em>cafile</em>, <em>capath</em>, <em>cadata</em> represent optional CA certificates to trust for certificate verification, as in <a class="reference internal" href="#ssl.SSLContext.load_verify_locations" title="ssl.SSLContext.load_verify_locations"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_verify_locations()</span></code></a>. </span><span class="yiyi-st" id="yiyi-104">If all three are <a class="reference internal" href="constants.html#None" title="None"><code class="xref py py-const docutils literal"><span class="pre">None</span></code></a>, this function can choose to trust the systems default CA certificates instead.</span></p><p><span class="yiyi-st" id="yiyi-105">The settings are: <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-data docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a>, <a class="reference internal" href="#ssl.OP_NO_SSLv2" title="ssl.OP_NO_SSLv2"><code class="xref py py-data docutils literal"><span class="pre">OP_NO_SSLv2</span></code></a>, and <a class="reference internal" href="#ssl.OP_NO_SSLv3" title="ssl.OP_NO_SSLv3"><code class="xref py py-data docutils literal"><span class="pre">OP_NO_SSLv3</span></code></a> with high encryption cipher suites without RC4 and without unauthenticated cipher suites. </span><span class="yiyi-st" id="yiyi-106"><a class="reference internal" href="#ssl.Purpose.SERVER_AUTH" title="ssl.Purpose.SERVER_AUTH"><code class="xref py py-data docutils literal"><span class="pre">SERVER_AUTH</span></code></a>作为<em>目的</em><a class="reference internal" href="#ssl.SSLContext.verify_mode" title="ssl.SSLContext.verify_mode"><code class="xref py py-data docutils literal"><span class="pre">verify_mode</span></code></a>设置为<a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-data docutils literal"><span class="pre">CERT_REQUIRED</span></code></a>并加载CA证书至少有一个<em>cafile</em><em>capath</em><em>cadata</em>)或使用<a class="reference internal" href="#ssl.SSLContext.load_default_certs" title="ssl.SSLContext.load_default_certs"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_default_certs()</span></code></a>加载默认CA证书。</span></p><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-107">Note</span></p><p><span class="yiyi-st" id="yiyi-108">The protocol, options, cipher and other settings may change to more restrictive values anytime without prior deprecation. </span><span class="yiyi-st" id="yiyi-109">The values represent a fair balance between compatibility and security.</span></p><p class="last"><span class="yiyi-st" id="yiyi-110">If your application needs specific settings, you should create a <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> and apply the settings yourself.</span></p></div><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-111">Note</span></p><p><span class="yiyi-st" id="yiyi-112">If you find that when certain older clients or servers attempt to connect with a <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> created by this function that they get an error stating “Protocol or cipher suite mismatch”, it may be that they only support SSL3.0 which this function excludes using the <a class="reference internal" href="#ssl.OP_NO_SSLv3" title="ssl.OP_NO_SSLv3"><code class="xref py py-data docutils literal"><span class="pre">OP_NO_SSLv3</span></code></a>. </span><span class="yiyi-st" id="yiyi-113">SSL3.0 is widely considered to be <a class="reference external" href="https://en.wikipedia.org/wiki/POODLE">completely broken</a>. </span><span class="yiyi-st" id="yiyi-114">如果您仍希望继续使用此功能但仍允许使用SSL 3.0连接,则可以使用以下方式重新启用它们:</span></p><div class="last highlight-python3"><div class="highlight"><pre><span></span><span class="n">ctx</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">create_default_context</span><span class="p">(</span><span class="n">Purpose</span><span class="o">.</span><span class="n">CLIENT_AUTH</span><span class="p">)</span>
<span class="n">ctx</span><span class="o">.</span><span class="n">options</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">ssl</span><span class="o">.</span><span class="n">OP_NO_SSLv3</span>
</pre></div></div></div><div class="versionadded"><p><span class="yiyi-st" id="yiyi-115"><span class="versionmodified">New in version 3.4.</span></span></p></div><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-116"><span class="versionmodified">Changed in version 3.4.4: </span>RC4 was dropped from the default cipher string.</span></p></div></dd></dl></div><div class="section" id="random-generation"><h3><span class="yiyi-st" id="yiyi-117">18.2.1.3. </span><span class="yiyi-st" id="yiyi-118">Random generation</span></h3><dl class="function"><dt id="ssl.RAND_bytes"><span class="yiyi-st" id="yiyi-119"> <code class="descclassname">ssl.</code><code class="descname">RAND_bytes</code><span class="sig-paren">(</span><em>num</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-120">Return <em>num</em> cryptographically strong pseudo-random bytes. </span><span class="yiyi-st" id="yiyi-121">Raises an <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-class docutils literal"><span class="pre">SSLError</span></code></a> if the PRNG has not been seeded with enough data or if the operation is not supported by the current RAND method. </span><span class="yiyi-st" id="yiyi-122"><a class="reference internal" href="#ssl.RAND_status" title="ssl.RAND_status"><code class="xref py py-func docutils literal"><span class="pre">RAND_status()</span></code></a> can be used to check the status of the PRNG and <a class="reference internal" href="#ssl.RAND_add" title="ssl.RAND_add"><code class="xref py py-func docutils literal"><span class="pre">RAND_add()</span></code></a> can be used to seed the PRNG.</span></p><p><span class="yiyi-st" id="yiyi-123">For almost all applications <a class="reference internal" href="os.html#os.urandom" title="os.urandom"><code class="xref py py-func docutils literal"><span class="pre">os.urandom()</span></code></a> is preferable.</span></p><p><span class="yiyi-st" id="yiyi-124">Read the Wikipedia article, <a class="reference external" href="https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator">Cryptographically secure pseudorandom number generator (CSPRNG)</a>, to get the requirements of a cryptographically generator.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-125"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="function"><dt id="ssl.RAND_pseudo_bytes"><span class="yiyi-st" id="yiyi-126"> <code class="descclassname">ssl.</code><code class="descname">RAND_pseudo_bytes</code><span class="sig-paren">(</span><em>num</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-127">Return (bytes, is_cryptographic): bytes are <em>num</em> pseudo-random bytes, is_cryptographic is <code class="docutils literal"><span class="pre">True</span></code> if the bytes generated are cryptographically strong. </span><span class="yiyi-st" id="yiyi-128">Raises an <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-class docutils literal"><span class="pre">SSLError</span></code></a> if the operation is not supported by the current RAND method.</span></p><p><span class="yiyi-st" id="yiyi-129">Generated pseudo-random byte sequences will be unique if they are of sufficient length, but are not necessarily unpredictable. </span><span class="yiyi-st" id="yiyi-130">They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc.</span></p><p><span class="yiyi-st" id="yiyi-131">For almost all applications <a class="reference internal" href="os.html#os.urandom" title="os.urandom"><code class="xref py py-func docutils literal"><span class="pre">os.urandom()</span></code></a> is preferable.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-132"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="function"><dt id="ssl.RAND_status"><span class="yiyi-st" id="yiyi-133"> <code class="descclassname">ssl.</code><code class="descname">RAND_status</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-134">Return <code class="docutils literal"><span class="pre">True</span></code> if the SSL pseudo-random number generator has been seeded with enough randomness, and <code class="docutils literal"><span class="pre">False</span></code> otherwise. </span><span class="yiyi-st" id="yiyi-135">You can use <a class="reference internal" href="#ssl.RAND_egd" title="ssl.RAND_egd"><code class="xref py py-func docutils literal"><span class="pre">ssl.RAND_egd()</span></code></a> and <a class="reference internal" href="#ssl.RAND_add" title="ssl.RAND_add"><code class="xref py py-func docutils literal"><span class="pre">ssl.RAND_add()</span></code></a> to increase the randomness of the pseudo-random number generator.</span></p></dd></dl><dl class="function"><dt id="ssl.RAND_egd"><span class="yiyi-st" id="yiyi-136"> <code class="descclassname">ssl.</code><code class="descname">RAND_egd</code><span class="sig-paren">(</span><em>path</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-137">If you are running an entropy-gathering daemon (EGD) somewhere, and <em>path</em> is the pathname of a socket connection open to it, this will read 256 bytes of randomness from the socket, and add it to the SSL pseudo-random number generator to increase the security of generated secret keys. </span><span class="yiyi-st" id="yiyi-138">This is typically only necessary on systems without better sources of randomness.</span></p><p><span class="yiyi-st" id="yiyi-139">See <a class="reference external" href="http://egd.sourceforge.net/">http://egd.sourceforge.net/</a> or <a class="reference external" href="http://prngd.sourceforge.net/">http://prngd.sourceforge.net/</a> for sources of entropy-gathering daemons.</span></p><p><span class="yiyi-st" id="yiyi-140">Availability: not available with LibreSSL.</span></p></dd></dl><dl class="function"><dt id="ssl.RAND_add"><span class="yiyi-st" id="yiyi-141"> <code class="descclassname">ssl.</code><code class="descname">RAND_add</code><span class="sig-paren">(</span><em>bytes</em>, <em>entropy</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-142">Mix the given <em>bytes</em> into the SSL pseudo-random number generator. </span><span class="yiyi-st" id="yiyi-143">The parameter <em>entropy</em> (a float) is a lower bound on the entropy contained in string (so you can always use <code class="xref py py-const docutils literal"><span class="pre">0.0</span></code>). </span><span class="yiyi-st" id="yiyi-144">See <span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc1750.html"><strong>RFC 1750</strong></a> for more information on sources of entropy.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-145"><span class="versionmodified">Changed in version 3.5: </span>Writable <a class="reference internal" href="../glossary.html#term-bytes-like-object"><span class="xref std std-term">bytes-like object</span></a> is now accepted.</span></p></div></dd></dl></div><div class="section" id="certificate-handling"><h3><span class="yiyi-st" id="yiyi-146">18.2.1.4. </span><span class="yiyi-st" id="yiyi-147">Certificate handling</span></h3><dl class="function"><dt id="ssl.match_hostname"><span class="yiyi-st" id="yiyi-148"> <code class="descclassname">ssl.</code><code class="descname">match_hostname</code><span class="sig-paren">(</span><em>cert</em>, <em>hostname</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-149">Verify that <em>cert</em> (in decoded format as returned by <a class="reference internal" href="#ssl.SSLSocket.getpeercert" title="ssl.SSLSocket.getpeercert"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.getpeercert()</span></code></a>) matches the given <em>hostname</em>. </span><span class="yiyi-st" id="yiyi-150">The rules applied are those for checking the identity of HTTPS servers as outlined in <span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2818.html"><strong>RFC 2818</strong></a> and <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6125.html"><strong>RFC 6125</strong></a>. </span><span class="yiyi-st" id="yiyi-151">In addition to HTTPS, this function should be suitable for checking the identity of servers in various SSL-based protocols such as FTPS, IMAPS, POPS and others.</span></p><p><span class="yiyi-st" id="yiyi-152"><a class="reference internal" href="#ssl.CertificateError" title="ssl.CertificateError"><code class="xref py py-exc docutils literal"><span class="pre">CertificateError</span></code></a> is raised on failure. </span><span class="yiyi-st" id="yiyi-153">On success, the function returns nothing:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">cert</span> <span class="o">=</span> <span class="p">{</span><span class="s1">'subject'</span><span class="p">:</span> <span class="p">(((</span><span class="s1">'commonName'</span><span class="p">,</span> <span class="s1">'example.com'</span><span class="p">),),)}</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">ssl</span><span class="o">.</span><span class="n">match_hostname</span><span class="p">(</span><span class="n">cert</span><span class="p">,</span> <span class="s2">"example.com"</span><span class="p">)</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">ssl</span><span class="o">.</span><span class="n">match_hostname</span><span class="p">(</span><span class="n">cert</span><span class="p">,</span> <span class="s2">"example.org"</span><span class="p">)</span>
<span class="gt">Traceback (most recent call last):</span>
File <span class="nb">"&lt;stdin&gt;"</span>, line <span class="m">1</span>, in <span class="n">&lt;module&gt;</span>
File <span class="nb">"/home/py3k/Lib/ssl.py"</span>, line <span class="m">130</span>, in <span class="n">match_hostname</span>
<span class="gr">ssl.CertificateError</span>: <span class="n">hostname 'example.org' doesn't match 'example.com'</span>
</code></pre><div class="versionadded"><p><span class="yiyi-st" id="yiyi-154"><span class="versionmodified">New in version 3.2.</span></span></p></div><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-155"><span class="versionmodified">Changed in version 3.3.3: </span>The function now follows <span class="target" id="index-5"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6125.html"><strong>RFC 6125</strong></a>, section 6.4.3 and does neither match multiple wildcards (e.g. </span><span class="yiyi-st" id="yiyi-156"><code class="docutils literal"><span class="pre">*.*.com</span></code> or <code class="docutils literal"><span class="pre">*a*.example.org</span></code>) nor a wildcard inside an internationalized domain names (IDN) fragment. </span><span class="yiyi-st" id="yiyi-157">IDN A-labels such as <code class="docutils literal"><span class="pre">www*.xn--pthon-kva.org</span></code> are still supported, but <code class="docutils literal"><span class="pre">x*.python.org</span></code> no longer matches <code class="docutils literal"><span class="pre">xn--tda.python.org</span></code>.</span></p></div><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-158"><span class="versionmodified">Changed in version 3.5: </span>Matching of IP addresses, when present in the subjectAltName field of the certificate, is now supported.</span></p></div></dd></dl><dl class="function"><dt id="ssl.cert_time_to_seconds"><span class="yiyi-st" id="yiyi-159"> <code class="descclassname">ssl.</code><code class="descname">cert_time_to_seconds</code><span class="sig-paren">(</span><em>cert_time</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-160">Return the time in seconds since the Epoch, given the <code class="docutils literal"><span class="pre">cert_time</span></code> string representing the “notBefore” or “notAfter” date from a certificate in <code class="docutils literal"><span class="pre">"%b</span> <span class="pre">%d</span> <span class="pre">%H:%M:%S</span> <span class="pre">%Y</span> <span class="pre">%Z"</span></code> strptime format (C locale).</span></p><p><span class="yiyi-st" id="yiyi-161">Heres an example:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="kn">import</span> <span class="nn">ssl</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">timestamp</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">cert_time_to_seconds</span><span class="p">(</span><span class="s2">"Jan 5 09:34:43 2018 GMT"</span><span class="p">)</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">timestamp</span>
<span class="go">1515144883</span>
<span class="gp">&gt;&gt;&gt; </span><span class="kn">from</span> <span class="nn">datetime</span> <span class="k">import</span> <span class="n">datetime</span>
<span class="gp">&gt;&gt;&gt; </span><span class="nb">print</span><span class="p">(</span><span class="n">datetime</span><span class="o">.</span><span class="n">utcfromtimestamp</span><span class="p">(</span><span class="n">timestamp</span><span class="p">))</span>
<span class="go">2018-01-05 09:34:43</span>
</code></pre><p><span class="yiyi-st" id="yiyi-162">“notBefore” or “notAfter” dates must use GMT (<span class="target" id="index-6"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5280.html"><strong>RFC 5280</strong></a>).</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-163"><span class="versionmodified">Changed in version 3.5: </span>Interpret the input time as a time in UTC as specified by GMT timezone in the input string. </span><span class="yiyi-st" id="yiyi-164">Local timezone was used previously. </span><span class="yiyi-st" id="yiyi-165">Return an integer (no fractions of a second in the input format)</span></p></div></dd></dl><dl class="function"><dt id="ssl.get_server_certificate"><span class="yiyi-st" id="yiyi-166"> <code class="descclassname">ssl.</code><code class="descname">get_server_certificate</code><span class="sig-paren">(</span><em>addr</em>, <em>ssl_version=PROTOCOL_SSLv23</em>, <em>ca_certs=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-167">Given the address <code class="docutils literal"><span class="pre">addr</span></code> of an SSL-protected server, as a (<em>hostname</em>, <em>port-number</em>) pair, fetches the servers certificate, and returns it as a PEM-encoded string. </span><span class="yiyi-st" id="yiyi-168">If <code class="docutils literal"><span class="pre">ssl_version</span></code> is specified, uses that version of the SSL protocol to attempt to connect to the server. </span><span class="yiyi-st" id="yiyi-169">If <code class="docutils literal"><span class="pre">ca_certs</span></code> is specified, it should be a file containing a list of root certificates, the same format as used for the same parameter in <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a>. </span><span class="yiyi-st" id="yiyi-170">The call will attempt to validate the server certificate against that set of root certificates, and will fail if the validation attempt fails.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-171"><span class="versionmodified">Changed in version 3.3: </span>This function is now IPv6-compatible.</span></p></div><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-172"><span class="versionmodified">Changed in version 3.5: </span>The default <em>ssl_version</em> is changed from <a class="reference internal" href="#ssl.PROTOCOL_SSLv3" title="ssl.PROTOCOL_SSLv3"><code class="xref py py-data docutils literal"><span class="pre">PROTOCOL_SSLv3</span></code></a> to <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-data docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a> for maximum compatibility with modern servers.</span></p></div></dd></dl><dl class="function"><dt id="ssl.DER_cert_to_PEM_cert"><span class="yiyi-st" id="yiyi-173"> <code class="descclassname">ssl.</code><code class="descname">DER_cert_to_PEM_cert</code><span class="sig-paren">(</span><em>DER_cert_bytes</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-174">Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded string version of the same certificate.</span></p></dd></dl><dl class="function"><dt id="ssl.PEM_cert_to_DER_cert"><span class="yiyi-st" id="yiyi-175"> <code class="descclassname">ssl.</code><code class="descname">PEM_cert_to_DER_cert</code><span class="sig-paren">(</span><em>PEM_cert_string</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-176">Given a certificate as an ASCII PEM string, returns a DER-encoded sequence of bytes for that same certificate.</span></p></dd></dl><dl class="function"><dt id="ssl.get_default_verify_paths"><span class="yiyi-st" id="yiyi-177"> <code class="descclassname">ssl.</code><code class="descname">get_default_verify_paths</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-178">Returns a named tuple with paths to OpenSSLs default cafile and capath. </span><span class="yiyi-st" id="yiyi-179">The paths are the same as used by <a class="reference internal" href="#ssl.SSLContext.set_default_verify_paths" title="ssl.SSLContext.set_default_verify_paths"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_default_verify_paths()</span></code></a>. </span><span class="yiyi-st" id="yiyi-180">The return value is a <a class="reference internal" href="../glossary.html#term-named-tuple"><span class="xref std std-term">named tuple</span></a> <code class="docutils literal"><span class="pre">DefaultVerifyPaths</span></code>:</span></p><ul class="simple"><li><span class="yiyi-st" id="yiyi-181"><code class="xref py py-attr docutils literal"><span class="pre">cafile</span></code> - resolved path to cafile or None if the file doesnt exist,</span></li><li><span class="yiyi-st" id="yiyi-182"><code class="xref py py-attr docutils literal"><span class="pre">capath</span></code> - resolved path to capath or None if the directory doesnt exist,</span></li><li><span class="yiyi-st" id="yiyi-183"><code class="xref py py-attr docutils literal"><span class="pre">openssl_cafile_env</span></code> - OpenSSLs environment key that points to a cafile,</span></li><li><span class="yiyi-st" id="yiyi-184"><code class="xref py py-attr docutils literal"><span class="pre">openssl_cafile</span></code> - hard coded path to a cafile,</span></li><li><span class="yiyi-st" id="yiyi-185"><code class="xref py py-attr docutils literal"><span class="pre">openssl_capath_env</span></code> - OpenSSLs environment key that points to a capath,</span></li><li><span class="yiyi-st" id="yiyi-186"><code class="xref py py-attr docutils literal"><span class="pre">openssl_capath</span></code> - hard coded path to a capath directory</span></li></ul><div class="versionadded"><p><span class="yiyi-st" id="yiyi-187"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="function"><dt id="ssl.enum_certificates"><span class="yiyi-st" id="yiyi-188"> <code class="descclassname">ssl.</code><code class="descname">enum_certificates</code><span class="sig-paren">(</span><em>store_name</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-189">Retrieve certificates from Windows system cert store. </span><span class="yiyi-st" id="yiyi-190"><em>store_name</em> may be one of <code class="docutils literal"><span class="pre">CA</span></code>, <code class="docutils literal"><span class="pre">ROOT</span></code> or <code class="docutils literal"><span class="pre">MY</span></code>. </span><span class="yiyi-st" id="yiyi-191">Windows may provide additional cert stores, too.</span></p><p><span class="yiyi-st" id="yiyi-192">The function returns a list of (cert_bytes, encoding_type, trust) tuples. </span><span class="yiyi-st" id="yiyi-193">The encoding_type specifies the encoding of cert_bytes. </span><span class="yiyi-st" id="yiyi-194">It is either <code class="xref py py-const docutils literal"><span class="pre">x509_asn</span></code> for X.509 ASN.1 data or <code class="xref py py-const docutils literal"><span class="pre">pkcs_7_asn</span></code> for PKCS#7 ASN.1 data. </span><span class="yiyi-st" id="yiyi-195">Trust specifies the purpose of the certificate as a set of OIDS or exactly <code class="docutils literal"><span class="pre">True</span></code> if the certificate is trustworthy for all purposes.</span></p><p><span class="yiyi-st" id="yiyi-196">Example:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">ssl</span><span class="o">.</span><span class="n">enum_certificates</span><span class="p">(</span><span class="s2">"CA"</span><span class="p">)</span>
<span class="go">[(b'data...', 'x509_asn', {'1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'}),</span>
<span class="go"> (b'data...', 'x509_asn', True)]</span>
</code></pre><p><span class="yiyi-st" id="yiyi-197">Availability: Windows.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-198"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="function"><dt id="ssl.enum_crls"><span class="yiyi-st" id="yiyi-199"> <code class="descclassname">ssl.</code><code class="descname">enum_crls</code><span class="sig-paren">(</span><em>store_name</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-200">Retrieve CRLs from Windows system cert store. </span><span class="yiyi-st" id="yiyi-201"><em>store_name</em> may be one of <code class="docutils literal"><span class="pre">CA</span></code>, <code class="docutils literal"><span class="pre">ROOT</span></code> or <code class="docutils literal"><span class="pre">MY</span></code>. </span><span class="yiyi-st" id="yiyi-202">Windows may provide additional cert stores, too.</span></p><p><span class="yiyi-st" id="yiyi-203">The function returns a list of (cert_bytes, encoding_type, trust) tuples. </span><span class="yiyi-st" id="yiyi-204">The encoding_type specifies the encoding of cert_bytes. </span><span class="yiyi-st" id="yiyi-205">It is either <code class="xref py py-const docutils literal"><span class="pre">x509_asn</span></code> for X.509 ASN.1 data or <code class="xref py py-const docutils literal"><span class="pre">pkcs_7_asn</span></code> for PKCS#7 ASN.1 data.</span></p><p><span class="yiyi-st" id="yiyi-206">Availability: Windows.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-207"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl></div><div class="section" id="constants"><h3><span class="yiyi-st" id="yiyi-208">18.2.1.5. </span><span class="yiyi-st" id="yiyi-209">Constants</span></h3><dl class="data"><dt id="ssl.CERT_NONE"><span class="yiyi-st" id="yiyi-210"> <code class="descclassname">ssl.</code><code class="descname">CERT_NONE</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-211">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_mode" title="ssl.SSLContext.verify_mode"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_mode</span></code></a>, or the <code class="docutils literal"><span class="pre">cert_reqs</span></code> parameter to <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a>. </span><span class="yiyi-st" id="yiyi-212">In this mode (the default), no certificates will be required from the other side of the socket connection. </span><span class="yiyi-st" id="yiyi-213">If a certificate is received from the other end, no attempt to validate it is made.</span></p><p><span class="yiyi-st" id="yiyi-214">See the discussion of <a class="reference internal" href="#ssl-security"><span>Security considerations</span></a> below.</span></p></dd></dl><dl class="data"><dt id="ssl.CERT_OPTIONAL"><span class="yiyi-st" id="yiyi-215"> <code class="descclassname">ssl.</code><code class="descname">CERT_OPTIONAL</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-216">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_mode" title="ssl.SSLContext.verify_mode"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_mode</span></code></a>, or the <code class="docutils literal"><span class="pre">cert_reqs</span></code> parameter to <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a>. </span><span class="yiyi-st" id="yiyi-217">In this mode no certificates will be required from the other side of the socket connection; but if they are provided, validation will be attempted and an <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-class docutils literal"><span class="pre">SSLError</span></code></a> will be raised on failure.</span></p><p><span class="yiyi-st" id="yiyi-218">Use of this setting requires a valid set of CA certificates to be passed, either to <a class="reference internal" href="#ssl.SSLContext.load_verify_locations" title="ssl.SSLContext.load_verify_locations"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_verify_locations()</span></code></a> or as a value of the <code class="docutils literal"><span class="pre">ca_certs</span></code> parameter to <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a>.</span></p></dd></dl><dl class="data"><dt id="ssl.CERT_REQUIRED"><span class="yiyi-st" id="yiyi-219"> <code class="descclassname">ssl.</code><code class="descname">CERT_REQUIRED</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-220">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_mode" title="ssl.SSLContext.verify_mode"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_mode</span></code></a>, or the <code class="docutils literal"><span class="pre">cert_reqs</span></code> parameter to <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a>. </span><span class="yiyi-st" id="yiyi-221">In this mode, certificates are required from the other side of the socket connection; an <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-class docutils literal"><span class="pre">SSLError</span></code></a> will be raised if no certificate is provided, or if its validation fails.</span></p><p><span class="yiyi-st" id="yiyi-222">Use of this setting requires a valid set of CA certificates to be passed, either to <a class="reference internal" href="#ssl.SSLContext.load_verify_locations" title="ssl.SSLContext.load_verify_locations"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_verify_locations()</span></code></a> or as a value of the <code class="docutils literal"><span class="pre">ca_certs</span></code> parameter to <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a>.</span></p></dd></dl><dl class="data"><dt id="ssl.VERIFY_DEFAULT"><span class="yiyi-st" id="yiyi-223"> <code class="descclassname">ssl.</code><code class="descname">VERIFY_DEFAULT</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-224">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_flags" title="ssl.SSLContext.verify_flags"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_flags</span></code></a>. </span><span class="yiyi-st" id="yiyi-225">In this mode, certificate revocation lists (CRLs) are not checked. </span><span class="yiyi-st" id="yiyi-226">By default OpenSSL does neither require nor verify CRLs.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-227"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.VERIFY_CRL_CHECK_LEAF"><span class="yiyi-st" id="yiyi-228"> <code class="descclassname">ssl.</code><code class="descname">VERIFY_CRL_CHECK_LEAF</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-229">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_flags" title="ssl.SSLContext.verify_flags"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_flags</span></code></a>. </span><span class="yiyi-st" id="yiyi-230">In this mode, only the peer cert is check but non of the intermediate CA certificates. </span><span class="yiyi-st" id="yiyi-231">The mode requires a valid CRL that is signed by the peer certs issuer (its direct ancestor CA). </span><span class="yiyi-st" id="yiyi-232">If no proper has been loaded <a class="reference internal" href="#ssl.SSLContext.load_verify_locations" title="ssl.SSLContext.load_verify_locations"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.load_verify_locations</span></code></a>, validation will fail.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-233"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.VERIFY_CRL_CHECK_CHAIN"><span class="yiyi-st" id="yiyi-234"> <code class="descclassname">ssl.</code><code class="descname">VERIFY_CRL_CHECK_CHAIN</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-235">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_flags" title="ssl.SSLContext.verify_flags"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_flags</span></code></a>. </span><span class="yiyi-st" id="yiyi-236">In this mode, CRLs of all certificates in the peer cert chain are checked.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-237"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.VERIFY_X509_STRICT"><span class="yiyi-st" id="yiyi-238"> <code class="descclassname">ssl.</code><code class="descname">VERIFY_X509_STRICT</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-239">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_flags" title="ssl.SSLContext.verify_flags"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_flags</span></code></a> to disable workarounds for broken X.509 certificates.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-240"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.VERIFY_X509_TRUSTED_FIRST"><span class="yiyi-st" id="yiyi-241"> <code class="descclassname">ssl.</code><code class="descname">VERIFY_X509_TRUSTED_FIRST</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-242">Possible value for <a class="reference internal" href="#ssl.SSLContext.verify_flags" title="ssl.SSLContext.verify_flags"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_flags</span></code></a>. </span><span class="yiyi-st" id="yiyi-243">It instructs OpenSSL to prefer trusted certificates when building the trust chain to validate a certificate. </span><span class="yiyi-st" id="yiyi-244">This flag is enabled by default.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-245"><span class="versionmodified">New in version 3.4.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.PROTOCOL_SSLv23"><span class="yiyi-st" id="yiyi-246"> <code class="descclassname">ssl.</code><code class="descname">PROTOCOL_SSLv23</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-247">Selects the highest protocol version that both the client and server support. </span><span class="yiyi-st" id="yiyi-248">Despite the name, this option can select “TLS” protocols as well as “SSL”.</span></p></dd></dl><dl class="data"><dt id="ssl.PROTOCOL_SSLv2"><span class="yiyi-st" id="yiyi-249"> <code class="descclassname">ssl.</code><code class="descname">PROTOCOL_SSLv2</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-250">Selects SSL version 2 as the channel encryption protocol.</span></p><p><span class="yiyi-st" id="yiyi-251">This protocol is not available if OpenSSL is compiled with the <code class="docutils literal"><span class="pre">OPENSSL_NO_SSL2</span></code> flag.</span></p><div class="admonition warning"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-252">Warning</span></p><p class="last"><span class="yiyi-st" id="yiyi-253">SSLv2已是不安全的协议。</span><span class="yiyi-st" id="yiyi-254">除非你知道自己在做什么,否则不要使用该协议。</span></p></div></dd></dl><dl class="data"><dt id="ssl.PROTOCOL_SSLv3"><span class="yiyi-st" id="yiyi-255"> <code class="descclassname">ssl.</code><code class="descname">PROTOCOL_SSLv3</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-256">Selects SSL version 3 as the channel encryption protocol.</span></p><p><span class="yiyi-st" id="yiyi-257">This protocol is not be available if OpenSSL is compiled with the <code class="docutils literal"><span class="pre">OPENSSL_NO_SSLv3</span></code> flag.</span></p><div class="admonition warning"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-258">Warning</span></p><p class="last"><span class="yiyi-st" id="yiyi-259">SSLv3已是不安全的协议。</span><span class="yiyi-st" id="yiyi-260">除非你知道自己在做什么,否则不要使用该协议。</span></p></div></dd></dl><dl class="data"><dt id="ssl.PROTOCOL_TLSv1"><span class="yiyi-st" id="yiyi-261"> <code class="descclassname">ssl.</code><code class="descname">PROTOCOL_TLSv1</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-262">Selects TLS version 1.0 as the channel encryption protocol.</span></p></dd></dl><dl class="data"><dt id="ssl.PROTOCOL_TLSv1_1"><span class="yiyi-st" id="yiyi-263"> <code class="descclassname">ssl.</code><code class="descname">PROTOCOL_TLSv1_1</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-264">Selects TLS version 1.1 as the channel encryption protocol. </span><span class="yiyi-st" id="yiyi-265">Available only with openssl version 1.0.1+.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-266"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.PROTOCOL_TLSv1_2"><span class="yiyi-st" id="yiyi-267"> <code class="descclassname">ssl.</code><code class="descname">PROTOCOL_TLSv1_2</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-268">使用TLSv1.2作为通道加密协议。</span><span class="yiyi-st" id="yiyi-269">This is the most modern version, and probably the best choice for maximum protection, if both sides can speak it. </span><span class="yiyi-st" id="yiyi-270">Available only with openssl version 1.0.1+.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-271"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_ALL"><span class="yiyi-st" id="yiyi-272"> <code class="descclassname">ssl.</code><code class="descname">OP_ALL</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-273">Enables workarounds for various bugs present in other SSL implementations. </span><span class="yiyi-st" id="yiyi-274">This option is set by default. </span><span class="yiyi-st" id="yiyi-275">It does not necessarily set the same flags as OpenSSLs <code class="docutils literal"><span class="pre">SSL_OP_ALL</span></code> constant.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-276"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_NO_SSLv2"><span class="yiyi-st" id="yiyi-277"> <code class="descclassname">ssl.</code><code class="descname">OP_NO_SSLv2</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-278">Prevents an SSLv2 connection. </span><span class="yiyi-st" id="yiyi-279">This option is only applicable in conjunction with <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-const docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a>. </span><span class="yiyi-st" id="yiyi-280">It prevents the peers from choosing SSLv2 as the protocol version.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-281"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_NO_SSLv3"><span class="yiyi-st" id="yiyi-282"> <code class="descclassname">ssl.</code><code class="descname">OP_NO_SSLv3</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-283">Prevents an SSLv3 connection. </span><span class="yiyi-st" id="yiyi-284">This option is only applicable in conjunction with <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-const docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a>. </span><span class="yiyi-st" id="yiyi-285">It prevents the peers from choosing SSLv3 as the protocol version.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-286"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_NO_TLSv1"><span class="yiyi-st" id="yiyi-287"> <code class="descclassname">ssl.</code><code class="descname">OP_NO_TLSv1</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-288">Prevents a TLSv1 connection. </span><span class="yiyi-st" id="yiyi-289">This option is only applicable in conjunction with <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-const docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a>. </span><span class="yiyi-st" id="yiyi-290">It prevents the peers from choosing TLSv1 as the protocol version.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-291"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_NO_TLSv1_1"><span class="yiyi-st" id="yiyi-292"> <code class="descclassname">ssl.</code><code class="descname">OP_NO_TLSv1_1</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-293">Prevents a TLSv1.1 connection. </span><span class="yiyi-st" id="yiyi-294">This option is only applicable in conjunction with <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-const docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a>. </span><span class="yiyi-st" id="yiyi-295">It prevents the peers from choosing TLSv1.1 as the protocol version. </span><span class="yiyi-st" id="yiyi-296">Available only with openssl version 1.0.1+.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-297"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_NO_TLSv1_2"><span class="yiyi-st" id="yiyi-298"> <code class="descclassname">ssl.</code><code class="descname">OP_NO_TLSv1_2</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-299">Prevents a TLSv1.2 connection. </span><span class="yiyi-st" id="yiyi-300">This option is only applicable in conjunction with <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-const docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a>. </span><span class="yiyi-st" id="yiyi-301">It prevents the peers from choosing TLSv1.2 as the protocol version. </span><span class="yiyi-st" id="yiyi-302">Available only with openssl version 1.0.1+.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-303"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_CIPHER_SERVER_PREFERENCE"><span class="yiyi-st" id="yiyi-304"> <code class="descclassname">ssl.</code><code class="descname">OP_CIPHER_SERVER_PREFERENCE</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-305">Use the servers cipher ordering preference, rather than the clients. </span><span class="yiyi-st" id="yiyi-306">This option has no effect on client sockets and SSLv2 server sockets.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-307"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_SINGLE_DH_USE"><span class="yiyi-st" id="yiyi-308"> <code class="descclassname">ssl.</code><code class="descname">OP_SINGLE_DH_USE</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-309">Prevents re-use of the same DH key for distinct SSL sessions. </span><span class="yiyi-st" id="yiyi-310">This improves forward secrecy but requires more computational resources. </span><span class="yiyi-st" id="yiyi-311">This option only applies to server sockets.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-312"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_SINGLE_ECDH_USE"><span class="yiyi-st" id="yiyi-313"> <code class="descclassname">ssl.</code><code class="descname">OP_SINGLE_ECDH_USE</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-314">Prevents re-use of the same ECDH key for distinct SSL sessions. </span><span class="yiyi-st" id="yiyi-315">This improves forward secrecy but requires more computational resources. </span><span class="yiyi-st" id="yiyi-316">This option only applies to server sockets.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-317"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OP_NO_COMPRESSION"><span class="yiyi-st" id="yiyi-318"> <code class="descclassname">ssl.</code><code class="descname">OP_NO_COMPRESSION</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-319">Disable compression on the SSL channel. </span><span class="yiyi-st" id="yiyi-320">This is useful if the application protocol supports its own compression scheme.</span></p><p><span class="yiyi-st" id="yiyi-321">This option is only available with OpenSSL 1.0.0 and later.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-322"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.HAS_ALPN"><span class="yiyi-st" id="yiyi-323"> <code class="descclassname">ssl.</code><code class="descname">HAS_ALPN</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-324">Whether the OpenSSL library has built-in support for the <em>Application-Layer Protocol Negotiation</em> TLS extension as described in <span class="target" id="index-7"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7301.html"><strong>RFC 7301</strong></a>.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-325"><span class="versionmodified">New in version 3.5.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.HAS_ECDH"><span class="yiyi-st" id="yiyi-326"> <code class="descclassname">ssl.</code><code class="descname">HAS_ECDH</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-327">Whether the OpenSSL library has built-in support for Elliptic Curve-based Diffie-Hellman key exchange. </span><span class="yiyi-st" id="yiyi-328">This should be true unless the feature was explicitly disabled by the distributor.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-329"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.HAS_SNI"><span class="yiyi-st" id="yiyi-330"> <code class="descclassname">ssl.</code><code class="descname">HAS_SNI</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-331">Whether the OpenSSL library has built-in support for the <em>Server Name Indication</em> extension (as defined in <span class="target" id="index-8"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4366.html"><strong>RFC 4366</strong></a>).</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-332"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.HAS_NPN"><span class="yiyi-st" id="yiyi-333"> <code class="descclassname">ssl.</code><code class="descname">HAS_NPN</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-334">Whether the OpenSSL library has built-in support for <em>Next Protocol Negotiation</em> as described in the <a class="reference external" href="https://tools.ietf.org/html/draft-agl-tls-nextprotoneg">NPN draft specification</a>. </span><span class="yiyi-st" id="yiyi-335">When true, you can use the <a class="reference internal" href="#ssl.SSLContext.set_npn_protocols" title="ssl.SSLContext.set_npn_protocols"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_npn_protocols()</span></code></a> method to advertise which protocols you want to support.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-336"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.CHANNEL_BINDING_TYPES"><span class="yiyi-st" id="yiyi-337"> <code class="descclassname">ssl.</code><code class="descname">CHANNEL_BINDING_TYPES</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-338">List of supported TLS channel binding types. </span><span class="yiyi-st" id="yiyi-339">Strings in this list can be used as arguments to <a class="reference internal" href="#ssl.SSLSocket.get_channel_binding" title="ssl.SSLSocket.get_channel_binding"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.get_channel_binding()</span></code></a>.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-340"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OPENSSL_VERSION"><span class="yiyi-st" id="yiyi-341"> <code class="descclassname">ssl.</code><code class="descname">OPENSSL_VERSION</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-342">The version string of the OpenSSL library loaded by the interpreter:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">ssl</span><span class="o">.</span><span class="n">OPENSSL_VERSION</span>
<span class="go">'OpenSSL 0.9.8k 25 Mar 2009'</span>
</code></pre><div class="versionadded"><p><span class="yiyi-st" id="yiyi-343"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OPENSSL_VERSION_INFO"><span class="yiyi-st" id="yiyi-344"> <code class="descclassname">ssl.</code><code class="descname">OPENSSL_VERSION_INFO</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-345">A tuple of five integers representing version information about the OpenSSL library:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">ssl</span><span class="o">.</span><span class="n">OPENSSL_VERSION_INFO</span>
<span class="go">(0, 9, 8, 11, 15)</span>
</code></pre><div class="versionadded"><p><span class="yiyi-st" id="yiyi-346"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.OPENSSL_VERSION_NUMBER"><span class="yiyi-st" id="yiyi-347"> <code class="descclassname">ssl.</code><code class="descname">OPENSSL_VERSION_NUMBER</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-348">The raw version number of the OpenSSL library, as a single integer:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">ssl</span><span class="o">.</span><span class="n">OPENSSL_VERSION_NUMBER</span>
<span class="go">9470143</span>
<span class="gp">&gt;&gt;&gt; </span><span class="nb">hex</span><span class="p">(</span><span class="n">ssl</span><span class="o">.</span><span class="n">OPENSSL_VERSION_NUMBER</span><span class="p">)</span>
<span class="go">'0x9080bf'</span>
</code></pre><div class="versionadded"><p><span class="yiyi-st" id="yiyi-349"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.ALERT_DESCRIPTION_HANDSHAKE_FAILURE"><span class="yiyi-st" id="yiyi-350"> <code class="descclassname">ssl.</code><code class="descname">ALERT_DESCRIPTION_HANDSHAKE_FAILURE</code></span></dt><dt id="ssl.ALERT_DESCRIPTION_INTERNAL_ERROR"><span class="yiyi-st" id="yiyi-351"> <code class="descclassname">ssl.</code><code class="descname">ALERT_DESCRIPTION_INTERNAL_ERROR</code></span></dt><dt><span class="yiyi-st" id="yiyi-352"> <code class="descname">ALERT_DESCRIPTION_*</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-353">Alert Descriptions from <span class="target" id="index-9"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5246.html"><strong>RFC 5246</strong></a> and others. </span><span class="yiyi-st" id="yiyi-354">The <a class="reference external" href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6">IANA TLS Alert Registry</a> contains this list and references to the RFCs where their meaning is defined.</span></p><p><span class="yiyi-st" id="yiyi-355">Used as the return value of the callback function in <a class="reference internal" href="#ssl.SSLContext.set_servername_callback" title="ssl.SSLContext.set_servername_callback"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_servername_callback()</span></code></a>.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-356"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.Purpose.SERVER_AUTH"><span class="yiyi-st" id="yiyi-357"> <code class="descclassname">Purpose.</code><code class="descname">SERVER_AUTH</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-358">Option for <a class="reference internal" href="#ssl.create_default_context" title="ssl.create_default_context"><code class="xref py py-func docutils literal"><span class="pre">create_default_context()</span></code></a> and <a class="reference internal" href="#ssl.SSLContext.load_default_certs" title="ssl.SSLContext.load_default_certs"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_default_certs()</span></code></a>. </span><span class="yiyi-st" id="yiyi-359">This value indicates that the context may be used to authenticate Web servers (therefore, it will be used to create client-side sockets).</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-360"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="data"><dt id="ssl.Purpose.CLIENT_AUTH"><span class="yiyi-st" id="yiyi-361"> <code class="descclassname">Purpose.</code><code class="descname">CLIENT_AUTH</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-362">Option for <a class="reference internal" href="#ssl.create_default_context" title="ssl.create_default_context"><code class="xref py py-func docutils literal"><span class="pre">create_default_context()</span></code></a> and <a class="reference internal" href="#ssl.SSLContext.load_default_certs" title="ssl.SSLContext.load_default_certs"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_default_certs()</span></code></a>. </span><span class="yiyi-st" id="yiyi-363">This value indicates that the context may be used to authenticate Web clients (therefore, it will be used to create server-side sockets).</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-364"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl></div></div><div class="section" id="ssl-sockets"><h2><span class="yiyi-st" id="yiyi-365">18.2.2. </span><span class="yiyi-st" id="yiyi-366">SSL Sockets</span></h2><dl class="class"><dt id="ssl.SSLSocket"><span class="yiyi-st" id="yiyi-367"> <em class="property">class </em><code class="descclassname">ssl.</code><code class="descname">SSLSocket</code><span class="sig-paren">(</span><em>socket.socket</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-368">SSL sockets provide the following methods of <a class="reference internal" href="socket.html#socket-objects"><span>Socket Objects</span></a>:</span></p><ul class="simple"><li><span class="yiyi-st" id="yiyi-369"><a class="reference internal" href="socket.html#socket.socket.accept" title="socket.socket.accept"><code class="xref py py-meth docutils literal"><span class="pre">accept()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-370"><a class="reference internal" href="socket.html#socket.socket.bind" title="socket.socket.bind"><code class="xref py py-meth docutils literal"><span class="pre">bind()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-371"><a class="reference internal" href="socket.html#socket.socket.close" title="socket.socket.close"><code class="xref py py-meth docutils literal"><span class="pre">close()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-372"><a class="reference internal" href="socket.html#socket.socket.connect" title="socket.socket.connect"><code class="xref py py-meth docutils literal"><span class="pre">connect()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-373"><a class="reference internal" href="socket.html#socket.socket.detach" title="socket.socket.detach"><code class="xref py py-meth docutils literal"><span class="pre">detach()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-374"><a class="reference internal" href="socket.html#socket.socket.fileno" title="socket.socket.fileno"><code class="xref py py-meth docutils literal"><span class="pre">fileno()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-375"><a class="reference internal" href="socket.html#socket.socket.getpeername" title="socket.socket.getpeername"><code class="xref py py-meth docutils literal"><span class="pre">getpeername()</span></code></a>, <a class="reference internal" href="socket.html#socket.socket.getsockname" title="socket.socket.getsockname"><code class="xref py py-meth docutils literal"><span class="pre">getsockname()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-376"><a class="reference internal" href="socket.html#socket.socket.getsockopt" title="socket.socket.getsockopt"><code class="xref py py-meth docutils literal"><span class="pre">getsockopt()</span></code></a>, <a class="reference internal" href="socket.html#socket.socket.setsockopt" title="socket.socket.setsockopt"><code class="xref py py-meth docutils literal"><span class="pre">setsockopt()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-377"><a class="reference internal" href="socket.html#socket.socket.gettimeout" title="socket.socket.gettimeout"><code class="xref py py-meth docutils literal"><span class="pre">gettimeout()</span></code></a>, <a class="reference internal" href="socket.html#socket.socket.settimeout" title="socket.socket.settimeout"><code class="xref py py-meth docutils literal"><span class="pre">settimeout()</span></code></a>, <a class="reference internal" href="socket.html#socket.socket.setblocking" title="socket.socket.setblocking"><code class="xref py py-meth docutils literal"><span class="pre">setblocking()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-378"><a class="reference internal" href="socket.html#socket.socket.listen" title="socket.socket.listen"><code class="xref py py-meth docutils literal"><span class="pre">listen()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-379"><a class="reference internal" href="socket.html#socket.socket.makefile" title="socket.socket.makefile"><code class="xref py py-meth docutils literal"><span class="pre">makefile()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-380"><a class="reference internal" href="socket.html#socket.socket.recv" title="socket.socket.recv"><code class="xref py py-meth docutils literal"><span class="pre">recv()</span></code></a>, <a class="reference internal" href="socket.html#socket.socket.recv_into" title="socket.socket.recv_into"><code class="xref py py-meth docutils literal"><span class="pre">recv_into()</span></code></a> (but passing a non-zero <code class="docutils literal"><span class="pre">flags</span></code> argument is not allowed)</span></li><li><span class="yiyi-st" id="yiyi-381"><a class="reference internal" href="socket.html#socket.socket.send" title="socket.socket.send"><code class="xref py py-meth docutils literal"><span class="pre">send()</span></code></a>, <a class="reference internal" href="socket.html#socket.socket.sendall" title="socket.socket.sendall"><code class="xref py py-meth docutils literal"><span class="pre">sendall()</span></code></a> (with the same limitation)</span></li><li><span class="yiyi-st" id="yiyi-382"><a class="reference internal" href="socket.html#socket.socket.sendfile" title="socket.socket.sendfile"><code class="xref py py-meth docutils literal"><span class="pre">sendfile()</span></code></a> (but <a class="reference internal" href="os.html#os.sendfile" title="os.sendfile"><code class="xref py py-mod docutils literal"><span class="pre">os.sendfile</span></code></a> will be used for plain-text sockets only, else <a class="reference internal" href="socket.html#socket.socket.send" title="socket.socket.send"><code class="xref py py-meth docutils literal"><span class="pre">send()</span></code></a> will be used)</span></li><li><span class="yiyi-st" id="yiyi-383"><a class="reference internal" href="socket.html#socket.socket.shutdown" title="socket.socket.shutdown"><code class="xref py py-meth docutils literal"><span class="pre">shutdown()</span></code></a></span></li></ul><p><span class="yiyi-st" id="yiyi-384">However, since the SSL (and TLS) protocol has its own framing atop of TCP, the SSL sockets abstraction can, in certain respects, diverge from the specification of normal, OS-level sockets. </span><span class="yiyi-st" id="yiyi-385">See especially the <a class="reference internal" href="#ssl-nonblocking"><span>notes on non-blocking sockets</span></a>.</span></p><p><span class="yiyi-st" id="yiyi-386">Usually, <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> are not created directly, but using the <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a> function or the <a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.wrap_socket()</span></code></a> method.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-387"><span class="versionmodified">Changed in version 3.5: </span>The <code class="xref py py-meth docutils literal"><span class="pre">sendfile()</span></code> method was added.</span></p></div><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-388"><span class="versionmodified">Changed in version 3.5: </span>The <code class="xref py py-meth docutils literal"><span class="pre">shutdown()</span></code> does not reset the socket timeout each time bytes are received or sent. </span><span class="yiyi-st" id="yiyi-389">The socket timeout is now to maximum total duration of the shutdown.</span></p></div></dd></dl><p><span class="yiyi-st" id="yiyi-390">SSL sockets also have the following additional methods and attributes:</span></p><dl class="method"><dt id="ssl.SSLSocket.read"><span class="yiyi-st" id="yiyi-391"> <code class="descclassname">SSLSocket.</code><code class="descname">read</code><span class="sig-paren">(</span><em>len=1024</em>, <em>buffer=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-392">Read up to <em>len</em> bytes of data from the SSL socket and return the result as a <code class="docutils literal"><span class="pre">bytes</span></code> instance. </span><span class="yiyi-st" id="yiyi-393">If <em>buffer</em> is specified, then read into the buffer instead, and return the number of bytes read.</span></p><p><span class="yiyi-st" id="yiyi-394">Raise <a class="reference internal" href="#ssl.SSLWantReadError" title="ssl.SSLWantReadError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantReadError</span></code></a> or <a class="reference internal" href="#ssl.SSLWantWriteError" title="ssl.SSLWantWriteError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantWriteError</span></code></a> if the socket is <a class="reference internal" href="#ssl-nonblocking"><span>non-blocking</span></a> and the read would block.</span></p><p><span class="yiyi-st" id="yiyi-395">As at any time a re-negotiation is possible, a call to <a class="reference internal" href="#ssl.SSLSocket.read" title="ssl.SSLSocket.read"><code class="xref py py-meth docutils literal"><span class="pre">read()</span></code></a> can also cause write operations.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-396"><span class="versionmodified">Changed in version 3.5: </span>The socket timeout is no more reset each time bytes are received or sent. </span><span class="yiyi-st" id="yiyi-397">The socket timeout is now to maximum total duration to read up to <em>len</em> bytes.</span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.write"><span class="yiyi-st" id="yiyi-398"> <code class="descclassname">SSLSocket.</code><code class="descname">write</code><span class="sig-paren">(</span><em>buf</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-399">Write <em>buf</em> to the SSL socket and return the number of bytes written. </span><span class="yiyi-st" id="yiyi-400">The <em>buf</em> argument must be an object supporting the buffer interface.</span></p><p><span class="yiyi-st" id="yiyi-401">Raise <a class="reference internal" href="#ssl.SSLWantReadError" title="ssl.SSLWantReadError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantReadError</span></code></a> or <a class="reference internal" href="#ssl.SSLWantWriteError" title="ssl.SSLWantWriteError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantWriteError</span></code></a> if the socket is <a class="reference internal" href="#ssl-nonblocking"><span>non-blocking</span></a> and the write would block.</span></p><p><span class="yiyi-st" id="yiyi-402">As at any time a re-negotiation is possible, a call to <a class="reference internal" href="#ssl.SSLSocket.write" title="ssl.SSLSocket.write"><code class="xref py py-meth docutils literal"><span class="pre">write()</span></code></a> can also cause read operations.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-403"><span class="versionmodified">Changed in version 3.5: </span>The socket timeout is no more reset each time bytes are received or sent. </span><span class="yiyi-st" id="yiyi-404">The socket timeout is now to maximum total duration to write <em>buf</em>.</span></p></div></dd></dl><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-405">Note</span></p><p><span class="yiyi-st" id="yiyi-406">The <a class="reference internal" href="#ssl.SSLSocket.read" title="ssl.SSLSocket.read"><code class="xref py py-meth docutils literal"><span class="pre">read()</span></code></a> and <a class="reference internal" href="#ssl.SSLSocket.write" title="ssl.SSLSocket.write"><code class="xref py py-meth docutils literal"><span class="pre">write()</span></code></a> methods are the low-level methods that read and write unencrypted, application-level data and decrypt/encrypt it to encrypted, wire-level data. </span><span class="yiyi-st" id="yiyi-407">These methods require an active SSL connection, i.e. </span><span class="yiyi-st" id="yiyi-408">the handshake was completed and <a class="reference internal" href="#ssl.SSLSocket.unwrap" title="ssl.SSLSocket.unwrap"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.unwrap()</span></code></a> was not called.</span></p><p class="last"><span class="yiyi-st" id="yiyi-409">Normally you should use the socket API methods like <a class="reference internal" href="socket.html#socket.socket.recv" title="socket.socket.recv"><code class="xref py py-meth docutils literal"><span class="pre">recv()</span></code></a> and <a class="reference internal" href="socket.html#socket.socket.send" title="socket.socket.send"><code class="xref py py-meth docutils literal"><span class="pre">send()</span></code></a> instead of these methods.</span></p></div><dl class="method"><dt id="ssl.SSLSocket.do_handshake"><span class="yiyi-st" id="yiyi-410"> <code class="descclassname">SSLSocket.</code><code class="descname">do_handshake</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-411">Perform the SSL setup handshake.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-412"><span class="versionmodified">Changed in version 3.4: </span>The handshake method also performs <a class="reference internal" href="#ssl.match_hostname" title="ssl.match_hostname"><code class="xref py py-func docutils literal"><span class="pre">match_hostname()</span></code></a> when the <a class="reference internal" href="#ssl.SSLContext.check_hostname" title="ssl.SSLContext.check_hostname"><code class="xref py py-attr docutils literal"><span class="pre">check_hostname</span></code></a> attribute of the sockets <a class="reference internal" href="#ssl.SSLSocket.context" title="ssl.SSLSocket.context"><code class="xref py py-attr docutils literal"><span class="pre">context</span></code></a> is true.</span></p></div><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-413"><span class="versionmodified">Changed in version 3.5: </span>The socket timeout is no more reset each time bytes are received or sent. </span><span class="yiyi-st" id="yiyi-414">The socket timeout is now to maximum total duration of the handshake.</span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.getpeercert"><span class="yiyi-st" id="yiyi-415"> <code class="descclassname">SSLSocket.</code><code class="descname">getpeercert</code><span class="sig-paren">(</span><em>binary_form=False</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-416">If there is no certificate for the peer on the other end of the connection, return <code class="docutils literal"><span class="pre">None</span></code>. </span><span class="yiyi-st" id="yiyi-417">If the SSL handshake hasnt been done yet, raise <a class="reference internal" href="exceptions.html#ValueError" title="ValueError"><code class="xref py py-exc docutils literal"><span class="pre">ValueError</span></code></a>.</span></p><p><span class="yiyi-st" id="yiyi-418">If the <code class="docutils literal"><span class="pre">binary_form</span></code> parameter is <a class="reference internal" href="constants.html#False" title="False"><code class="xref py py-const docutils literal"><span class="pre">False</span></code></a>, and a certificate was received from the peer, this method returns a <a class="reference internal" href="stdtypes.html#dict" title="dict"><code class="xref py py-class docutils literal"><span class="pre">dict</span></code></a> instance. </span><span class="yiyi-st" id="yiyi-419">If the certificate was not validated, the dict is empty. </span><span class="yiyi-st" id="yiyi-420">If the certificate was validated, it returns a dict with several keys, amongst them <code class="docutils literal"><span class="pre">subject</span></code> (the principal for which the certificate was issued) and <code class="docutils literal"><span class="pre">issuer</span></code> (the principal issuing the certificate). </span><span class="yiyi-st" id="yiyi-421">If a certificate contains an instance of the <em>Subject Alternative Name</em> extension (see <span class="target" id="index-10"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3280.html"><strong>RFC 3280</strong></a>), there will also be a <code class="docutils literal"><span class="pre">subjectAltName</span></code> key in the dictionary.</span></p><p><span class="yiyi-st" id="yiyi-422">The <code class="docutils literal"><span class="pre">subject</span></code> and <code class="docutils literal"><span class="pre">issuer</span></code> fields are tuples containing the sequence of relative distinguished names (RDNs) given in the certificates data structure for the respective fields, and each RDN is a sequence of name-value pairs. </span><span class="yiyi-st" id="yiyi-423">Here is a real-world example:</span></p><pre><code class="language-python"><span></span><span class="p">{</span><span class="s1">'issuer'</span><span class="p">:</span> <span class="p">(((</span><span class="s1">'countryName'</span><span class="p">,</span> <span class="s1">'IL'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'organizationName'</span><span class="p">,</span> <span class="s1">'StartCom Ltd.'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'organizationalUnitName'</span><span class="p">,</span>
<span class="s1">'Secure Digital Certificate Signing'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'commonName'</span><span class="p">,</span>
<span class="s1">'StartCom Class 2 Primary Intermediate Server CA'</span><span class="p">),)),</span>
<span class="s1">'notAfter'</span><span class="p">:</span> <span class="s1">'Nov 22 08:15:19 2013 GMT'</span><span class="p">,</span>
<span class="s1">'notBefore'</span><span class="p">:</span> <span class="s1">'Nov 21 03:09:52 2011 GMT'</span><span class="p">,</span>
<span class="s1">'serialNumber'</span><span class="p">:</span> <span class="s1">'95F0'</span><span class="p">,</span>
<span class="s1">'subject'</span><span class="p">:</span> <span class="p">(((</span><span class="s1">'description'</span><span class="p">,</span> <span class="s1">'571208-SLe257oHY9fVQ07Z'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'countryName'</span><span class="p">,</span> <span class="s1">'US'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'stateOrProvinceName'</span><span class="p">,</span> <span class="s1">'California'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'localityName'</span><span class="p">,</span> <span class="s1">'San Francisco'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'organizationName'</span><span class="p">,</span> <span class="s1">'Electronic Frontier Foundation, Inc.'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'commonName'</span><span class="p">,</span> <span class="s1">'*.eff.org'</span><span class="p">),),</span>
<span class="p">((</span><span class="s1">'emailAddress'</span><span class="p">,</span> <span class="s1">'hostmaster@eff.org'</span><span class="p">),)),</span>
<span class="s1">'subjectAltName'</span><span class="p">:</span> <span class="p">((</span><span class="s1">'DNS'</span><span class="p">,</span> <span class="s1">'*.eff.org'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'DNS'</span><span class="p">,</span> <span class="s1">'eff.org'</span><span class="p">)),</span>
<span class="s1">'version'</span><span class="p">:</span> <span class="mi">3</span><span class="p">}</span>
</code></pre><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-424">Note</span></p><p class="last"><span class="yiyi-st" id="yiyi-425">To validate a certificate for a particular service, you can use the <a class="reference internal" href="#ssl.match_hostname" title="ssl.match_hostname"><code class="xref py py-func docutils literal"><span class="pre">match_hostname()</span></code></a> function.</span></p></div><p><span class="yiyi-st" id="yiyi-426">If the <code class="docutils literal"><span class="pre">binary_form</span></code> parameter is <a class="reference internal" href="constants.html#True" title="True"><code class="xref py py-const docutils literal"><span class="pre">True</span></code></a>, and a certificate was provided, this method returns the DER-encoded form of the entire certificate as a sequence of bytes, or <a class="reference internal" href="constants.html#None" title="None"><code class="xref py py-const docutils literal"><span class="pre">None</span></code></a> if the peer did not provide a certificate. </span><span class="yiyi-st" id="yiyi-427">Whether the peer provides a certificate depends on the SSL sockets role:</span></p><ul class="simple"><li><span class="yiyi-st" id="yiyi-428">for a client SSL socket, the server will always provide a certificate, regardless of whether validation was required;</span></li><li><span class="yiyi-st" id="yiyi-429">for a server SSL socket, the client will only provide a certificate when requested by the server; therefore <a class="reference internal" href="#ssl.SSLSocket.getpeercert" title="ssl.SSLSocket.getpeercert"><code class="xref py py-meth docutils literal"><span class="pre">getpeercert()</span></code></a> will return <a class="reference internal" href="constants.html#None" title="None"><code class="xref py py-const docutils literal"><span class="pre">None</span></code></a> if you used <a class="reference internal" href="#ssl.CERT_NONE" title="ssl.CERT_NONE"><code class="xref py py-const docutils literal"><span class="pre">CERT_NONE</span></code></a> (rather than <a class="reference internal" href="#ssl.CERT_OPTIONAL" title="ssl.CERT_OPTIONAL"><code class="xref py py-const docutils literal"><span class="pre">CERT_OPTIONAL</span></code></a> or <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-const docutils literal"><span class="pre">CERT_REQUIRED</span></code></a>).</span></li></ul><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-430"><span class="versionmodified">Changed in version 3.2: </span>The returned dictionary includes additional items such as <code class="docutils literal"><span class="pre">issuer</span></code> and <code class="docutils literal"><span class="pre">notBefore</span></code>.</span></p></div><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-431"><span class="versionmodified">Changed in version 3.4: </span><a class="reference internal" href="exceptions.html#ValueError" title="ValueError"><code class="xref py py-exc docutils literal"><span class="pre">ValueError</span></code></a> is raised when the handshake isnt done. </span><span class="yiyi-st" id="yiyi-432">The returned dictionary includes additional X509v3 extension items such as <code class="docutils literal"><span class="pre">crlDistributionPoints</span></code>, <code class="docutils literal"><span class="pre">caIssuers</span></code> and <code class="docutils literal"><span class="pre">OCSP</span></code> URIs.</span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.cipher"><span class="yiyi-st" id="yiyi-433"> <code class="descclassname">SSLSocket.</code><code class="descname">cipher</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-434">Returns a three-value tuple containing the name of the cipher being used, the version of the SSL protocol that defines its use, and the number of secret bits being used. </span><span class="yiyi-st" id="yiyi-435">If no connection has been established, returns <code class="docutils literal"><span class="pre">None</span></code>.</span></p></dd></dl><dl class="method"><dt id="ssl.SSLSocket.shared_ciphers"><span class="yiyi-st" id="yiyi-436"> <code class="descclassname">SSLSocket.</code><code class="descname">shared_ciphers</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-437">Return the list of ciphers shared by the client during the handshake. </span><span class="yiyi-st" id="yiyi-438">Each entry of the returned list is a three-value tuple containing the name of the cipher, the version of the SSL protocol that defines its use, and the number of secret bits the cipher uses. </span><span class="yiyi-st" id="yiyi-439"><a class="reference internal" href="#ssl.SSLSocket.shared_ciphers" title="ssl.SSLSocket.shared_ciphers"><code class="xref py py-meth docutils literal"><span class="pre">shared_ciphers()</span></code></a> returns <code class="docutils literal"><span class="pre">None</span></code> if no connection has been established or the socket is a client socket.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-440"><span class="versionmodified">New in version 3.5.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.compression"><span class="yiyi-st" id="yiyi-441"> <code class="descclassname">SSLSocket.</code><code class="descname">compression</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-442">Return the compression algorithm being used as a string, or <code class="docutils literal"><span class="pre">None</span></code> if the connection isnt compressed.</span></p><p><span class="yiyi-st" id="yiyi-443">If the higher-level protocol supports its own compression mechanism, you can use <a class="reference internal" href="#ssl.OP_NO_COMPRESSION" title="ssl.OP_NO_COMPRESSION"><code class="xref py py-data docutils literal"><span class="pre">OP_NO_COMPRESSION</span></code></a> to disable SSL-level compression.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-444"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.get_channel_binding"><span class="yiyi-st" id="yiyi-445"> <code class="descclassname">SSLSocket.</code><code class="descname">get_channel_binding</code><span class="sig-paren">(</span><em>cb_type="tls-unique"</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-446">Get channel binding data for current connection, as a bytes object. </span><span class="yiyi-st" id="yiyi-447">Returns <code class="docutils literal"><span class="pre">None</span></code> if not connected or the handshake has not been completed.</span></p><p><span class="yiyi-st" id="yiyi-448">The <em>cb_type</em> parameter allow selection of the desired channel binding type. </span><span class="yiyi-st" id="yiyi-449">Valid channel binding types are listed in the <a class="reference internal" href="#ssl.CHANNEL_BINDING_TYPES" title="ssl.CHANNEL_BINDING_TYPES"><code class="xref py py-data docutils literal"><span class="pre">CHANNEL_BINDING_TYPES</span></code></a> list. </span><span class="yiyi-st" id="yiyi-450">Currently only the tls-unique channel binding, defined by <span class="target" id="index-11"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5929.html"><strong>RFC 5929</strong></a>, is supported. </span><span class="yiyi-st" id="yiyi-451"><a class="reference internal" href="exceptions.html#ValueError" title="ValueError"><code class="xref py py-exc docutils literal"><span class="pre">ValueError</span></code></a> will be raised if an unsupported channel binding type is requested.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-452"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.selected_alpn_protocol"><span class="yiyi-st" id="yiyi-453"> <code class="descclassname">SSLSocket.</code><code class="descname">selected_alpn_protocol</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-454">Return the protocol that was selected during the TLS handshake. </span><span class="yiyi-st" id="yiyi-455">If <a class="reference internal" href="#ssl.SSLContext.set_alpn_protocols" title="ssl.SSLContext.set_alpn_protocols"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_alpn_protocols()</span></code></a> was not called, if the other party does not support ALPN, if this socket does not support any of the clients proposed protocols, or if the handshake has not happened yet, <code class="docutils literal"><span class="pre">None</span></code> is returned.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-456"><span class="versionmodified">New in version 3.5.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.selected_npn_protocol"><span class="yiyi-st" id="yiyi-457"> <code class="descclassname">SSLSocket.</code><code class="descname">selected_npn_protocol</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-458">Return the higher-level protocol that was selected during the TLS/SSL handshake. </span><span class="yiyi-st" id="yiyi-459">If <a class="reference internal" href="#ssl.SSLContext.set_npn_protocols" title="ssl.SSLContext.set_npn_protocols"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_npn_protocols()</span></code></a> was not called, or if the other party does not support NPN, or if the handshake has not yet happened, this will return <code class="docutils literal"><span class="pre">None</span></code>.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-460"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.unwrap"><span class="yiyi-st" id="yiyi-461"> <code class="descclassname">SSLSocket.</code><code class="descname">unwrap</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-462">Performs the SSL shutdown handshake, which removes the TLS layer from the underlying socket, and returns the underlying socket object. </span><span class="yiyi-st" id="yiyi-463">This can be used to go from encrypted operation over a connection to unencrypted. </span><span class="yiyi-st" id="yiyi-464">The returned socket should always be used for further communication with the other side of the connection, rather than the original socket.</span></p></dd></dl><dl class="method"><dt id="ssl.SSLSocket.version"><span class="yiyi-st" id="yiyi-465"> <code class="descclassname">SSLSocket.</code><code class="descname">version</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-466">Return the actual SSL protocol version negotiated by the connection as a string, or <code class="docutils literal"><span class="pre">None</span></code> is no secure connection is established. </span><span class="yiyi-st" id="yiyi-467">As of this writing, possible return values include <code class="docutils literal"><span class="pre">"SSLv2"</span></code>, <code class="docutils literal"><span class="pre">"SSLv3"</span></code>, <code class="docutils literal"><span class="pre">"TLSv1"</span></code>, <code class="docutils literal"><span class="pre">"TLSv1.1"</span></code> and <code class="docutils literal"><span class="pre">"TLSv1.2"</span></code>. </span><span class="yiyi-st" id="yiyi-468">Recent OpenSSL versions may define more return values.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-469"><span class="versionmodified">New in version 3.5.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLSocket.pending"><span class="yiyi-st" id="yiyi-470"> <code class="descclassname">SSLSocket.</code><code class="descname">pending</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-471">Returns the number of already decrypted bytes available for read, pending on the connection.</span></p></dd></dl><dl class="attribute"><dt id="ssl.SSLSocket.context"><span class="yiyi-st" id="yiyi-472"> <code class="descclassname">SSLSocket.</code><code class="descname">context</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-473">The <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> object this SSL socket is tied to. </span><span class="yiyi-st" id="yiyi-474">If the SSL socket was created using the top-level <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a> function (rather than <a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.wrap_socket()</span></code></a>), this is a custom context object created for this SSL socket.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-475"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="attribute"><dt id="ssl.SSLSocket.server_side"><span class="yiyi-st" id="yiyi-476"> <code class="descclassname">SSLSocket.</code><code class="descname">server_side</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-477">A boolean which is <code class="docutils literal"><span class="pre">True</span></code> for server-side sockets and <code class="docutils literal"><span class="pre">False</span></code> for client-side sockets.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-478"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl><dl class="attribute"><dt id="ssl.SSLSocket.server_hostname"><span class="yiyi-st" id="yiyi-479"> <code class="descclassname">SSLSocket.</code><code class="descname">server_hostname</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-480">Hostname of the server: <a class="reference internal" href="stdtypes.html#str" title="str"><code class="xref py py-class docutils literal"><span class="pre">str</span></code></a> type, or <code class="docutils literal"><span class="pre">None</span></code> for server-side socket or if the hostname was not specified in the constructor.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-481"><span class="versionmodified">New in version 3.2.</span></span></p></div></dd></dl></div><div class="section" id="ssl-contexts"><h2><span class="yiyi-st" id="yiyi-482">18.2.3. </span><span class="yiyi-st" id="yiyi-483">SSL Contexts</span></h2><div class="versionadded"><p><span class="yiyi-st" id="yiyi-484"><span class="versionmodified">New in version 3.2.</span></span></p></div><p><span class="yiyi-st" id="yiyi-485">An SSL context holds various data longer-lived than single SSL connections, such as SSL configuration options, certificate(s) and private key(s). </span><span class="yiyi-st" id="yiyi-486">It also manages a cache of SSL sessions for server-side sockets, in order to speed up repeated connections from the same clients.</span></p><dl class="class"><dt id="ssl.SSLContext"><span class="yiyi-st" id="yiyi-487"> <em class="property">class </em><code class="descclassname">ssl.</code><code class="descname">SSLContext</code><span class="sig-paren">(</span><em>protocol</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-488">Create a new SSL context. </span><span class="yiyi-st" id="yiyi-489">You must pass <em>protocol</em> which must be one of the <code class="docutils literal"><span class="pre">PROTOCOL_*</span></code> constants defined in this module. </span><span class="yiyi-st" id="yiyi-490"><a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-data docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a> is currently recommended for maximum interoperability.</span></p><div class="admonition seealso"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-491">See also</span></p><p class="last"><span class="yiyi-st" id="yiyi-492"><a class="reference internal" href="#ssl.create_default_context" title="ssl.create_default_context"><code class="xref py py-func docutils literal"><span class="pre">create_default_context()</span></code></a> lets the <a class="reference internal" href="#module-ssl" title="ssl: TLS/SSL wrapper for socket objects"><code class="xref py py-mod docutils literal"><span class="pre">ssl</span></code></a> module choose security settings for a given purpose.</span></p></div></dd></dl><p><span class="yiyi-st" id="yiyi-493"><a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> objects have the following methods and attributes:</span></p><dl class="method"><dt id="ssl.SSLContext.cert_store_stats"><span class="yiyi-st" id="yiyi-494"> <code class="descclassname">SSLContext.</code><code class="descname">cert_store_stats</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-495">Get statistics about quantities of loaded X.509 certificates, count of X.509 certificates flagged as CA certificates and certificate revocation lists as dictionary.</span></p><p><span class="yiyi-st" id="yiyi-496">Example for a context with one CA cert and one other cert:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">context</span><span class="o">.</span><span class="n">cert_store_stats</span><span class="p">()</span>
<span class="go">{'crl': 0, 'x509_ca': 1, 'x509': 2}</span>
</code></pre><div class="versionadded"><p><span class="yiyi-st" id="yiyi-497"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.load_cert_chain"><span class="yiyi-st" id="yiyi-498"> <code class="descclassname">SSLContext.</code><code class="descname">load_cert_chain</code><span class="sig-paren">(</span><em>certfile</em>, <em>keyfile=None</em>, <em>password=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-499">Load a private key and the corresponding certificate. </span><span class="yiyi-st" id="yiyi-500">The <em>certfile</em> string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificates authenticity. </span><span class="yiyi-st" id="yiyi-501">The <em>keyfile</em> string, if present, must point to a file containing the private key in. </span><span class="yiyi-st" id="yiyi-502">Otherwise the private key will be taken from <em>certfile</em> as well. </span><span class="yiyi-st" id="yiyi-503">See the discussion of <a class="reference internal" href="#ssl-certificates"><span>Certificates</span></a> for more information on how the certificate is stored in the <em>certfile</em>.</span></p><p><span class="yiyi-st" id="yiyi-504">The <em>password</em> argument may be a function to call to get the password for decrypting the private key. </span><span class="yiyi-st" id="yiyi-505">It will only be called if the private key is encrypted and a password is necessary. </span><span class="yiyi-st" id="yiyi-506">It will be called with no arguments, and it should return a string, bytes, or bytearray. </span><span class="yiyi-st" id="yiyi-507">If the return value is a string it will be encoded as UTF-8 before using it to decrypt the key. </span><span class="yiyi-st" id="yiyi-508">Alternatively a string, bytes, or bytearray value may be supplied directly as the <em>password</em> argument. </span><span class="yiyi-st" id="yiyi-509">It will be ignored if the private key is not encrypted and no password is needed.</span></p><p><span class="yiyi-st" id="yiyi-510">If the <em>password</em> argument is not specified and a password is required, OpenSSLs built-in password prompting mechanism will be used to interactively prompt the user for a password.</span></p><p><span class="yiyi-st" id="yiyi-511">An <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-class docutils literal"><span class="pre">SSLError</span></code></a> is raised if the private key doesnt match with the certificate.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-512"><span class="versionmodified">Changed in version 3.3: </span>New optional argument <em>password</em>.</span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.load_default_certs"><span class="yiyi-st" id="yiyi-513"> <code class="descclassname">SSLContext.</code><code class="descname">load_default_certs</code><span class="sig-paren">(</span><em>purpose=Purpose.SERVER_AUTH</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-514">Load a set of default “certification authority” (CA) certificates from default locations. </span><span class="yiyi-st" id="yiyi-515">On Windows it loads CA certs from the <code class="docutils literal"><span class="pre">CA</span></code> and <code class="docutils literal"><span class="pre">ROOT</span></code> system stores. </span><span class="yiyi-st" id="yiyi-516">On other systems it calls <a class="reference internal" href="#ssl.SSLContext.set_default_verify_paths" title="ssl.SSLContext.set_default_verify_paths"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_default_verify_paths()</span></code></a>. </span><span class="yiyi-st" id="yiyi-517">In the future the method may load CA certificates from other locations, too.</span></p><p><span class="yiyi-st" id="yiyi-518">The <em>purpose</em> flag specifies what kind of CA certificates are loaded. </span><span class="yiyi-st" id="yiyi-519">The default settings <a class="reference internal" href="#ssl.Purpose.SERVER_AUTH" title="ssl.Purpose.SERVER_AUTH"><code class="xref py py-data docutils literal"><span class="pre">Purpose.SERVER_AUTH</span></code></a> loads certificates, that are flagged and trusted for TLS web server authentication (client side sockets). </span><span class="yiyi-st" id="yiyi-520"><a class="reference internal" href="#ssl.Purpose.CLIENT_AUTH" title="ssl.Purpose.CLIENT_AUTH"><code class="xref py py-data docutils literal"><span class="pre">Purpose.CLIENT_AUTH</span></code></a> loads CA certificates for client certificate verification on the server side.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-521"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.load_verify_locations"><span class="yiyi-st" id="yiyi-522"> <code class="descclassname">SSLContext.</code><code class="descname">load_verify_locations</code><span class="sig-paren">(</span><em>cafile=None</em>, <em>capath=None</em>, <em>cadata=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-523">Load a set of “certification authority” (CA) certificates used to validate other peers certificates when <a class="reference internal" href="#ssl.SSLContext.verify_mode" title="ssl.SSLContext.verify_mode"><code class="xref py py-data docutils literal"><span class="pre">verify_mode</span></code></a> is other than <a class="reference internal" href="#ssl.CERT_NONE" title="ssl.CERT_NONE"><code class="xref py py-data docutils literal"><span class="pre">CERT_NONE</span></code></a>. </span><span class="yiyi-st" id="yiyi-524">At least one of <em>cafile</em> or <em>capath</em> must be specified.</span></p><p><span class="yiyi-st" id="yiyi-525">This method can also load certification revocation lists (CRLs) in PEM or DER format. </span><span class="yiyi-st" id="yiyi-526">In order to make use of CRLs, <a class="reference internal" href="#ssl.SSLContext.verify_flags" title="ssl.SSLContext.verify_flags"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.verify_flags</span></code></a> must be configured properly.</span></p><p><span class="yiyi-st" id="yiyi-527">The <em>cafile</em> string, if present, is the path to a file of concatenated CA certificates in PEM format. </span><span class="yiyi-st" id="yiyi-528">See the discussion of <a class="reference internal" href="#ssl-certificates"><span>Certificates</span></a> for more information about how to arrange the certificates in this file.</span></p><p><span class="yiyi-st" id="yiyi-529">The <em>capath</em> string, if present, is the path to a directory containing several CA certificates in PEM format, following an <a class="reference external" href="https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html">OpenSSL specific layout</a>.</span></p><p><span class="yiyi-st" id="yiyi-530">The <em>cadata</em> object, if present, is either an ASCII string of one or more PEM-encoded certificates or a <a class="reference internal" href="../glossary.html#term-bytes-like-object"><span class="xref std std-term">bytes-like object</span></a> of DER-encoded certificates. </span><span class="yiyi-st" id="yiyi-531">Like with <em>capath</em> extra lines around PEM-encoded certificates are ignored but at least one certificate must be present.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-532"><span class="versionmodified">Changed in version 3.4: </span>New optional argument <em>cadata</em></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.get_ca_certs"><span class="yiyi-st" id="yiyi-533"> <code class="descclassname">SSLContext.</code><code class="descname">get_ca_certs</code><span class="sig-paren">(</span><em>binary_form=False</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-534">Get a list of loaded “certification authority” (CA) certificates. </span><span class="yiyi-st" id="yiyi-535">If the <code class="docutils literal"><span class="pre">binary_form</span></code> parameter is <a class="reference internal" href="constants.html#False" title="False"><code class="xref py py-const docutils literal"><span class="pre">False</span></code></a> each list entry is a dict like the output of <a class="reference internal" href="#ssl.SSLSocket.getpeercert" title="ssl.SSLSocket.getpeercert"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.getpeercert()</span></code></a>. </span><span class="yiyi-st" id="yiyi-536">Otherwise the method returns a list of DER-encoded certificates. </span><span class="yiyi-st" id="yiyi-537">The returned list does not contain certificates from <em>capath</em> unless a certificate was requested and loaded by a SSL connection.</span></p><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-538">Note</span></p><p class="last"><span class="yiyi-st" id="yiyi-539">Certificates in a capath directory arent loaded unless they have been used at least once.</span></p></div><div class="versionadded"><p><span class="yiyi-st" id="yiyi-540"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.set_default_verify_paths"><span class="yiyi-st" id="yiyi-541"> <code class="descclassname">SSLContext.</code><code class="descname">set_default_verify_paths</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-542">Load a set of default “certification authority” (CA) certificates from a filesystem path defined when building the OpenSSL library. </span><span class="yiyi-st" id="yiyi-543">Unfortunately, theres no easy way to know whether this method succeeds: no error is returned if no certificates are to be found. </span><span class="yiyi-st" id="yiyi-544">When the OpenSSL library is provided as part of the operating system, though, it is likely to be configured properly.</span></p></dd></dl><dl class="method"><dt id="ssl.SSLContext.set_ciphers"><span class="yiyi-st" id="yiyi-545"> <code class="descclassname">SSLContext.</code><code class="descname">set_ciphers</code><span class="sig-paren">(</span><em>ciphers</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-546">Set the available ciphers for sockets created with this context. </span><span class="yiyi-st" id="yiyi-547">It should be a string in the <a class="reference external" href="https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT">OpenSSL cipher list format</a>. </span><span class="yiyi-st" id="yiyi-548">If no cipher can be selected (because compile-time options or other configuration forbids use of all the specified ciphers), an <a class="reference internal" href="#ssl.SSLError" title="ssl.SSLError"><code class="xref py py-class docutils literal"><span class="pre">SSLError</span></code></a> will be raised.</span></p><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-549">Note</span></p><p class="last"><span class="yiyi-st" id="yiyi-550">when connected, the <a class="reference internal" href="#ssl.SSLSocket.cipher" title="ssl.SSLSocket.cipher"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.cipher()</span></code></a> method of SSL sockets will give the currently selected cipher.</span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.set_alpn_protocols"><span class="yiyi-st" id="yiyi-551"> <code class="descclassname">SSLContext.</code><code class="descname">set_alpn_protocols</code><span class="sig-paren">(</span><em>protocols</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-552">Specify which protocols the socket should advertise during the SSL/TLS handshake. </span><span class="yiyi-st" id="yiyi-553">It should be a list of ASCII strings, like <code class="docutils literal"><span class="pre">['http/1.1',</span> <span class="pre">'spdy/2']</span></code>, ordered by preference. </span><span class="yiyi-st" id="yiyi-554">The selection of a protocol will happen during the handshake, and will play out according to <span class="target" id="index-12"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7301.html"><strong>RFC 7301</strong></a>. </span><span class="yiyi-st" id="yiyi-555">After a successful handshake, the <a class="reference internal" href="#ssl.SSLSocket.selected_alpn_protocol" title="ssl.SSLSocket.selected_alpn_protocol"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.selected_alpn_protocol()</span></code></a> method will return the agreed-upon protocol.</span></p><p><span class="yiyi-st" id="yiyi-556">This method will raise <a class="reference internal" href="exceptions.html#NotImplementedError" title="NotImplementedError"><code class="xref py py-exc docutils literal"><span class="pre">NotImplementedError</span></code></a> if <a class="reference internal" href="#ssl.HAS_ALPN" title="ssl.HAS_ALPN"><code class="xref py py-data docutils literal"><span class="pre">HAS_ALPN</span></code></a> is False.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-557"><span class="versionmodified">New in version 3.5.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.set_npn_protocols"><span class="yiyi-st" id="yiyi-558"> <code class="descclassname">SSLContext.</code><code class="descname">set_npn_protocols</code><span class="sig-paren">(</span><em>protocols</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-559">Specify which protocols the socket should advertise during the SSL/TLS handshake. </span><span class="yiyi-st" id="yiyi-560">It should be a list of strings, like <code class="docutils literal"><span class="pre">['http/1.1',</span> <span class="pre">'spdy/2']</span></code>, ordered by preference. </span><span class="yiyi-st" id="yiyi-561">The selection of a protocol will happen during the handshake, and will play out according to the <a class="reference external" href="https://tools.ietf.org/html/draft-agl-tls-nextprotoneg">NPN draft specification</a>. </span><span class="yiyi-st" id="yiyi-562">After a successful handshake, the <a class="reference internal" href="#ssl.SSLSocket.selected_npn_protocol" title="ssl.SSLSocket.selected_npn_protocol"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.selected_npn_protocol()</span></code></a> method will return the agreed-upon protocol.</span></p><p><span class="yiyi-st" id="yiyi-563">This method will raise <a class="reference internal" href="exceptions.html#NotImplementedError" title="NotImplementedError"><code class="xref py py-exc docutils literal"><span class="pre">NotImplementedError</span></code></a> if <a class="reference internal" href="#ssl.HAS_NPN" title="ssl.HAS_NPN"><code class="xref py py-data docutils literal"><span class="pre">HAS_NPN</span></code></a> is False.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-564"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.set_servername_callback"><span class="yiyi-st" id="yiyi-565"> <code class="descclassname">SSLContext.</code><code class="descname">set_servername_callback</code><span class="sig-paren">(</span><em>server_name_callback</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-566">Register a callback function that will be called after the TLS Client Hello handshake message has been received by the SSL/TLS server when the TLS client specifies a server name indication. </span><span class="yiyi-st" id="yiyi-567">The server name indication mechanism is specified in <span class="target" id="index-13"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6066.html"><strong>RFC 6066</strong></a> section 3 - Server Name Indication.</span></p><p><span class="yiyi-st" id="yiyi-568">Only one callback can be set per <code class="docutils literal"><span class="pre">SSLContext</span></code>. </span><span class="yiyi-st" id="yiyi-569">If <em>server_name_callback</em> is <code class="docutils literal"><span class="pre">None</span></code> then the callback is disabled. </span><span class="yiyi-st" id="yiyi-570">Calling this function a subsequent time will disable the previously registered callback.</span></p><p><span class="yiyi-st" id="yiyi-571">The callback function, <em>server_name_callback</em>, will be called with three arguments; the first being the <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">ssl.SSLSocket</span></code></a>, the second is a string that represents the server name that the client is intending to communicate (or <a class="reference internal" href="constants.html#None" title="None"><code class="xref py py-const docutils literal"><span class="pre">None</span></code></a> if the TLS Client Hello does not contain a server name) and the third argument is the original <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a>. </span><span class="yiyi-st" id="yiyi-572">The server name argument is the IDNA decoded server name.</span></p><p><span class="yiyi-st" id="yiyi-573">A typical use of this callback is to change the <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">ssl.SSLSocket</span></code></a>s <a class="reference internal" href="#ssl.SSLSocket.context" title="ssl.SSLSocket.context"><code class="xref py py-attr docutils literal"><span class="pre">SSLSocket.context</span></code></a> attribute to a new object of type <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> representing a certificate chain that matches the server name.</span></p><p><span class="yiyi-st" id="yiyi-574">Due to the early negotiation phase of the TLS connection, only limited methods and attributes are usable like <a class="reference internal" href="#ssl.SSLSocket.selected_alpn_protocol" title="ssl.SSLSocket.selected_alpn_protocol"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.selected_alpn_protocol()</span></code></a> and <a class="reference internal" href="#ssl.SSLSocket.context" title="ssl.SSLSocket.context"><code class="xref py py-attr docutils literal"><span class="pre">SSLSocket.context</span></code></a>. </span><span class="yiyi-st" id="yiyi-575"><a class="reference internal" href="#ssl.SSLSocket.getpeercert" title="ssl.SSLSocket.getpeercert"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.getpeercert()</span></code></a>, <a class="reference internal" href="#ssl.SSLSocket.getpeercert" title="ssl.SSLSocket.getpeercert"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.getpeercert()</span></code></a>, <a class="reference internal" href="#ssl.SSLSocket.cipher" title="ssl.SSLSocket.cipher"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.cipher()</span></code></a> and <code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.compress()</span></code> methods require that the TLS connection has progressed beyond the TLS Client Hello and therefore will not contain return meaningful values nor can they be called safely.</span></p><p><span class="yiyi-st" id="yiyi-576">The <em>server_name_callback</em> function must return <code class="docutils literal"><span class="pre">None</span></code> to allow the TLS negotiation to continue. </span><span class="yiyi-st" id="yiyi-577">If a TLS failure is required, a constant <a class="reference internal" href="#ssl.ALERT_DESCRIPTION_INTERNAL_ERROR" title="ssl.ALERT_DESCRIPTION_INTERNAL_ERROR"><code class="xref py py-const docutils literal"><span class="pre">ALERT_DESCRIPTION_*</span></code></a> can be returned. </span><span class="yiyi-st" id="yiyi-578">Other return values will result in a TLS fatal error with <a class="reference internal" href="#ssl.ALERT_DESCRIPTION_INTERNAL_ERROR" title="ssl.ALERT_DESCRIPTION_INTERNAL_ERROR"><code class="xref py py-const docutils literal"><span class="pre">ALERT_DESCRIPTION_INTERNAL_ERROR</span></code></a>.</span></p><p><span class="yiyi-st" id="yiyi-579">If there is an IDNA decoding error on the server name, the TLS connection will terminate with an <a class="reference internal" href="#ssl.ALERT_DESCRIPTION_INTERNAL_ERROR" title="ssl.ALERT_DESCRIPTION_INTERNAL_ERROR"><code class="xref py py-const docutils literal"><span class="pre">ALERT_DESCRIPTION_INTERNAL_ERROR</span></code></a> fatal TLS alert message to the client.</span></p><p><span class="yiyi-st" id="yiyi-580">If an exception is raised from the <em>server_name_callback</em> function the TLS connection will terminate with a fatal TLS alert message <a class="reference internal" href="#ssl.ALERT_DESCRIPTION_HANDSHAKE_FAILURE" title="ssl.ALERT_DESCRIPTION_HANDSHAKE_FAILURE"><code class="xref py py-const docutils literal"><span class="pre">ALERT_DESCRIPTION_HANDSHAKE_FAILURE</span></code></a>.</span></p><p><span class="yiyi-st" id="yiyi-581">This method will raise <a class="reference internal" href="exceptions.html#NotImplementedError" title="NotImplementedError"><code class="xref py py-exc docutils literal"><span class="pre">NotImplementedError</span></code></a> if the OpenSSL library had OPENSSL_NO_TLSEXT defined when it was built.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-582"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.load_dh_params"><span class="yiyi-st" id="yiyi-583"> <code class="descclassname">SSLContext.</code><code class="descname">load_dh_params</code><span class="sig-paren">(</span><em>dhfile</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-584">Load the key generation parameters for Diffie-Helman (DH) key exchange. </span><span class="yiyi-st" id="yiyi-585">Using DH key exchange improves forward secrecy at the expense of computational resources (both on the server and on the client). </span><span class="yiyi-st" id="yiyi-586">The <em>dhfile</em> parameter should be the path to a file containing DH parameters in PEM format.</span></p><p><span class="yiyi-st" id="yiyi-587">This setting doesnt apply to client sockets. </span><span class="yiyi-st" id="yiyi-588">You can also use the <a class="reference internal" href="#ssl.OP_SINGLE_DH_USE" title="ssl.OP_SINGLE_DH_USE"><code class="xref py py-data docutils literal"><span class="pre">OP_SINGLE_DH_USE</span></code></a> option to further improve security.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-589"><span class="versionmodified">New in version 3.3.</span></span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.set_ecdh_curve"><span class="yiyi-st" id="yiyi-590"> <code class="descclassname">SSLContext.</code><code class="descname">set_ecdh_curve</code><span class="sig-paren">(</span><em>curve_name</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-591">Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key exchange. </span><span class="yiyi-st" id="yiyi-592">ECDH is significantly faster than regular DH while arguably as secure. </span><span class="yiyi-st" id="yiyi-593">The <em>curve_name</em> parameter should be a string describing a well-known elliptic curve, for example <code class="docutils literal"><span class="pre">prime256v1</span></code> for a widely supported curve.</span></p><p><span class="yiyi-st" id="yiyi-594">This setting doesnt apply to client sockets. </span><span class="yiyi-st" id="yiyi-595">You can also use the <a class="reference internal" href="#ssl.OP_SINGLE_ECDH_USE" title="ssl.OP_SINGLE_ECDH_USE"><code class="xref py py-data docutils literal"><span class="pre">OP_SINGLE_ECDH_USE</span></code></a> option to further improve security.</span></p><p><span class="yiyi-st" id="yiyi-596">This method is not available if <a class="reference internal" href="#ssl.HAS_ECDH" title="ssl.HAS_ECDH"><code class="xref py py-data docutils literal"><span class="pre">HAS_ECDH</span></code></a> is False.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-597"><span class="versionmodified">New in version 3.3.</span></span></p></div><div class="admonition seealso"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-598">See also</span></p><dl class="last docutils"><dt><span class="yiyi-st" id="yiyi-599"><a class="reference external" href="http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html">SSL/TLS &amp; Perfect Forward Secrecy</a></span></dt><dd><span class="yiyi-st" id="yiyi-600">Vincent Bernat.</span></dd></dl></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.wrap_socket"><span class="yiyi-st" id="yiyi-601"> <code class="descclassname">SSLContext.</code><code class="descname">wrap_socket</code><span class="sig-paren">(</span><em>sock</em>, <em>server_side=False</em>, <em>do_handshake_on_connect=True</em>, <em>suppress_ragged_eofs=True</em>, <em>server_hostname=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-602">Wrap an existing Python socket <em>sock</em> and return an <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> object. </span><span class="yiyi-st" id="yiyi-603"><em>sock</em> must be a <a class="reference internal" href="socket.html#socket.SOCK_STREAM" title="socket.SOCK_STREAM"><code class="xref py py-data docutils literal"><span class="pre">SOCK_STREAM</span></code></a> socket; other socket types are unsupported.</span></p><p><span class="yiyi-st" id="yiyi-604">The returned SSL socket is tied to the context, its settings and certificates. </span><span class="yiyi-st" id="yiyi-605">The parameters <em>server_side</em>, <em>do_handshake_on_connect</em> and <em>suppress_ragged_eofs</em> have the same meaning as in the top-level <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a> function.</span></p><p><span class="yiyi-st" id="yiyi-606">On client connections, the optional parameter <em>server_hostname</em> specifies the hostname of the service which we are connecting to. </span><span class="yiyi-st" id="yiyi-607">This allows a single server to host multiple SSL-based services with distinct certificates, quite similarly to HTTP virtual hosts. </span><span class="yiyi-st" id="yiyi-608">Specifying <em>server_hostname</em> will raise a <a class="reference internal" href="exceptions.html#ValueError" title="ValueError"><code class="xref py py-exc docutils literal"><span class="pre">ValueError</span></code></a> if <em>server_side</em> is true.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-609"><span class="versionmodified">Changed in version 3.5: </span>Always allow a server_hostname to be passed, even if OpenSSL does not have SNI.</span></p></div></dd></dl><dl class="method"><dt id="ssl.SSLContext.wrap_bio"><span class="yiyi-st" id="yiyi-610"> <code class="descclassname">SSLContext.</code><code class="descname">wrap_bio</code><span class="sig-paren">(</span><em>incoming</em>, <em>outgoing</em>, <em>server_side=False</em>, <em>server_hostname=None</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-611">Create a new <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a> instance by wrapping the BIO objects <em>incoming</em> and <em>outgoing</em>. </span><span class="yiyi-st" id="yiyi-612">The SSL routines will read input data from the incoming BIO and write data to the outgoing BIO.</span></p><p><span class="yiyi-st" id="yiyi-613">The <em>server_side</em> and <em>server_hostname</em> parameters have the same meaning as in <a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.wrap_socket()</span></code></a>.</span></p></dd></dl><dl class="method"><dt id="ssl.SSLContext.session_stats"><span class="yiyi-st" id="yiyi-614"> <code class="descclassname">SSLContext.</code><code class="descname">session_stats</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-615">Get statistics about the SSL sessions created or managed by this context. </span><span class="yiyi-st" id="yiyi-616">A dictionary is returned which maps the names of each <a class="reference external" href="https://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html">piece of information</a> to their numeric values. </span><span class="yiyi-st" id="yiyi-617">For example, here is the total number of hits and misses in the session cache since the context was created:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">stats</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">session_stats</span><span class="p">()</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">stats</span><span class="p">[</span><span class="s1">'hits'</span><span class="p">],</span> <span class="n">stats</span><span class="p">[</span><span class="s1">'misses'</span><span class="p">]</span>
<span class="go">(0, 0)</span>
</code></pre></dd></dl><dl class="attribute"><dt id="ssl.SSLContext.check_hostname"><span class="yiyi-st" id="yiyi-618"> <code class="descclassname">SSLContext.</code><code class="descname">check_hostname</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-619">Whether to match the peer certs hostname with <a class="reference internal" href="#ssl.match_hostname" title="ssl.match_hostname"><code class="xref py py-func docutils literal"><span class="pre">match_hostname()</span></code></a> in <a class="reference internal" href="#ssl.SSLSocket.do_handshake" title="ssl.SSLSocket.do_handshake"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.do_handshake()</span></code></a>. </span><span class="yiyi-st" id="yiyi-620">The contexts <a class="reference internal" href="#ssl.SSLContext.verify_mode" title="ssl.SSLContext.verify_mode"><code class="xref py py-attr docutils literal"><span class="pre">verify_mode</span></code></a> must be set to <a class="reference internal" href="#ssl.CERT_OPTIONAL" title="ssl.CERT_OPTIONAL"><code class="xref py py-data docutils literal"><span class="pre">CERT_OPTIONAL</span></code></a> or <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-data docutils literal"><span class="pre">CERT_REQUIRED</span></code></a>, and you must pass <em>server_hostname</em> to <a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">wrap_socket()</span></code></a> in order to match the hostname.</span></p><p><span class="yiyi-st" id="yiyi-621">Example:</span></p><pre><code class="language-python"><span></span><span class="kn">import</span> <span class="nn">socket</span><span class="o">,</span> <span class="nn">ssl</span>
<span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">SSLContext</span><span class="p">(</span><span class="n">ssl</span><span class="o">.</span><span class="n">PROTOCOL_TLSv1</span><span class="p">)</span>
<span class="n">context</span><span class="o">.</span><span class="n">verify_mode</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">CERT_REQUIRED</span>
<span class="n">context</span><span class="o">.</span><span class="n">check_hostname</span> <span class="o">=</span> <span class="kc">True</span>
<span class="n">context</span><span class="o">.</span><span class="n">load_default_certs</span><span class="p">()</span>
<span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="o">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
<span class="n">ssl_sock</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">wrap_socket</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">server_hostname</span><span class="o">=</span><span class="s1">'www.verisign.com'</span><span class="p">)</span>
<span class="n">ssl_sock</span><span class="o">.</span><span class="n">connect</span><span class="p">((</span><span class="s1">'www.verisign.com'</span><span class="p">,</span> <span class="mi">443</span><span class="p">))</span>
</code></pre><div class="versionadded"><p><span class="yiyi-st" id="yiyi-622"><span class="versionmodified">New in version 3.4.</span></span></p></div><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-623">Note</span></p><p class="last"><span class="yiyi-st" id="yiyi-624">This features requires OpenSSL 0.9.8f or newer.</span></p></div></dd></dl><dl class="attribute"><dt id="ssl.SSLContext.options"><span class="yiyi-st" id="yiyi-625"> <code class="descclassname">SSLContext.</code><code class="descname">options</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-626">An integer representing the set of SSL options enabled on this context. </span><span class="yiyi-st" id="yiyi-627">The default value is <a class="reference internal" href="#ssl.OP_ALL" title="ssl.OP_ALL"><code class="xref py py-data docutils literal"><span class="pre">OP_ALL</span></code></a>, but you can specify other options such as <a class="reference internal" href="#ssl.OP_NO_SSLv2" title="ssl.OP_NO_SSLv2"><code class="xref py py-data docutils literal"><span class="pre">OP_NO_SSLv2</span></code></a> by ORing them together.</span></p><div class="admonition note"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-628">Note</span></p><p class="last"><span class="yiyi-st" id="yiyi-629">With versions of OpenSSL older than 0.9.8m, it is only possible to set options, not to clear them. </span><span class="yiyi-st" id="yiyi-630">Attempting to clear an option (by resetting the corresponding bits) will raise a <code class="docutils literal"><span class="pre">ValueError</span></code>.</span></p></div></dd></dl><dl class="attribute"><dt id="ssl.SSLContext.protocol"><span class="yiyi-st" id="yiyi-631"> <code class="descclassname">SSLContext.</code><code class="descname">protocol</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-632">The protocol version chosen when constructing the context. </span><span class="yiyi-st" id="yiyi-633">This attribute is read-only.</span></p></dd></dl><dl class="attribute"><dt id="ssl.SSLContext.verify_flags"><span class="yiyi-st" id="yiyi-634"> <code class="descclassname">SSLContext.</code><code class="descname">verify_flags</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-635">The flags for certificate verification operations. </span><span class="yiyi-st" id="yiyi-636">You can set flags like <a class="reference internal" href="#ssl.VERIFY_CRL_CHECK_LEAF" title="ssl.VERIFY_CRL_CHECK_LEAF"><code class="xref py py-data docutils literal"><span class="pre">VERIFY_CRL_CHECK_LEAF</span></code></a> by ORing them together. </span><span class="yiyi-st" id="yiyi-637">By default OpenSSL does neither require nor verify certificate revocation lists (CRLs). </span><span class="yiyi-st" id="yiyi-638">Available only with openssl version 0.9.8+.</span></p><div class="versionadded"><p><span class="yiyi-st" id="yiyi-639"><span class="versionmodified">New in version 3.4.</span></span></p></div></dd></dl><dl class="attribute"><dt id="ssl.SSLContext.verify_mode"><span class="yiyi-st" id="yiyi-640"> <code class="descclassname">SSLContext.</code><code class="descname">verify_mode</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-641">Whether to try to verify other peers certificates and how to behave if verification fails. </span><span class="yiyi-st" id="yiyi-642">This attribute must be one of <a class="reference internal" href="#ssl.CERT_NONE" title="ssl.CERT_NONE"><code class="xref py py-data docutils literal"><span class="pre">CERT_NONE</span></code></a>, <a class="reference internal" href="#ssl.CERT_OPTIONAL" title="ssl.CERT_OPTIONAL"><code class="xref py py-data docutils literal"><span class="pre">CERT_OPTIONAL</span></code></a> or <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-data docutils literal"><span class="pre">CERT_REQUIRED</span></code></a>.</span></p></dd></dl></div><div class="section" id="certificates"><h2><span class="yiyi-st" id="yiyi-643">18.2.4. </span><span class="yiyi-st" id="yiyi-644">Certificates</span></h2><p><span class="yiyi-st" id="yiyi-645">Certificates in general are part of a public-key / private-key system. </span><span class="yiyi-st" id="yiyi-646">In this system, each <em>principal</em>, (which may be a machine, or a person, or an organization) is assigned a unique two-part encryption key. </span><span class="yiyi-st" id="yiyi-647">One part of the key is public, and is called the <em>public key</em>; the other part is kept secret, and is called the <em>private key</em>. </span><span class="yiyi-st" id="yiyi-648">The two parts are related, in that if you encrypt a message with one of the parts, you can decrypt it with the other part, and <strong>only</strong> with the other part.</span></p><p><span class="yiyi-st" id="yiyi-649">A certificate contains information about two principals. </span><span class="yiyi-st" id="yiyi-650">It contains the name of a <em>subject</em>, and the subjects public key. </span><span class="yiyi-st" id="yiyi-651">It also contains a statement by a second principal, the <em>issuer</em>, that the subject is who he claims to be, and that this is indeed the subjects public key. </span><span class="yiyi-st" id="yiyi-652">The issuers statement is signed with the issuers private key, which only the issuer knows. </span><span class="yiyi-st" id="yiyi-653">However, anyone can verify the issuers statement by finding the issuers public key, decrypting the statement with it, and comparing it to the other information in the certificate. </span><span class="yiyi-st" id="yiyi-654">The certificate also contains information about the time period over which it is valid. </span><span class="yiyi-st" id="yiyi-655">This is expressed as two fields, called “notBefore” and “notAfter”.</span></p><p><span class="yiyi-st" id="yiyi-656">In the Python use of certificates, a client or server can use a certificate to prove who they are. </span><span class="yiyi-st" id="yiyi-657">The other side of a network connection can also be required to produce a certificate, and that certificate can be validated to the satisfaction of the client or server that requires such validation. </span><span class="yiyi-st" id="yiyi-658">The connection attempt can be set to raise an exception if the validation fails. </span><span class="yiyi-st" id="yiyi-659">Validation is done automatically, by the underlying OpenSSL framework; the application need not concern itself with its mechanics. </span><span class="yiyi-st" id="yiyi-660">But the application does usually need to provide sets of certificates to allow this process to take place.</span></p><p><span class="yiyi-st" id="yiyi-661">Python uses files to contain certificates. </span><span class="yiyi-st" id="yiyi-662">They should be formatted as “PEM” (see <span class="target" id="index-16"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc1422.html"><strong>RFC 1422</strong></a>), which is a base-64 encoded form wrapped with a header line and a footer line:</span></p><pre><code class="language-python"><span></span><span class="o">-----</span><span class="n">BEGIN</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
<span class="o">...</span> <span class="p">(</span><span class="n">certificate</span> <span class="ow">in</span> <span class="n">base64</span> <span class="n">PEM</span> <span class="n">encoding</span><span class="p">)</span> <span class="o">...</span>
<span class="o">-----</span><span class="n">END</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
</code></pre><div class="section" id="certificate-chains"><h3><span class="yiyi-st" id="yiyi-663">18.2.4.1. </span><span class="yiyi-st" id="yiyi-664">Certificate chains</span></h3><p><span class="yiyi-st" id="yiyi-665">The Python files which contain certificates can contain a sequence of certificates, sometimes called a <em>certificate chain</em>. </span><span class="yiyi-st" id="yiyi-666">This chain should start with the specific certificate for the principal who “is” the client or server, and then the certificate for the issuer of that certificate, and then the certificate for the issuer of <em>that</em> certificate, and so on up the chain till you get to a certificate which is <em>self-signed</em>, that is, a certificate which has the same subject and issuer, sometimes called a <em>root certificate</em>. </span><span class="yiyi-st" id="yiyi-667">The certificates should just be concatenated together in the certificate file. </span><span class="yiyi-st" id="yiyi-668">For example, suppose we had a three certificate chain, from our server certificate to the certificate of the certification authority that signed our server certificate, to the root certificate of the agency which issued the certification authoritys certificate:</span></p><pre><code class="language-python"><span></span><span class="o">-----</span><span class="n">BEGIN</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
<span class="o">...</span> <span class="p">(</span><span class="n">certificate</span> <span class="k">for</span> <span class="n">your</span> <span class="n">server</span><span class="p">)</span><span class="o">...</span>
<span class="o">-----</span><span class="n">END</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
<span class="o">-----</span><span class="n">BEGIN</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
<span class="o">...</span> <span class="p">(</span><span class="n">the</span> <span class="n">certificate</span> <span class="k">for</span> <span class="n">the</span> <span class="n">CA</span><span class="p">)</span><span class="o">...</span>
<span class="o">-----</span><span class="n">END</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
<span class="o">-----</span><span class="n">BEGIN</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
<span class="o">...</span> <span class="p">(</span><span class="n">the</span> <span class="n">root</span> <span class="n">certificate</span> <span class="k">for</span> <span class="n">the</span> <span class="n">CA</span><span class="s1">'s issuer)...</span>
<span class="o">-----</span><span class="n">END</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
</code></pre></div><div class="section" id="ca-certificates"><h3><span class="yiyi-st" id="yiyi-669">18.2.4.2. </span><span class="yiyi-st" id="yiyi-670">CA certificates</span></h3><p><span class="yiyi-st" id="yiyi-671">If you are going to require validation of the other side of the connections certificate, you need to provide a “CA certs” file, filled with the certificate chains for each issuer you are willing to trust. </span><span class="yiyi-st" id="yiyi-672">Again, this file just contains these chains concatenated together. </span><span class="yiyi-st" id="yiyi-673">For validation, Python will use the first chain it finds in the file which matches. </span><span class="yiyi-st" id="yiyi-674">The platforms certificates file can be used by calling <a class="reference internal" href="#ssl.SSLContext.load_default_certs" title="ssl.SSLContext.load_default_certs"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_default_certs()</span></code></a>, this is done automatically with <a class="reference internal" href="#ssl.create_default_context" title="ssl.create_default_context"><code class="xref py py-func docutils literal"><span class="pre">create_default_context()</span></code></a>.</span></p></div><div class="section" id="combined-key-and-certificate"><h3><span class="yiyi-st" id="yiyi-675">18.2.4.3. </span><span class="yiyi-st" id="yiyi-676">Combined key and certificate</span></h3><p><span class="yiyi-st" id="yiyi-677">Often the private key is stored in the same file as the certificate; in this case, only the <code class="docutils literal"><span class="pre">certfile</span></code> parameter to <a class="reference internal" href="#ssl.SSLContext.load_cert_chain" title="ssl.SSLContext.load_cert_chain"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_cert_chain()</span></code></a> and <a class="reference internal" href="#ssl.wrap_socket" title="ssl.wrap_socket"><code class="xref py py-func docutils literal"><span class="pre">wrap_socket()</span></code></a> needs to be passed. </span><span class="yiyi-st" id="yiyi-678">If the private key is stored with the certificate, it should come before the first certificate in the certificate chain:</span></p><pre><code class="language-python"><span></span><span class="o">-----</span><span class="n">BEGIN</span> <span class="n">RSA</span> <span class="n">PRIVATE</span> <span class="n">KEY</span><span class="o">-----</span>
<span class="o">...</span> <span class="p">(</span><span class="n">private</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">base64</span> <span class="n">encoding</span><span class="p">)</span> <span class="o">...</span>
<span class="o">-----</span><span class="n">END</span> <span class="n">RSA</span> <span class="n">PRIVATE</span> <span class="n">KEY</span><span class="o">-----</span>
<span class="o">-----</span><span class="n">BEGIN</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
<span class="o">...</span> <span class="p">(</span><span class="n">certificate</span> <span class="ow">in</span> <span class="n">base64</span> <span class="n">PEM</span> <span class="n">encoding</span><span class="p">)</span> <span class="o">...</span>
<span class="o">-----</span><span class="n">END</span> <span class="n">CERTIFICATE</span><span class="o">-----</span>
</code></pre></div><div class="section" id="self-signed-certificates"><h3><span class="yiyi-st" id="yiyi-679">18.2.4.4. </span><span class="yiyi-st" id="yiyi-680">Self-signed certificates</span></h3><p><span class="yiyi-st" id="yiyi-681">If you are going to create a server that provides SSL-encrypted connection services, you will need to acquire a certificate for that service. </span><span class="yiyi-st" id="yiyi-682">There are many ways of acquiring appropriate certificates, such as buying one from a certification authority. </span><span class="yiyi-st" id="yiyi-683">Another common practice is to generate a self-signed certificate. </span><span class="yiyi-st" id="yiyi-684">The simplest way to do this is with the OpenSSL package, using something like the following:</span></p><pre><code class="language-python"><span></span><span class="o">%</span> <span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">x509</span> <span class="o">-</span><span class="n">days</span> <span class="mi">365</span> <span class="o">-</span><span class="n">nodes</span> <span class="o">-</span><span class="n">out</span> <span class="n">cert</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">keyout</span> <span class="n">cert</span><span class="o">.</span><span class="n">pem</span>
<span class="n">Generating</span> <span class="n">a</span> <span class="mi">1024</span> <span class="n">bit</span> <span class="n">RSA</span> <span class="n">private</span> <span class="n">key</span>
<span class="o">.......++++++</span>
<span class="o">.............................++++++</span>
<span class="n">writing</span> <span class="n">new</span> <span class="n">private</span> <span class="n">key</span> <span class="n">to</span> <span class="s1">'cert.pem'</span>
<span class="o">-----</span>
<span class="n">You</span> <span class="n">are</span> <span class="n">about</span> <span class="n">to</span> <span class="n">be</span> <span class="n">asked</span> <span class="n">to</span> <span class="n">enter</span> <span class="n">information</span> <span class="n">that</span> <span class="n">will</span> <span class="n">be</span> <span class="n">incorporated</span>
<span class="n">into</span> <span class="n">your</span> <span class="n">certificate</span> <span class="n">request</span><span class="o">.</span>
<span class="n">What</span> <span class="n">you</span> <span class="n">are</span> <span class="n">about</span> <span class="n">to</span> <span class="n">enter</span> <span class="ow">is</span> <span class="n">what</span> <span class="ow">is</span> <span class="n">called</span> <span class="n">a</span> <span class="n">Distinguished</span> <span class="n">Name</span> <span class="ow">or</span> <span class="n">a</span> <span class="n">DN</span><span class="o">.</span>
<span class="n">There</span> <span class="n">are</span> <span class="n">quite</span> <span class="n">a</span> <span class="n">few</span> <span class="n">fields</span> <span class="n">but</span> <span class="n">you</span> <span class="n">can</span> <span class="n">leave</span> <span class="n">some</span> <span class="n">blank</span>
<span class="n">For</span> <span class="n">some</span> <span class="n">fields</span> <span class="n">there</span> <span class="n">will</span> <span class="n">be</span> <span class="n">a</span> <span class="n">default</span> <span class="n">value</span><span class="p">,</span>
<span class="n">If</span> <span class="n">you</span> <span class="n">enter</span> <span class="s1">'.'</span><span class="p">,</span> <span class="n">the</span> <span class="n">field</span> <span class="n">will</span> <span class="n">be</span> <span class="n">left</span> <span class="n">blank</span><span class="o">.</span>
<span class="o">-----</span>
<span class="n">Country</span> <span class="n">Name</span> <span class="p">(</span><span class="mi">2</span> <span class="n">letter</span> <span class="n">code</span><span class="p">)</span> <span class="p">[</span><span class="n">AU</span><span class="p">]:</span><span class="n">US</span>
<span class="n">State</span> <span class="ow">or</span> <span class="n">Province</span> <span class="n">Name</span> <span class="p">(</span><span class="n">full</span> <span class="n">name</span><span class="p">)</span> <span class="p">[</span><span class="n">Some</span><span class="o">-</span><span class="n">State</span><span class="p">]:</span><span class="n">MyState</span>
<span class="n">Locality</span> <span class="n">Name</span> <span class="p">(</span><span class="n">eg</span><span class="p">,</span> <span class="n">city</span><span class="p">)</span> <span class="p">[]:</span><span class="n">Some</span> <span class="n">City</span>
<span class="n">Organization</span> <span class="n">Name</span> <span class="p">(</span><span class="n">eg</span><span class="p">,</span> <span class="n">company</span><span class="p">)</span> <span class="p">[</span><span class="n">Internet</span> <span class="n">Widgits</span> <span class="n">Pty</span> <span class="n">Ltd</span><span class="p">]:</span><span class="n">My</span> <span class="n">Organization</span><span class="p">,</span> <span class="n">Inc</span><span class="o">.</span>
<span class="n">Organizational</span> <span class="n">Unit</span> <span class="n">Name</span> <span class="p">(</span><span class="n">eg</span><span class="p">,</span> <span class="n">section</span><span class="p">)</span> <span class="p">[]:</span><span class="n">My</span> <span class="n">Group</span>
<span class="n">Common</span> <span class="n">Name</span> <span class="p">(</span><span class="n">eg</span><span class="p">,</span> <span class="n">YOUR</span> <span class="n">name</span><span class="p">)</span> <span class="p">[]:</span><span class="n">myserver</span><span class="o">.</span><span class="n">mygroup</span><span class="o">.</span><span class="n">myorganization</span><span class="o">.</span><span class="n">com</span>
<span class="n">Email</span> <span class="n">Address</span> <span class="p">[]:</span><span class="n">ops</span><span class="nd">@myserver</span><span class="o">.</span><span class="n">mygroup</span><span class="o">.</span><span class="n">myorganization</span><span class="o">.</span><span class="n">com</span>
<span class="o">%</span>
</code></pre><p><span class="yiyi-st" id="yiyi-685">The disadvantage of a self-signed certificate is that it is its own root certificate, and no one else will have it in their cache of known (and trusted) root certificates.</span></p></div></div><div class="section" id="examples"><h2><span class="yiyi-st" id="yiyi-686">18.2.5. </span><span class="yiyi-st" id="yiyi-687">Examples</span></h2><div class="section" id="testing-for-ssl-support"><h3><span class="yiyi-st" id="yiyi-688">18.2.5.1. </span><span class="yiyi-st" id="yiyi-689">Testing for SSL support</span></h3><p><span class="yiyi-st" id="yiyi-690">To test for the presence of SSL support in a Python installation, user code should use the following idiom:</span></p><pre><code class="language-python"><span></span><span class="k">try</span><span class="p">:</span>
<span class="kn">import</span> <span class="nn">ssl</span>
<span class="k">except</span> <span class="ne">ImportError</span><span class="p">:</span>
<span class="k">pass</span>
<span class="k">else</span><span class="p">:</span>
<span class="o">...</span> <span class="c1"># do something that requires SSL support</span>
</code></pre></div><div class="section" id="client-side-operation"><h3><span class="yiyi-st" id="yiyi-691">18.2.5.2. </span><span class="yiyi-st" id="yiyi-692">Client-side operation</span></h3><p><span class="yiyi-st" id="yiyi-693">This example creates a SSL context with the recommended security settings for client sockets, including automatic certificate verification:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">create_default_context</span><span class="p">()</span>
</code></pre><p><span class="yiyi-st" id="yiyi-694">If you prefer to tune security settings yourself, you might create a context from scratch (but beware that you might not get the settings right):</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">SSLContext</span><span class="p">(</span><span class="n">ssl</span><span class="o">.</span><span class="n">PROTOCOL_SSLv23</span><span class="p">)</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">context</span><span class="o">.</span><span class="n">verify_mode</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">CERT_REQUIRED</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">context</span><span class="o">.</span><span class="n">check_hostname</span> <span class="o">=</span> <span class="kc">True</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">context</span><span class="o">.</span><span class="n">load_verify_locations</span><span class="p">(</span><span class="s2">"/etc/ssl/certs/ca-bundle.crt"</span><span class="p">)</span>
</code></pre><p><span class="yiyi-st" id="yiyi-695">(this snippet assumes your operating system places a bundle of all CA certificates in <code class="docutils literal"><span class="pre">/etc/ssl/certs/ca-bundle.crt</span></code>; if not, youll get an error and have to adjust the location)</span></p><p><span class="yiyi-st" id="yiyi-696">When you use the context to connect to a server, <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-const docutils literal"><span class="pre">CERT_REQUIRED</span></code></a> validates the server certificate: it ensures that the server certificate was signed with one of the CA certificates, and checks the signature for correctness:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">conn</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">wrap_socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">AF_INET</span><span class="p">),</span>
<span class="gp">... </span> <span class="n">server_hostname</span><span class="o">=</span><span class="s2">"www.python.org"</span><span class="p">)</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">conn</span><span class="o">.</span><span class="n">connect</span><span class="p">((</span><span class="s2">"www.python.org"</span><span class="p">,</span> <span class="mi">443</span><span class="p">))</span>
</code></pre><p><span class="yiyi-st" id="yiyi-697">You may then fetch the certificate:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">cert</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">getpeercert</span><span class="p">()</span>
</code></pre><p><span class="yiyi-st" id="yiyi-698">Visual inspection shows that the certificate does identify the desired service (that is, the HTTPS host <code class="docutils literal"><span class="pre">www.python.org</span></code>):</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">pprint</span><span class="o">.</span><span class="n">pprint</span><span class="p">(</span><span class="n">cert</span><span class="p">)</span>
<span class="go">{'OCSP': ('http://ocsp.digicert.com',),</span>
<span class="go"> 'caIssuers': ('http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt',),</span>
<span class="go"> 'crlDistributionPoints': ('http://crl3.digicert.com/sha2-ev-server-g1.crl',</span>
<span class="go"> 'http://crl4.digicert.com/sha2-ev-server-g1.crl'),</span>
<span class="go"> 'issuer': ((('countryName', 'US'),),</span>
<span class="go"> (('organizationName', 'DigiCert Inc'),),</span>
<span class="go"> (('organizationalUnitName', 'www.digicert.com'),),</span>
<span class="go"> (('commonName', 'DigiCert SHA2 Extended Validation Server CA'),)),</span>
<span class="go"> 'notAfter': 'Sep 9 12:00:00 2016 GMT',</span>
<span class="go"> 'notBefore': 'Sep 5 00:00:00 2014 GMT',</span>
<span class="go"> 'serialNumber': '01BB6F00122B177F36CAB49CEA8B6B26',</span>
<span class="go"> 'subject': ((('businessCategory', 'Private Organization'),),</span>
<span class="go"> (('1.3.6.1.4.1.311.60.2.1.3', 'US'),),</span>
<span class="go"> (('1.3.6.1.4.1.311.60.2.1.2', 'Delaware'),),</span>
<span class="go"> (('serialNumber', '3359300'),),</span>
<span class="go"> (('streetAddress', '16 Allen Rd'),),</span>
<span class="go"> (('postalCode', '03894-4801'),),</span>
<span class="go"> (('countryName', 'US'),),</span>
<span class="go"> (('stateOrProvinceName', 'NH'),),</span>
<span class="go"> (('localityName', 'Wolfeboro,'),),</span>
<span class="go"> (('organizationName', 'Python Software Foundation'),),</span>
<span class="go"> (('commonName', 'www.python.org'),)),</span>
<span class="go"> 'subjectAltName': (('DNS', 'www.python.org'),</span>
<span class="go"> ('DNS', 'python.org'),</span>
<span class="go"> ('DNS', 'pypi.python.org'),</span>
<span class="go"> ('DNS', 'docs.python.org'),</span>
<span class="go"> ('DNS', 'testpypi.python.org'),</span>
<span class="go"> ('DNS', 'bugs.python.org'),</span>
<span class="go"> ('DNS', 'wiki.python.org'),</span>
<span class="go"> ('DNS', 'hg.python.org'),</span>
<span class="go"> ('DNS', 'mail.python.org'),</span>
<span class="go"> ('DNS', 'packaging.python.org'),</span>
<span class="go"> ('DNS', 'pythonhosted.org'),</span>
<span class="go"> ('DNS', 'www.pythonhosted.org'),</span>
<span class="go"> ('DNS', 'test.pythonhosted.org'),</span>
<span class="go"> ('DNS', 'us.pycon.org'),</span>
<span class="go"> ('DNS', 'id.python.org')),</span>
<span class="go"> 'version': 3}</span>
</code></pre><p><span class="yiyi-st" id="yiyi-699">Now the SSL channel is established and the certificate verified, you can proceed to talk with the server:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">conn</span><span class="o">.</span><span class="n">sendall</span><span class="p">(</span><span class="n">b</span><span class="s2">"HEAD / HTTP/1.0</span><span class="se">\r\n</span><span class="s2">Host: linuxfr.org</span><span class="se">\r\n\r\n</span><span class="s2">"</span><span class="p">)</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">pprint</span><span class="o">.</span><span class="n">pprint</span><span class="p">(</span><span class="n">conn</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="n">b</span><span class="s2">"</span><span class="se">\r\n</span><span class="s2">"</span><span class="p">))</span>
<span class="go">[b'HTTP/1.1 200 OK',</span>
<span class="go"> b'Date: Sat, 18 Oct 2014 18:27:20 GMT',</span>
<span class="go"> b'Server: nginx',</span>
<span class="go"> b'Content-Type: text/html; charset=utf-8',</span>
<span class="go"> b'X-Frame-Options: SAMEORIGIN',</span>
<span class="go"> b'Content-Length: 45679',</span>
<span class="go"> b'Accept-Ranges: bytes',</span>
<span class="go"> b'Via: 1.1 varnish',</span>
<span class="go"> b'Age: 2188',</span>
<span class="go"> b'X-Served-By: cache-lcy1134-LCY',</span>
<span class="go"> b'X-Cache: HIT',</span>
<span class="go"> b'X-Cache-Hits: 11',</span>
<span class="go"> b'Vary: Cookie',</span>
<span class="go"> b'Strict-Transport-Security: max-age=63072000; includeSubDomains',</span>
<span class="go"> b'Connection: close',</span>
<span class="go"> b'',</span>
<span class="go"> b'']</span>
</code></pre><p><span class="yiyi-st" id="yiyi-700">See the discussion of <a class="reference internal" href="#ssl-security"><span>Security considerations</span></a> below.</span></p></div><div class="section" id="server-side-operation"><h3><span class="yiyi-st" id="yiyi-701">18.2.5.3. </span><span class="yiyi-st" id="yiyi-702">Server-side operation</span></h3><p><span class="yiyi-st" id="yiyi-703">For server operation, typically youll need to have a server certificate, and private key, each in a file. </span><span class="yiyi-st" id="yiyi-704">Youll first create a context holding the key and the certificate, so that clients can check your authenticity. </span><span class="yiyi-st" id="yiyi-705">Then youll open a socket, bind it to a port, call <code class="xref py py-meth docutils literal"><span class="pre">listen()</span></code> on it, and start waiting for clients to connect:</span></p><pre><code class="language-python"><span></span><span class="kn">import</span> <span class="nn">socket</span><span class="o">,</span> <span class="nn">ssl</span>
<span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">create_default_context</span><span class="p">(</span><span class="n">ssl</span><span class="o">.</span><span class="n">Purpose</span><span class="o">.</span><span class="n">CLIENT_AUTH</span><span class="p">)</span>
<span class="n">context</span><span class="o">.</span><span class="n">load_cert_chain</span><span class="p">(</span><span class="n">certfile</span><span class="o">=</span><span class="s2">"mycertfile"</span><span class="p">,</span> <span class="n">keyfile</span><span class="o">=</span><span class="s2">"mykeyfile"</span><span class="p">)</span>
<span class="n">bindsocket</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">()</span>
<span class="n">bindsocket</span><span class="o">.</span><span class="n">bind</span><span class="p">((</span><span class="s1">'myaddr.mydomain.com'</span><span class="p">,</span> <span class="mi">10023</span><span class="p">))</span>
<span class="n">bindsocket</span><span class="o">.</span><span class="n">listen</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span>
</code></pre><p><span class="yiyi-st" id="yiyi-706">When a client connects, youll call <code class="xref py py-meth docutils literal"><span class="pre">accept()</span></code> on the socket to get the new socket from the other end, and use the contexts <a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.wrap_socket()</span></code></a> method to create a server-side SSL socket for the connection:</span></p><pre><code class="language-python"><span></span><span class="k">while</span> <span class="kc">True</span><span class="p">:</span>
<span class="n">newsocket</span><span class="p">,</span> <span class="n">fromaddr</span> <span class="o">=</span> <span class="n">bindsocket</span><span class="o">.</span><span class="n">accept</span><span class="p">()</span>
<span class="n">connstream</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">wrap_socket</span><span class="p">(</span><span class="n">newsocket</span><span class="p">,</span> <span class="n">server_side</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">deal_with_client</span><span class="p">(</span><span class="n">connstream</span><span class="p">)</span>
<span class="k">finally</span><span class="p">:</span>
<span class="n">connstream</span><span class="o">.</span><span class="n">shutdown</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">SHUT_RDWR</span><span class="p">)</span>
<span class="n">connstream</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</code></pre><p><span class="yiyi-st" id="yiyi-707">Then youll read data from the <code class="docutils literal"><span class="pre">connstream</span></code> and do something with it till you are finished with the client (or the client is finished with you):</span></p><pre><code class="language-python"><span></span><span class="k">def</span> <span class="nf">deal_with_client</span><span class="p">(</span><span class="n">connstream</span><span class="p">):</span>
<span class="n">data</span> <span class="o">=</span> <span class="n">connstream</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
<span class="c1"># empty data means the client is finished with us</span>
<span class="k">while</span> <span class="n">data</span><span class="p">:</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">do_something</span><span class="p">(</span><span class="n">connstream</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span>
<span class="c1"># we'll assume do_something returns False</span>
<span class="c1"># when we're finished with client</span>
<span class="k">break</span>
<span class="n">data</span> <span class="o">=</span> <span class="n">connstream</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
<span class="c1"># finished with client</span>
</code></pre><p><span class="yiyi-st" id="yiyi-708">And go back to listening for new client connections (of course, a real server would probably handle each client connection in a separate thread, or put the sockets in <a class="reference internal" href="#ssl-nonblocking"><span>non-blocking mode</span></a> and use an event loop).</span></p></div></div><div class="section" id="notes-on-non-blocking-sockets"><h2><span class="yiyi-st" id="yiyi-709">18.2.6. </span><span class="yiyi-st" id="yiyi-710">Notes on non-blocking sockets</span></h2><p><span class="yiyi-st" id="yiyi-711">SSL sockets behave slightly different than regular sockets in non-blocking mode. </span><span class="yiyi-st" id="yiyi-712">When working with non-blocking sockets, there are thus several things you need to be aware of:</span></p><ul><li><p class="first"><span class="yiyi-st" id="yiyi-713">Most <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> methods will raise either <a class="reference internal" href="#ssl.SSLWantWriteError" title="ssl.SSLWantWriteError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantWriteError</span></code></a> or <a class="reference internal" href="#ssl.SSLWantReadError" title="ssl.SSLWantReadError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantReadError</span></code></a> instead of <a class="reference internal" href="exceptions.html#BlockingIOError" title="BlockingIOError"><code class="xref py py-exc docutils literal"><span class="pre">BlockingIOError</span></code></a> if an I/O operation would block. </span><span class="yiyi-st" id="yiyi-714"><a class="reference internal" href="#ssl.SSLWantReadError" title="ssl.SSLWantReadError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantReadError</span></code></a> will be raised if a read operation on the underlying socket is necessary, and <a class="reference internal" href="#ssl.SSLWantWriteError" title="ssl.SSLWantWriteError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantWriteError</span></code></a> for a write operation on the underlying socket. </span><span class="yiyi-st" id="yiyi-715">Note that attempts to <em>write</em> to an SSL socket may require <em>reading</em> from the underlying socket first, and attempts to <em>read</em> from the SSL socket may require a prior <em>write</em> to the underlying socket.</span></p><div class="versionchanged"><p><span class="yiyi-st" id="yiyi-716"><span class="versionmodified">Changed in version 3.5: </span>In earlier Python versions, the <code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.send()</span></code> method returned zero instead of raising <a class="reference internal" href="#ssl.SSLWantWriteError" title="ssl.SSLWantWriteError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantWriteError</span></code></a> or <a class="reference internal" href="#ssl.SSLWantReadError" title="ssl.SSLWantReadError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantReadError</span></code></a>.</span></p></div></li><li><p class="first"><span class="yiyi-st" id="yiyi-717">Calling <a class="reference internal" href="select.html#select.select" title="select.select"><code class="xref py py-func docutils literal"><span class="pre">select()</span></code></a> tells you that the OS-level socket can be read from (or written to), but it does not imply that there is sufficient data at the upper SSL layer. </span><span class="yiyi-st" id="yiyi-718">For example, only part of an SSL frame might have arrived. </span><span class="yiyi-st" id="yiyi-719">Therefore, you must be ready to handle <code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.recv()</span></code> and <code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.send()</span></code> failures, and retry after another call to <a class="reference internal" href="select.html#select.select" title="select.select"><code class="xref py py-func docutils literal"><span class="pre">select()</span></code></a>.</span></p></li><li><p class="first"><span class="yiyi-st" id="yiyi-720">Conversely, since the SSL layer has its own framing, a SSL socket may still have data available for reading without <a class="reference internal" href="select.html#select.select" title="select.select"><code class="xref py py-func docutils literal"><span class="pre">select()</span></code></a> being aware of it. </span><span class="yiyi-st" id="yiyi-721">Therefore, you should first call <code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.recv()</span></code> to drain any potentially available data, and then only block on a <a class="reference internal" href="select.html#select.select" title="select.select"><code class="xref py py-func docutils literal"><span class="pre">select()</span></code></a> call if still necessary.</span></p><p><span class="yiyi-st" id="yiyi-722">(of course, similar provisions apply when using other primitives such as <a class="reference internal" href="select.html#select.poll" title="select.poll"><code class="xref py py-func docutils literal"><span class="pre">poll()</span></code></a>, or those in the <a class="reference internal" href="selectors.html#module-selectors" title="selectors: High-level I/O multiplexing."><code class="xref py py-mod docutils literal"><span class="pre">selectors</span></code></a> module)</span></p></li><li><p class="first"><span class="yiyi-st" id="yiyi-723">The SSL handshake itself will be non-blocking: the <a class="reference internal" href="#ssl.SSLSocket.do_handshake" title="ssl.SSLSocket.do_handshake"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.do_handshake()</span></code></a> method has to be retried until it returns successfully. </span><span class="yiyi-st" id="yiyi-724">Here is a synopsis using <a class="reference internal" href="select.html#select.select" title="select.select"><code class="xref py py-func docutils literal"><span class="pre">select()</span></code></a> to wait for the sockets readiness:</span></p><pre><code class="language-python"><span></span><span class="k">while</span> <span class="kc">True</span><span class="p">:</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">sock</span><span class="o">.</span><span class="n">do_handshake</span><span class="p">()</span>
<span class="k">break</span>
<span class="k">except</span> <span class="n">ssl</span><span class="o">.</span><span class="n">SSLWantReadError</span><span class="p">:</span>
<span class="n">select</span><span class="o">.</span><span class="n">select</span><span class="p">([</span><span class="n">sock</span><span class="p">],</span> <span class="p">[],</span> <span class="p">[])</span>
<span class="k">except</span> <span class="n">ssl</span><span class="o">.</span><span class="n">SSLWantWriteError</span><span class="p">:</span>
<span class="n">select</span><span class="o">.</span><span class="n">select</span><span class="p">([],</span> <span class="p">[</span><span class="n">sock</span><span class="p">],</span> <span class="p">[])</span>
</code></pre></li></ul><div class="admonition seealso"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-725">See also</span></p><p class="last"><span class="yiyi-st" id="yiyi-726">The <a class="reference internal" href="asyncio.html#module-asyncio" title="asyncio: Asynchronous I/O, event loop, coroutines and tasks."><code class="xref py py-mod docutils literal"><span class="pre">asyncio</span></code></a> module supports <a class="reference internal" href="#ssl-nonblocking"><span>non-blocking SSL sockets</span></a> and provides a higher level API. </span><span class="yiyi-st" id="yiyi-727">It polls for events using the <a class="reference internal" href="selectors.html#module-selectors" title="selectors: High-level I/O multiplexing."><code class="xref py py-mod docutils literal"><span class="pre">selectors</span></code></a> module and handles <a class="reference internal" href="#ssl.SSLWantWriteError" title="ssl.SSLWantWriteError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantWriteError</span></code></a>, <a class="reference internal" href="#ssl.SSLWantReadError" title="ssl.SSLWantReadError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantReadError</span></code></a> and <a class="reference internal" href="exceptions.html#BlockingIOError" title="BlockingIOError"><code class="xref py py-exc docutils literal"><span class="pre">BlockingIOError</span></code></a> exceptions. </span><span class="yiyi-st" id="yiyi-728">It runs the SSL handshake asynchronously as well.</span></p></div></div><div class="section" id="memory-bio-support"><h2><span class="yiyi-st" id="yiyi-729">18.2.7. </span><span class="yiyi-st" id="yiyi-730">Memory BIO Support</span></h2><div class="versionadded"><p><span class="yiyi-st" id="yiyi-731"><span class="versionmodified">New in version 3.5.</span></span></p></div><p><span class="yiyi-st" id="yiyi-732">Ever since the SSL module was introduced in Python 2.6, the <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> class has provided two related but distinct areas of functionality:</span></p><ul class="simple"><li><span class="yiyi-st" id="yiyi-733">SSL protocol handling</span></li><li><span class="yiyi-st" id="yiyi-734">Network IO</span></li></ul><p><span class="yiyi-st" id="yiyi-735">The network IO API is identical to that provided by <a class="reference internal" href="socket.html#socket.socket" title="socket.socket"><code class="xref py py-class docutils literal"><span class="pre">socket.socket</span></code></a>, from which <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> also inherits. </span><span class="yiyi-st" id="yiyi-736">This allows an SSL socket to be used as a drop-in replacement for a regular socket, making it very easy to add SSL support to an existing application.</span></p><p><span class="yiyi-st" id="yiyi-737">Combining SSL protocol handling and network IO usually works well, but there are some cases where it doesnt. </span><span class="yiyi-st" id="yiyi-738">An example is async IO frameworks that want to use a different IO multiplexing model than the “select/poll on a file descriptor” (readiness based) model that is assumed by <a class="reference internal" href="socket.html#socket.socket" title="socket.socket"><code class="xref py py-class docutils literal"><span class="pre">socket.socket</span></code></a> and by the internal OpenSSL socket IO routines. </span><span class="yiyi-st" id="yiyi-739">This is mostly relevant for platforms like Windows where this model is not efficient. </span><span class="yiyi-st" id="yiyi-740">For this purpose, a reduced scope variant of <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> called <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a> is provided.</span></p><dl class="class"><dt id="ssl.SSLObject"><span class="yiyi-st" id="yiyi-741"> <em class="property">class </em><code class="descclassname">ssl.</code><code class="descname">SSLObject</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-742">A reduced-scope variant of <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> representing an SSL protocol instance that does not contain any network IO methods. </span><span class="yiyi-st" id="yiyi-743">This class is typically used by framework authors that want to implement asynchronous IO for SSL through memory buffers.</span></p><p><span class="yiyi-st" id="yiyi-744">This class implements an interface on top of a low-level SSL object as implemented by OpenSSL. </span><span class="yiyi-st" id="yiyi-745">This object captures the state of an SSL connection but does not provide any network IO itself. </span><span class="yiyi-st" id="yiyi-746">IO needs to be performed through separate “BIO” objects which are OpenSSLs IO abstraction layer.</span></p><p><span class="yiyi-st" id="yiyi-747">An <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a> instance can be created using the <a class="reference internal" href="#ssl.SSLContext.wrap_bio" title="ssl.SSLContext.wrap_bio"><code class="xref py py-meth docutils literal"><span class="pre">wrap_bio()</span></code></a> method. </span><span class="yiyi-st" id="yiyi-748">This method will create the <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a> instance and bind it to a pair of BIOs. </span><span class="yiyi-st" id="yiyi-749">The <em>incoming</em> BIO is used to pass data from Python to the SSL protocol instance, while the <em>outgoing</em> BIO is used to pass data the other way around.</span></p><p><span class="yiyi-st" id="yiyi-750">The following methods are available:</span></p><ul class="simple"><li><span class="yiyi-st" id="yiyi-751"><a class="reference internal" href="#ssl.SSLSocket.context" title="ssl.SSLSocket.context"><code class="xref py py-attr docutils literal"><span class="pre">context</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-752"><a class="reference internal" href="#ssl.SSLSocket.server_side" title="ssl.SSLSocket.server_side"><code class="xref py py-attr docutils literal"><span class="pre">server_side</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-753"><a class="reference internal" href="#ssl.SSLSocket.server_hostname" title="ssl.SSLSocket.server_hostname"><code class="xref py py-attr docutils literal"><span class="pre">server_hostname</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-754"><a class="reference internal" href="#ssl.SSLSocket.read" title="ssl.SSLSocket.read"><code class="xref py py-meth docutils literal"><span class="pre">read()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-755"><a class="reference internal" href="#ssl.SSLSocket.write" title="ssl.SSLSocket.write"><code class="xref py py-meth docutils literal"><span class="pre">write()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-756"><a class="reference internal" href="#ssl.SSLSocket.getpeercert" title="ssl.SSLSocket.getpeercert"><code class="xref py py-meth docutils literal"><span class="pre">getpeercert()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-757"><a class="reference internal" href="#ssl.SSLSocket.selected_npn_protocol" title="ssl.SSLSocket.selected_npn_protocol"><code class="xref py py-meth docutils literal"><span class="pre">selected_npn_protocol()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-758"><a class="reference internal" href="#ssl.SSLSocket.cipher" title="ssl.SSLSocket.cipher"><code class="xref py py-meth docutils literal"><span class="pre">cipher()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-759"><a class="reference internal" href="#ssl.SSLSocket.shared_ciphers" title="ssl.SSLSocket.shared_ciphers"><code class="xref py py-meth docutils literal"><span class="pre">shared_ciphers()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-760"><a class="reference internal" href="#ssl.SSLSocket.compression" title="ssl.SSLSocket.compression"><code class="xref py py-meth docutils literal"><span class="pre">compression()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-761"><a class="reference internal" href="#ssl.SSLSocket.pending" title="ssl.SSLSocket.pending"><code class="xref py py-meth docutils literal"><span class="pre">pending()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-762"><a class="reference internal" href="#ssl.SSLSocket.do_handshake" title="ssl.SSLSocket.do_handshake"><code class="xref py py-meth docutils literal"><span class="pre">do_handshake()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-763"><a class="reference internal" href="#ssl.SSLSocket.unwrap" title="ssl.SSLSocket.unwrap"><code class="xref py py-meth docutils literal"><span class="pre">unwrap()</span></code></a></span></li><li><span class="yiyi-st" id="yiyi-764"><a class="reference internal" href="#ssl.SSLSocket.get_channel_binding" title="ssl.SSLSocket.get_channel_binding"><code class="xref py py-meth docutils literal"><span class="pre">get_channel_binding()</span></code></a></span></li></ul><p><span class="yiyi-st" id="yiyi-765">When compared to <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a>, this object lacks the following features:</span></p><ul class="simple"><li><span class="yiyi-st" id="yiyi-766">Any form of network IO incluging methods such as <code class="docutils literal"><span class="pre">recv()</span></code> and <code class="docutils literal"><span class="pre">send()</span></code>.</span></li><li><span class="yiyi-st" id="yiyi-767">There is no <em>do_handshake_on_connect</em> machinery. </span><span class="yiyi-st" id="yiyi-768">You must always manually call <a class="reference internal" href="#ssl.SSLSocket.do_handshake" title="ssl.SSLSocket.do_handshake"><code class="xref py py-meth docutils literal"><span class="pre">do_handshake()</span></code></a> to start the handshake.</span></li><li><span class="yiyi-st" id="yiyi-769">There is no handling of <em>suppress_ragged_eofs</em>. </span><span class="yiyi-st" id="yiyi-770">All end-of-file conditions that are in violation of the protocol are reported via the <a class="reference internal" href="#ssl.SSLEOFError" title="ssl.SSLEOFError"><code class="xref py py-exc docutils literal"><span class="pre">SSLEOFError</span></code></a> exception.</span></li><li><span class="yiyi-st" id="yiyi-771">The method <a class="reference internal" href="#ssl.SSLSocket.unwrap" title="ssl.SSLSocket.unwrap"><code class="xref py py-meth docutils literal"><span class="pre">unwrap()</span></code></a> call does not return anything, unlike for an SSL socket where it returns the underlying socket.</span></li><li><span class="yiyi-st" id="yiyi-772">The <em>server_name_callback</em> callback passed to <a class="reference internal" href="#ssl.SSLContext.set_servername_callback" title="ssl.SSLContext.set_servername_callback"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_servername_callback()</span></code></a> will get an <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a> instance instead of a <a class="reference internal" href="#ssl.SSLSocket" title="ssl.SSLSocket"><code class="xref py py-class docutils literal"><span class="pre">SSLSocket</span></code></a> instance as its first parameter.</span></li></ul><p><span class="yiyi-st" id="yiyi-773">Some notes related to the use of <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a>:</span></p><ul class="simple"><li><span class="yiyi-st" id="yiyi-774">All IO on an <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a> is <a class="reference internal" href="#ssl-nonblocking"><span>non-blocking</span></a>. </span><span class="yiyi-st" id="yiyi-775">This means that for example <a class="reference internal" href="#ssl.SSLSocket.read" title="ssl.SSLSocket.read"><code class="xref py py-meth docutils literal"><span class="pre">read()</span></code></a> will raise an <a class="reference internal" href="#ssl.SSLWantReadError" title="ssl.SSLWantReadError"><code class="xref py py-exc docutils literal"><span class="pre">SSLWantReadError</span></code></a> if it needs more data than the incoming BIO has available.</span></li><li><span class="yiyi-st" id="yiyi-776">There is no module-level <code class="docutils literal"><span class="pre">wrap_bio()</span></code> call like there is for <a class="reference internal" href="#ssl.SSLContext.wrap_socket" title="ssl.SSLContext.wrap_socket"><code class="xref py py-meth docutils literal"><span class="pre">wrap_socket()</span></code></a>. </span><span class="yiyi-st" id="yiyi-777">An <a class="reference internal" href="#ssl.SSLObject" title="ssl.SSLObject"><code class="xref py py-class docutils literal"><span class="pre">SSLObject</span></code></a> is always created via an <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a>.</span></li></ul></dd></dl><p><span class="yiyi-st" id="yiyi-778">An SSLObject communicates with the outside world using memory buffers. </span><span class="yiyi-st" id="yiyi-779">The class <a class="reference internal" href="#ssl.MemoryBIO" title="ssl.MemoryBIO"><code class="xref py py-class docutils literal"><span class="pre">MemoryBIO</span></code></a> provides a memory buffer that can be used for this purpose. </span><span class="yiyi-st" id="yiyi-780">It wraps an OpenSSL memory BIO (Basic IO) object:</span></p><dl class="class"><dt id="ssl.MemoryBIO"><span class="yiyi-st" id="yiyi-781"> <em class="property">class </em><code class="descclassname">ssl.</code><code class="descname">MemoryBIO</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-782">A memory buffer that can be used to pass data between Python and an SSL protocol instance.</span></p><dl class="attribute"><dt id="ssl.MemoryBIO.pending"><span class="yiyi-st" id="yiyi-783"> <code class="descname">pending</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-784">Return the number of bytes currently in the memory buffer.</span></p></dd></dl><dl class="attribute"><dt id="ssl.MemoryBIO.eof"><span class="yiyi-st" id="yiyi-785"> <code class="descname">eof</code></span></dt><dd><p><span class="yiyi-st" id="yiyi-786">A boolean indicating whether the memory BIO is current at the end-of-file position.</span></p></dd></dl><dl class="method"><dt id="ssl.MemoryBIO.read"><span class="yiyi-st" id="yiyi-787"> <code class="descname">read</code><span class="sig-paren">(</span><em>n=-1</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-788">Read up to <em>n</em> bytes from the memory buffer. </span><span class="yiyi-st" id="yiyi-789">If <em>n</em> is not specified or negative, all bytes are returned.</span></p></dd></dl><dl class="method"><dt id="ssl.MemoryBIO.write"><span class="yiyi-st" id="yiyi-790"> <code class="descname">write</code><span class="sig-paren">(</span><em>buf</em><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-791">Write the bytes from <em>buf</em> to the memory BIO. </span><span class="yiyi-st" id="yiyi-792">The <em>buf</em> argument must be an object supporting the buffer protocol.</span></p><p><span class="yiyi-st" id="yiyi-793">The return value is the number of bytes written, which is always equal to the length of <em>buf</em>.</span></p></dd></dl><dl class="method"><dt id="ssl.MemoryBIO.write_eof"><span class="yiyi-st" id="yiyi-794"> <code class="descname">write_eof</code><span class="sig-paren">(</span><span class="sig-paren">)</span></span></dt><dd><p><span class="yiyi-st" id="yiyi-795">Write an EOF marker to the memory BIO. </span><span class="yiyi-st" id="yiyi-796">After this method has been called, it is illegal to call <a class="reference internal" href="#ssl.MemoryBIO.write" title="ssl.MemoryBIO.write"><code class="xref py py-meth docutils literal"><span class="pre">write()</span></code></a>. </span><span class="yiyi-st" id="yiyi-797">The attribute <a class="reference internal" href="#ssl.MemoryBIO.eof" title="ssl.MemoryBIO.eof"><code class="xref py py-attr docutils literal"><span class="pre">eof</span></code></a> will become true after all data currently in the buffer has been read.</span></p></dd></dl></dd></dl></div><div class="section" id="security-considerations"><h2><span class="yiyi-st" id="yiyi-798">18.2.8. </span><span class="yiyi-st" id="yiyi-799">Security considerations</span></h2><div class="section" id="best-defaults"><h3><span class="yiyi-st" id="yiyi-800">18.2.8.1. </span><span class="yiyi-st" id="yiyi-801">Best defaults</span></h3><p><span class="yiyi-st" id="yiyi-802">For <strong>client use</strong>, if you dont have any special requirements for your security policy, it is highly recommended that you use the <a class="reference internal" href="#ssl.create_default_context" title="ssl.create_default_context"><code class="xref py py-func docutils literal"><span class="pre">create_default_context()</span></code></a> function to create your SSL context. </span><span class="yiyi-st" id="yiyi-803">It will load the systems trusted CA certificates, enable certificate validation and hostname checking, and try to choose reasonably secure protocol and cipher settings.</span></p><p><span class="yiyi-st" id="yiyi-804">For example, here is how you would use the <a class="reference internal" href="smtplib.html#smtplib.SMTP" title="smtplib.SMTP"><code class="xref py py-class docutils literal"><span class="pre">smtplib.SMTP</span></code></a> class to create a trusted, secure connection to a SMTP server:</span></p><pre><code class="language-python"><span></span><span class="gp">&gt;&gt;&gt; </span><span class="kn">import</span> <span class="nn">ssl</span><span class="o">,</span> <span class="nn">smtplib</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">smtp</span> <span class="o">=</span> <span class="n">smtplib</span><span class="o">.</span><span class="n">SMTP</span><span class="p">(</span><span class="s2">"mail.python.org"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">587</span><span class="p">)</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">create_default_context</span><span class="p">()</span>
<span class="gp">&gt;&gt;&gt; </span><span class="n">smtp</span><span class="o">.</span><span class="n">starttls</span><span class="p">(</span><span class="n">context</span><span class="o">=</span><span class="n">context</span><span class="p">)</span>
<span class="go">(220, b'2.0.0 Ready to start TLS')</span>
</code></pre><p><span class="yiyi-st" id="yiyi-805">If a client certificate is needed for the connection, it can be added with <a class="reference internal" href="#ssl.SSLContext.load_cert_chain" title="ssl.SSLContext.load_cert_chain"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.load_cert_chain()</span></code></a>.</span></p><p><span class="yiyi-st" id="yiyi-806">By contrast, if you create the SSL context by calling the <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> constructor yourself, it will not have certificate validation nor hostname checking enabled by default. </span><span class="yiyi-st" id="yiyi-807">If you do so, please read the paragraphs below to achieve a good security level.</span></p></div><div class="section" id="manual-settings"><h3><span class="yiyi-st" id="yiyi-808">18.2.8.2. </span><span class="yiyi-st" id="yiyi-809">Manual settings</span></h3><div class="section" id="verifying-certificates"><h4><span class="yiyi-st" id="yiyi-810">18.2.8.2.1. </span><span class="yiyi-st" id="yiyi-811">Verifying certificates</span></h4><p><span class="yiyi-st" id="yiyi-812">When calling the <a class="reference internal" href="#ssl.SSLContext" title="ssl.SSLContext"><code class="xref py py-class docutils literal"><span class="pre">SSLContext</span></code></a> constructor directly, <a class="reference internal" href="#ssl.CERT_NONE" title="ssl.CERT_NONE"><code class="xref py py-const docutils literal"><span class="pre">CERT_NONE</span></code></a> is the default. </span><span class="yiyi-st" id="yiyi-813">Since it does not authenticate the other peer, it can be insecure, especially in client mode where most of time you would like to ensure the authenticity of the server youre talking to. </span><span class="yiyi-st" id="yiyi-814">Therefore, when in client mode, it is highly recommended to use <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-const docutils literal"><span class="pre">CERT_REQUIRED</span></code></a>. </span><span class="yiyi-st" id="yiyi-815">However, it is in itself not sufficient; you also have to check that the server certificate, which can be obtained by calling <a class="reference internal" href="#ssl.SSLSocket.getpeercert" title="ssl.SSLSocket.getpeercert"><code class="xref py py-meth docutils literal"><span class="pre">SSLSocket.getpeercert()</span></code></a>, matches the desired service. </span><span class="yiyi-st" id="yiyi-816">For many protocols and applications, the service can be identified by the hostname; in this case, the <a class="reference internal" href="#ssl.match_hostname" title="ssl.match_hostname"><code class="xref py py-func docutils literal"><span class="pre">match_hostname()</span></code></a> function can be used. </span><span class="yiyi-st" id="yiyi-817">This common check is automatically performed when <a class="reference internal" href="#ssl.SSLContext.check_hostname" title="ssl.SSLContext.check_hostname"><code class="xref py py-attr docutils literal"><span class="pre">SSLContext.check_hostname</span></code></a> is enabled.</span></p><p><span class="yiyi-st" id="yiyi-818">In server mode, if you want to authenticate your clients using the SSL layer (rather than using a higher-level authentication mechanism), youll also have to specify <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-const docutils literal"><span class="pre">CERT_REQUIRED</span></code></a> and similarly check the client certificate.</span></p><span class="yiyi-st" id="yiyi-819"> <blockquote> <div><div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">In client mode, <a class="reference internal" href="#ssl.CERT_OPTIONAL" title="ssl.CERT_OPTIONAL"><code class="xref py py-const docutils literal"><span class="pre">CERT_OPTIONAL</span></code></a> and <a class="reference internal" href="#ssl.CERT_REQUIRED" title="ssl.CERT_REQUIRED"><code class="xref py py-const docutils literal"><span class="pre">CERT_REQUIRED</span></code></a> are equivalent unless anonymous ciphers are enabled (they are disabled by default).</p> </div> </div></blockquote></span></div><div class="section" id="protocol-versions"><h4><span class="yiyi-st" id="yiyi-820">18.2.8.2.2. </span><span class="yiyi-st" id="yiyi-821">Protocol versions</span></h4><p><span class="yiyi-st" id="yiyi-822">SSL versions 2 and 3 are considered insecure and are therefore dangerous to use. </span><span class="yiyi-st" id="yiyi-823">If you want maximum compatibility between clients and servers, it is recommended to use <a class="reference internal" href="#ssl.PROTOCOL_SSLv23" title="ssl.PROTOCOL_SSLv23"><code class="xref py py-const docutils literal"><span class="pre">PROTOCOL_SSLv23</span></code></a> as the protocol version and then disable SSLv2 and SSLv3 explicitly using the <a class="reference internal" href="#ssl.SSLContext.options" title="ssl.SSLContext.options"><code class="xref py py-data docutils literal"><span class="pre">SSLContext.options</span></code></a> attribute:</span></p><pre><code class="language-python"><span></span><span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">SSLContext</span><span class="p">(</span><span class="n">ssl</span><span class="o">.</span><span class="n">PROTOCOL_SSLv23</span><span class="p">)</span>
<span class="n">context</span><span class="o">.</span><span class="n">options</span> <span class="o">|=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">OP_NO_SSLv2</span>
<span class="n">context</span><span class="o">.</span><span class="n">options</span> <span class="o">|=</span> <span class="n">ssl</span><span class="o">.</span><span class="n">OP_NO_SSLv3</span>
</code></pre><p><span class="yiyi-st" id="yiyi-824">The SSL context created above will only allow TLSv1 and later (if supported by your system) connections.</span></p></div><div class="section" id="cipher-selection"><h4><span class="yiyi-st" id="yiyi-825">18.2.8.2.3. </span><span class="yiyi-st" id="yiyi-826">Cipher selection</span></h4><p><span class="yiyi-st" id="yiyi-827">If you have advanced security requirements, fine-tuning of the ciphers enabled when negotiating a SSL session is possible through the <a class="reference internal" href="#ssl.SSLContext.set_ciphers" title="ssl.SSLContext.set_ciphers"><code class="xref py py-meth docutils literal"><span class="pre">SSLContext.set_ciphers()</span></code></a> method. </span><span class="yiyi-st" id="yiyi-828">Starting from Python 3.2.3, the ssl module disables certain weak ciphers by default, but you may want to further restrict the cipher choice. </span><span class="yiyi-st" id="yiyi-829">Be sure to read OpenSSLs documentation about the <a class="reference external" href="https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT">cipher list format</a>. </span><span class="yiyi-st" id="yiyi-830">If you want to check which ciphers are enabled by a given cipher list, use the <code class="docutils literal"><span class="pre">openssl</span> <span class="pre">ciphers</span></code> command on your system.</span></p></div></div><div class="section" id="multi-processing"><h3><span class="yiyi-st" id="yiyi-831">18.2.8.3. </span><span class="yiyi-st" id="yiyi-832">Multi-processing</span></h3><p><span class="yiyi-st" id="yiyi-833">If using this module as part of a multi-processed application (using, for example the <a class="reference internal" href="multiprocessing.html#module-multiprocessing" title="multiprocessing: Process-based parallelism."><code class="xref py py-mod docutils literal"><span class="pre">multiprocessing</span></code></a> or <a class="reference internal" href="concurrent.futures.html#module-concurrent.futures" title="concurrent.futures: Execute computations concurrently using threads or processes."><code class="xref py py-mod docutils literal"><span class="pre">concurrent.futures</span></code></a> modules), be aware that OpenSSLs internal random number generator does not properly handle forked processes. </span><span class="yiyi-st" id="yiyi-834">Applications must change the PRNG state of the parent process if they use any SSL feature with <a class="reference internal" href="os.html#os.fork" title="os.fork"><code class="xref py py-func docutils literal"><span class="pre">os.fork()</span></code></a>. </span><span class="yiyi-st" id="yiyi-835">Any successful call of <a class="reference internal" href="#ssl.RAND_add" title="ssl.RAND_add"><code class="xref py py-func docutils literal"><span class="pre">RAND_add()</span></code></a>, <a class="reference internal" href="#ssl.RAND_bytes" title="ssl.RAND_bytes"><code class="xref py py-func docutils literal"><span class="pre">RAND_bytes()</span></code></a> or <a class="reference internal" href="#ssl.RAND_pseudo_bytes" title="ssl.RAND_pseudo_bytes"><code class="xref py py-func docutils literal"><span class="pre">RAND_pseudo_bytes()</span></code></a> is sufficient.</span></p><div class="admonition seealso"><p class="first admonition-title"><span class="yiyi-st" id="yiyi-836">See also</span></p><dl class="last docutils"><dt><span class="yiyi-st" id="yiyi-837">Class <a class="reference internal" href="socket.html#socket.socket" title="socket.socket"><code class="xref py py-class docutils literal"><span class="pre">socket.socket</span></code></a></span></dt><dd><span class="yiyi-st" id="yiyi-838">Documentation of underlying <a class="reference internal" href="socket.html#module-socket" title="socket: Low-level networking interface."><code class="xref py py-mod docutils literal"><span class="pre">socket</span></code></a> class</span></dd><dt><span class="yiyi-st" id="yiyi-839"><a class="reference external" href="https://httpd.apache.org/docs/trunk/en/ssl/ssl_intro.html">SSL/TLS Strong Encryption: An Introduction</a></span></dt><dd><span class="yiyi-st" id="yiyi-840">Intro from the Apache webserver documentation</span></dd><dt><span class="yiyi-st" id="yiyi-841"><a class="reference external" href="https://www.ietf.org/rfc/rfc1422">RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management</a></span></dt><dd><span class="yiyi-st" id="yiyi-842">Steve Kent</span></dd><dt><span class="yiyi-st" id="yiyi-843"><a class="reference external" href="https://www.ietf.org/rfc/rfc1750">RFC 1750: Randomness Recommendations for Security</a></span></dt><dd><span class="yiyi-st" id="yiyi-844">D. Eastlake et. </span><span class="yiyi-st" id="yiyi-845">al.</span></dd><dt><span class="yiyi-st" id="yiyi-846"><a class="reference external" href="https://www.ietf.org/rfc/rfc3280">RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a></span></dt><dd><span class="yiyi-st" id="yiyi-847">Housley et. </span><span class="yiyi-st" id="yiyi-848">al.</span></dd><dt><span class="yiyi-st" id="yiyi-849"><a class="reference external" href="https://www.ietf.org/rfc/rfc4366">RFC 4366: Transport Layer Security (TLS) Extensions</a></span></dt><dd><span class="yiyi-st" id="yiyi-850">Blake-Wilson et. </span><span class="yiyi-st" id="yiyi-851">al.</span></dd><dt><span class="yiyi-st" id="yiyi-852"><a class="reference external" href="https://tools.ietf.org/html/rfc5246">RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2</a></span></dt><dd><span class="yiyi-st" id="yiyi-853">T. Dierks et. </span><span class="yiyi-st" id="yiyi-854">al.</span></dd><dt><span class="yiyi-st" id="yiyi-855"><a class="reference external" href="https://tools.ietf.org/html/rfc6066">RFC 6066: Transport Layer Security (TLS) Extensions</a></span></dt><dd><span class="yiyi-st" id="yiyi-856">D. Eastlake</span></dd><dt><span class="yiyi-st" id="yiyi-857"><a class="reference external" href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xml">IANA TLS: Transport Layer Security (TLS) Parameters</a></span></dt><dd><span class="yiyi-st" id="yiyi-858">IANA</span></dd></dl></div></div></div></div></div>
Reference in New Issue View Git Blame Copy Permalink