17.3. ssl
— TLS/SSL wrapper for socket objects¶
New in version 2.6.
Source code: Lib/ssl.py
This module provides access to Transport Layer Security (often known as “Secure Sockets Layer”) encryption and peer authentication facilities for network sockets, both client-side and server-side. This module uses the OpenSSL library. It is available on all modern Unix systems, Windows, Mac OS X, and probably additional platforms, as long as OpenSSL is installed on that platform.
Note
Some behavior may be platform dependent, since calls are made to the operating system socket APIs. The installed version of OpenSSL may also cause variations in behavior. For example, TLSv1.1 and TLSv1.2 come with openssl version 1.0.1.
Warning
Don’t use this module without reading the Security considerations. Doing so may lead to a false sense of security, as the default settings of the ssl module are not necessarily appropriate for your application.
This section documents the objects and functions in the ssl
module; for more
general information about TLS, SSL, and certificates, the reader is referred to
the documents in the “See Also” section at the bottom.
This module provides a class, ssl.SSLSocket
, which is derived from the
socket.socket
type, and provides a socket-like wrapper that also
encrypts and decrypts the data going over the socket with SSL. It supports
additional methods such as getpeercert()
, which retrieves the
certificate of the other side of the connection, and cipher()
,which
retrieves the cipher being used for the secure connection.
For more sophisticated applications, the ssl.SSLContext
class
helps manage settings and certificates, which can then be inherited
by SSL sockets created through the SSLContext.wrap_socket()
method.
17.3.1. Functions, Constants, and Exceptions¶
-
exception
ssl.
SSLError
¶ Raised to signal an error from the underlying SSL implementation (currently provided by the OpenSSL library). This signifies some problem in the higher-level encryption and authentication layer that’s superimposed on the underlying network connection. This error is a subtype of
socket.error
, which in turn is a subtype ofIOError
. The error code and message ofSSLError
instances are provided by the OpenSSL library.-
library
¶ A string mnemonic designating the OpenSSL submodule in which the error occurred, such as
SSL
,PEM
orX509
. The range of possible values depends on the OpenSSL version.New in version 2.7.9.
-
reason
¶ A string mnemonic designating the reason this error occurred, for example
CERTIFICATE_VERIFY_FAILED
. The range of possible values depends on the OpenSSL version.New in version 2.7.9.
-
-
exception
ssl.
SSLZeroReturnError
¶ A subclass of
SSLError
raised when trying to read or write and the SSL connection has been closed cleanly. Note that this doesn’t mean that the underlying transport (read TCP) has been closed.New in version 2.7.9.
-
exception
ssl.
SSLWantReadError
¶ A subclass of
SSLError
raised by a non-blocking SSL socket when trying to read or write data, but more data needs to be received on the underlying TCP transport before the request can be fulfilled.New in version 2.7.9.
-
exception
ssl.
SSLWantWriteError
¶ A subclass of
SSLError
raised by a non-blocking SSL socket when trying to read or write data, but more data needs to be sent on the underlying TCP transport before the request can be fulfilled.New in version 2.7.9.
-
exception
ssl.
SSLSyscallError
¶ A subclass of
SSLError
raised when a system error was encountered while trying to fulfill an operation on a SSL socket. Unfortunately, there is no easy way to inspect the original errno number.New in version 2.7.9.
-
exception
ssl.
SSLEOFError
¶ A subclass of
SSLError
raised when the SSL connection has been terminated abruptly. Generally, you shouldn’t try to reuse the underlying transport when this error is encountered.New in version 2.7.9.
-
exception
ssl.
CertificateError
¶ Raised to signal an error with a certificate (such as mismatching hostname). Certificate errors detected by OpenSSL, though, raise an
SSLError
.
17.3.1.1. Socket creation¶
The following function allows for standalone socket creation. Starting from
Python 2.7.9, it can be more flexible to use SSLContext.wrap_socket()
instead.
-
ssl.
wrap_socket
(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version={see docs}, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None)¶ Takes an instance
sock
ofsocket.socket
, and returns an instance ofssl.SSLSocket
, a subtype ofsocket.socket
, which wraps the underlying socket in an SSL context.sock
must be aSOCK_STREAM
socket; other socket types are unsupported.For client-side sockets, the context construction is lazy; if the underlying socket isn’t connected yet, the context construction will be performed after
connect()
is called on the socket. For server-side sockets, if the socket has no remote peer, it is assumed to be a listening socket, and the server-side SSL wrapping is automatically performed on client connections accepted via theaccept()
method.wrap_socket()
may raiseSSLError
.The
keyfile
andcertfile
parameters specify optional files which contain a certificate to be used to identify the local side of the connection. See the discussion of Certificates for more information on how the certificate is stored in thecertfile
.The parameter
server_side
is a boolean which identifies whether server-side or client-side behavior is desired from this socket.The parameter
cert_reqs
specifies whether a certificate is required from the other side of the connection, and whether it will be validated if provided. It must be one of the three valuesCERT_NONE
(certificates ignored),CERT_OPTIONAL
(not required, but validated if provided), orCERT_REQUIRED
(required and validated). If the value of this parameter is notCERT_NONE
, then theca_certs
parameter must point to a file of CA certificates.The
ca_certs
file contains a set of concatenated “certification authority” certificates, which are used to validate certificates passed from the other end of the connection. See the discussion of Certificates for more information about how to arrange the certificates in this file.The parameter
ssl_version
specifies which version of the SSL protocol to use. Typically, the server chooses a particular protocol version, and the client must adapt to the server’s choice. Most of the versions are not interoperable with the other versions. If not specified, the default isPROTOCOL_SSLv23
; it provides the most compatibility with other versions.Here’s a table showing which versions in a client (down the side) can connect to which versions in a server (along the top):
client / server SSLv2 SSLv3 SSLv23 TLSv1 TLSv1.1 TLSv1.2 SSLv2 yes no yes no no no SSLv3 no yes yes no no no SSLv23 no yes yes yes yes yes TLSv1 no no yes yes no no TLSv1.1 no no yes no yes no TLSv1.2 no no yes no no yes Note
Which connections succeed will vary depending on the version of OpenSSL. For example, before OpenSSL 1.0.0, an SSLv23 client would always attempt SSLv2 connections.
The ciphers parameter sets the available ciphers for this SSL object. It should be a string in the OpenSSL cipher list format.
The parameter
do_handshake_on_connect
specifies whether to do the SSL handshake automatically after doing asocket.connect()
, or whether the application program will call it explicitly, by invoking theSSLSocket.do_handshake()
method. CallingSSLSocket.do_handshake()
explicitly gives the program control over the blocking behavior of the socket I/O involved in the handshake.The parameter
suppress_ragged_eofs
specifies how theSSLSocket.read()
method should signal unexpected EOF from the other end of the connection. If specified asTrue
(the default), it returns a normal EOF (an empty bytes object) in response to unexpected EOF errors raised from the underlying socket; ifFalse
, it will raise the exceptions back to the caller.Changed in version 2.7: New optional argument ciphers.
17.3.1.2. Context creation¶
A convenience function helps create SSLContext
objects for common
purposes.
-
ssl.
create_default_context
(purpose=Purpose.SERVER_AUTH, cafile=None, capath=None, cadata=None)¶ Return a new
SSLContext
object with default settings for the given purpose. The settings are chosen by thessl
module, and usually represent a higher security level than when calling theSSLContext
constructor directly.cafile, capath, cadata represent optional CA certificates to trust for certificate verification, as in
SSLContext.load_verify_locations()
. If all three areNone
, this function can choose to trust the system’s default CA certificates instead.The settings are:
PROTOCOL_SSLv23
,OP_NO_SSLv2
, andOP_NO_SSLv3
with high encryption cipher suites without RC4 and without unauthenticated cipher suites. PassingSERVER_AUTH
as purpose setsverify_mode
toCERT_REQUIRED
and either loads CA certificates (when at least one of cafile, capath or cadata is given) or usesSSLContext.load_default_certs()
to load default CA certificates.Note
The protocol, options, cipher and other settings may change to more restrictive values anytime without prior deprecation. The values represent a fair balance between compatibility and security.
If your application needs specific settings, you should create a
SSLContext
and apply the settings yourself.Note
If you find that when certain older clients or servers attempt to connect with a
SSLContext
created by this function that they get an error stating “Protocol or cipher suite mismatch”, it may be that they only support SSL3.0 which this function excludes using theOP_NO_SSLv3
. SSL3.0 is widely considered to be completely broken. If you still wish to continue to use this function but still allow SSL 3.0 connections you can re-enable them using:ctx = ssl.create_default_context(Purpose.CLIENT_AUTH) ctx.options &= ~ssl.OP_NO_SSLv3
New in version 2.7.9.
Changed in version 2.7.10: RC4 was dropped from the default cipher string.
17.3.1.3. Random generation¶
-
ssl.
RAND_status
()¶ Return
True
if the SSL pseudo-random number generator has been seeded with ‘enough’ randomness, andFalse
otherwise. You can usessl.RAND_egd()
andssl.RAND_add()
to increase the randomness of the pseudo-random number generator.
-
ssl.
RAND_egd
(path)¶ If you are running an entropy-gathering daemon (EGD) somewhere, and path is the pathname of a socket connection open to it, this will read 256 bytes of randomness from the socket, and add it to the SSL pseudo-random number generator to increase the security of generated secret keys. This is typically only necessary on systems without better sources of randomness.
See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources of entropy-gathering daemons.
Availability: not available with LibreSSL.
17.3.1.4. Certificate handling¶
-
ssl.
match_hostname
(cert, hostname)¶ Verify that cert (in decoded format as returned by
SSLSocket.getpeercert()
) matches the given hostname. The rules applied are those for checking the identity of HTTPS servers as outlined in RFC 2818 and RFC 6125, except that IP addresses are not currently supported. In addition to HTTPS, this function should be suitable for checking the identity of servers in various SSL-based protocols such as FTPS, IMAPS, POPS and others.CertificateError
is raised on failure. On success, the function returns nothing:>>> cert = {'subject': ((('commonName', 'example.com'),),)} >>> ssl.match_hostname(cert, "example.com") >>> ssl.match_hostname(cert, "example.org") Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/home/py3k/Lib/ssl.py", line 130, in match_hostname ssl.CertificateError: hostname 'example.org' doesn't match 'example.com'
New in version 2.7.9.
-
ssl.
cert_time_to_seconds
(cert_time)¶ Return the time in seconds since the Epoch, given the
cert_time
string representing the “notBefore” or “notAfter” date from a certificate in"%b %d %H:%M:%S %Y %Z"
strptime format (C locale).Here’s an example:
>>> import ssl >>> timestamp = ssl.cert_time_to_seconds("Jan 5 09:34:43 2018 GMT") >>> timestamp 1515144883 >>> from datetime import datetime >>> print(datetime.utcfromtimestamp(timestamp)) 2018-01-05 09:34:43
“notBefore” or “notAfter” dates must use GMT (RFC 5280).
Changed in version 2.7.9: Interpret the input time as a time in UTC as specified by ‘GMT’ timezone in the input string. Local timezone was used previously. Return an integer (no fractions of a second in the input format)
-
ssl.
get_server_certificate
(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None)¶ Given the address
addr
of an SSL-protected server, as a (hostname, port-number) pair, fetches the server’s certificate, and returns it as a PEM-encoded string. Ifssl_version
is specified, uses that version of the SSL protocol to attempt to connect to the server. Ifca_certs
is specified, it should be a file containing a list of root certificates, the same format as used for the same parameter inwrap_socket()
. The call will attempt to validate the server certificate against that set of root certificates, and will fail if the validation attempt fails.Changed in version 2.7.9: This function is now IPv6-compatible, and the default ssl_version is changed from
PROTOCOL_SSLv3
toPROTOCOL_SSLv23
for maximum compatibility with modern servers.
-
ssl.
DER_cert_to_PEM_cert
(DER_cert_bytes)¶ Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded string version of the same certificate.
-
ssl.
PEM_cert_to_DER_cert
(PEM_cert_string)¶ Given a certificate as an ASCII PEM string, returns a DER-encoded sequence of bytes for that same certificate.
-
ssl.
get_default_verify_paths
()¶ Returns a named tuple with paths to OpenSSL’s default cafile and capath. The paths are the same as used by
SSLContext.set_default_verify_paths()
. The return value is a named tupleDefaultVerifyPaths
:cafile
- resolved path to cafile or None if the file doesn’t exist,capath
- resolved path to capath or None if the directory doesn’t exist,openssl_cafile_env
- OpenSSL’s environment key that points to a cafile,openssl_cafile
- hard coded path to a cafile,openssl_capath_env
- OpenSSL’s environment key that points to a capath,openssl_capath
- hard coded path to a capath directory
New in version 2.7.9.
-
ssl.
enum_certificates
(store_name)¶ Retrieve certificates from Windows’ system cert store. store_name may be one of
CA
,ROOT
orMY
. Windows may provide additional cert stores, too.The function returns a list of (cert_bytes, encoding_type, trust) tuples. The encoding_type specifies the encoding of cert_bytes. It is either
x509_asn
for X.509 ASN.1 data orpkcs_7_asn
for PKCS#7 ASN.1 data. Trust specifies the purpose of the certificate as a set of OIDS or exactlyTrue
if the certificate is trustworthy for all purposes.Example:
>>> ssl.enum_certificates("CA") [(b'data...', 'x509_asn', {'1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'}), (b'data...', 'x509_asn', True)]
Availability: Windows.
New in version 2.7.9.
-
ssl.
enum_crls
(store_name)¶ Retrieve CRLs from Windows’ system cert store. store_name may be one of
CA
,ROOT
orMY
. Windows may provide additional cert stores, too.The function returns a list of (cert_bytes, encoding_type, trust) tuples. The encoding_type specifies the encoding of cert_bytes. It is either
x509_asn
for X.509 ASN.1 data orpkcs_7_asn
for PKCS#7 ASN.1 data.Availability: Windows.
New in version 2.7.9.
17.3.1.5. Constants¶
-
ssl.
CERT_NONE
¶ Possible value for
SSLContext.verify_mode
, or thecert_reqs
parameter towrap_socket()
. In this mode (the default), no certificates will be required from the other side of the socket connection. If a certificate is received from the other end, no attempt to validate it is made.See the discussion of Security considerations below.
-
ssl.
CERT_OPTIONAL
¶ Possible value for
SSLContext.verify_mode
, or thecert_reqs
parameter towrap_socket()
. In this mode no certificates will be required from the other side of the socket connection; but if they are provided, validation will be attempted and anSSLError
will be raised on failure.Use of this setting requires a valid set of CA certificates to be passed, either to
SSLContext.load_verify_locations()
or as a value of theca_certs
parameter towrap_socket()
.
-
ssl.
CERT_REQUIRED
¶ Possible value for
SSLContext.verify_mode
, or thecert_reqs
parameter towrap_socket()
. In this mode, certificates are required from the other side of the socket connection; anSSLError
will be raised if no certificate is provided, or if its validation fails.Use of this setting requires a valid set of CA certificates to be passed, either to
SSLContext.load_verify_locations()
or as a value of theca_certs
parameter towrap_socket()
.
-
ssl.
VERIFY_DEFAULT
¶ Possible value for
SSLContext.verify_flags
. In this mode, certificate revocation lists (CRLs) are not checked. By default OpenSSL does neither require nor verify CRLs.New in version 2.7.9.
-
ssl.
VERIFY_CRL_CHECK_LEAF
¶ Possible value for
SSLContext.verify_flags
. In this mode, only the peer cert is check but non of the intermediate CA certificates. The mode requires a valid CRL that is signed by the peer cert’s issuer (its direct ancestor CA). If no proper has been loadedSSLContext.load_verify_locations
, validation will fail.New in version 2.7.9.
-
ssl.
VERIFY_CRL_CHECK_CHAIN
¶ Possible value for
SSLContext.verify_flags
. In this mode, CRLs of all certificates in the peer cert chain are checked.New in version 2.7.9.
-
ssl.
VERIFY_X509_STRICT
¶ Possible value for
SSLContext.verify_flags
to disable workarounds for broken X.509 certificates.New in version 2.7.9.
-
ssl.
VERIFY_X509_TRUSTED_FIRST
¶ Possible value for
SSLContext.verify_flags
. It instructs OpenSSL to prefer trusted certificates when building the trust chain to validate a certificate. This flag is enabled by default.New in version 2.7.10.
-
ssl.
PROTOCOL_SSLv23
¶ Selects the highest protocol version that both the client and server support. Despite the name, this option can select “TLS” protocols as well as “SSL”.
-
ssl.
PROTOCOL_SSLv2
¶ Selects SSL version 2 as the channel encryption protocol.
This protocol is not available if OpenSSL is compiled with the
OPENSSL_NO_SSL2
flag.Warning
SSL version 2 is insecure. Its use is highly discouraged.
-
ssl.
PROTOCOL_SSLv3
¶ Selects SSL version 3 as the channel encryption protocol.
This protocol is not be available if OpenSSL is compiled with the
OPENSSL_NO_SSLv3
flag.Warning
SSL version 3 is insecure. Its use is highly discouraged.
-
ssl.
PROTOCOL_TLSv1
¶ Selects TLS version 1.0 as the channel encryption protocol.
-
ssl.
PROTOCOL_TLSv1_1
¶ Selects TLS version 1.1 as the channel encryption protocol. Available only with openssl version 1.0.1+.
New in version 2.7.9.
-
ssl.
PROTOCOL_TLSv1_2
¶ Selects TLS version 1.2 as the channel encryption protocol. This is the most modern version, and probably the best choice for maximum protection, if both sides can speak it. Available only with openssl version 1.0.1+.
New in version 2.7.9.
-
ssl.
OP_ALL
¶ Enables workarounds for various bugs present in other SSL implementations. This option is set by default. It does not necessarily set the same flags as OpenSSL’s
SSL_OP_ALL
constant.New in version 2.7.9.
-
ssl.
OP_NO_SSLv2
¶ Prevents an SSLv2 connection. This option is only applicable in conjunction with
PROTOCOL_SSLv23
. It prevents the peers from choosing SSLv2 as the protocol version.New in version 2.7.9.
-
ssl.
OP_NO_SSLv3
¶ Prevents an SSLv3 connection. This option is only applicable in conjunction with
PROTOCOL_SSLv23
. It prevents the peers from choosing SSLv3 as the protocol version.New in version 2.7.9.
-
ssl.
OP_NO_TLSv1
¶ Prevents a TLSv1 connection. This option is only applicable in conjunction with
PROTOCOL_SSLv23
. It prevents the peers from choosing TLSv1 as the protocol version.New in version 2.7.9.
-
ssl.
OP_NO_TLSv1_1
¶ Prevents a TLSv1.1 connection. This option is only applicable in conjunction with
PROTOCOL_SSLv23
. It prevents the peers from choosing TLSv1.1 as the protocol version. Available only with openssl version 1.0.1+.New in version 2.7.9.
-
ssl.
OP_NO_TLSv1_2
¶ Prevents a TLSv1.2 connection. This option is only applicable in conjunction with
PROTOCOL_SSLv23
. It prevents the peers from choosing TLSv1.2 as the protocol version. Available only with openssl version 1.0.1+.New in version 2.7.9.
-
ssl.
OP_CIPHER_SERVER_PREFERENCE
¶ Use the server’s cipher ordering preference, rather than the client’s. This option has no effect on client sockets and SSLv2 server sockets.
New in version 2.7.9.
-
ssl.
OP_SINGLE_DH_USE
¶ Prevents re-use of the same DH key for distinct SSL sessions. This improves forward secrecy but requires more computational resources. This option only applies to server sockets.
New in version 2.7.9.
-
ssl.
OP_SINGLE_ECDH_USE
¶ Prevents re-use of the same ECDH key for distinct SSL sessions. This improves forward secrecy but requires more computational resources. This option only applies to server sockets.
New in version 2.7.9.
-
ssl.
OP_NO_COMPRESSION
¶ Disable compression on the SSL channel. This is useful if the application protocol supports its own compression scheme.
This option is only available with OpenSSL 1.0.0 and later.
New in version 2.7.9.