
Module ssl

This module implements the SSL functionality in NSS

SSL Version Range API

This API should be used to control SSL 3.0 and TLS support instead of the older SSLSocket.set_ssl_option() API; however, the SSLSocket.set_ssl_option() API MUST still be used to control SSL 2.0 support. In this version of libssl, SSL 3.0 and TLS 1.0 are enabled by default. Future versions of libssl may change which versions of the protocol are enabled by default.

The protocol_variant enums (SSL_VARIANT_STREAM, SSL_VARIANT_DATAGRAM) indicate whether the protocol is of type stream (TLS) or datagram (DTLS). This must be provided to the module-level functions, which do not operate on a socket; SSLSocket methods get the variant from the socket itself.

Using the new version range API in conjunction with the older SSLSocket.set_ssl_option() API for controlling the enabled protocol versions may cause unexpected results. Going forward, we guarantee only the following:

SSLSocket.get_ssl_option(ssl.SSL_ENABLE_TLS) will return True if ANY versions of TLS are enabled.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, False) will disable ALL versions of TLS, including TLS 1.0 and later.

The above two properties provide compatibility for applications that use SSLSocket.set_ssl_option() to implement the insecure fallback from TLS 1.x to SSL 3.0.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True) will enable TLS 1.0, and may also enable some later versions of TLS, if it is necessary to do so in order to keep the set of enabled versions contiguous. For example, if TLS 1.2 is enabled, then after SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True), TLS 1.0, TLS 1.1, and TLS 1.2 will be enabled, and the call will have no effect on whether SSL 3.0 is enabled. If no later versions of TLS are enabled at the time SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True) is called, then no later versions of TLS will be enabled by the call.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_SSL3, False) will disable SSL 3.0, and will not change the set of TLS versions that are enabled.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_SSL3, True) will enable SSL 3.0, and may also enable some versions of TLS if TLS 1.1 or later is enabled at the time of the call, the same way SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True) works, in order to keep the set of enabled versions contiguous.
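The six rules above are easier to reason about as a state machine over a contiguous (min, max) range. The following is an added example, not code from python-nss or NSS: a pure-Python model of those rules. It uses the SSL_LIBRARY_VERSION_* values listed under Variables; the VersionRange class, its methods and insecure_fallback() are hypothetical names standing in for SSLSocket.set_ssl_option()/get_ssl_option() calls on a real socket.

```python
# Added example, not python-nss code: a pure-Python model of the rules listed
# above for mixing the version-range API with the legacy SSL_ENABLE_SSL3 /
# SSL_ENABLE_TLS options. Constants are the SSL_LIBRARY_VERSION_* values from
# this page; VersionRange and its method names are mine.

SSL_LIBRARY_VERSION_3_0 = 768
SSL_LIBRARY_VERSION_TLS_1_0 = 769
SSL_LIBRARY_VERSION_TLS_1_1 = 770
SSL_LIBRARY_VERSION_TLS_1_2 = 771
SSL_LIBRARY_VERSION_TLS_1_3 = 772

VERSION_NAMES = {
    SSL_LIBRARY_VERSION_3_0: "ssl3",
    SSL_LIBRARY_VERSION_TLS_1_0: "tls1.0",
    SSL_LIBRARY_VERSION_TLS_1_1: "tls1.1",
    SSL_LIBRARY_VERSION_TLS_1_2: "tls1.2",
    SSL_LIBRARY_VERSION_TLS_1_3: "tls1.3",
}


class VersionRange:
    """Enabled versions are always a contiguous range [min, max];
    min > max means nothing is enabled."""

    def __init__(self, min_version, max_version):
        self.min = min_version
        self.max = max_version

    def is_empty(self):
        return self.min > self.max

    def enabled(self):
        # range() is empty when min > max, so no special case is needed
        return [VERSION_NAMES[v] for v in range(self.min, self.max + 1)]

    # SSL_ENABLE_TLS: the two guaranteed properties plus the contiguity rule
    def get_enable_tls(self):
        # True if ANY TLS version is enabled
        return not self.is_empty() and self.max >= SSL_LIBRARY_VERSION_TLS_1_0

    def set_enable_tls(self, on):
        if not on:
            # Disable ALL TLS versions; SSL 3.0 keeps whatever state it had.
            # If SSL 3.0 was off, the range becomes empty (min > max).
            self.max = SSL_LIBRARY_VERSION_3_0
        elif self.is_empty():
            # Nothing enabled: TLS 1.0 alone, no later versions are added.
            self.min = self.max = SSL_LIBRARY_VERSION_TLS_1_0
        else:
            # Enable TLS 1.0; later versions already on stay on, and the
            # versions in between are enabled to keep the range contiguous.
            self.min = min(self.min, SSL_LIBRARY_VERSION_TLS_1_0)
            self.max = max(self.max, SSL_LIBRARY_VERSION_TLS_1_0)

    # SSL_ENABLE_SSL3
    def get_enable_ssl3(self):
        # Not one of the page's stated guarantees; true when SSL 3.0 is in range.
        return not self.is_empty() and self.min == SSL_LIBRARY_VERSION_3_0

    def set_enable_ssl3(self, on):
        if not on:
            # Disable SSL 3.0 without changing the enabled TLS versions.
            if self.min == SSL_LIBRARY_VERSION_3_0:
                self.min = SSL_LIBRARY_VERSION_TLS_1_0
        elif self.is_empty():
            self.min = self.max = SSL_LIBRARY_VERSION_3_0
        else:
            # Enable SSL 3.0; if TLS 1.1+ is on, TLS 1.0 is switched on too.
            self.min = SSL_LIBRARY_VERSION_3_0


def insecure_fallback(min_version, max_version):
    """The pattern the compatibility rules exist to support: a client with the
    given TLS range retries with SSL 3.0 on and every TLS version off.
    Returns what is left enabled, which shows why this fallback is unsafe."""
    r = VersionRange(min_version, max_version)
    r.set_enable_ssl3(True)
    r.set_enable_tls(False)
    return r.enabled()


if __name__ == "__main__":
    r = VersionRange(SSL_LIBRARY_VERSION_TLS_1_2, SSL_LIBRARY_VERSION_TLS_1_2)
    r.set_enable_tls(True)
    print("TLS 1.2 only, then SSL_ENABLE_TLS=True:", r.enabled())
    print("fallback from tls1.0..tls1.2:", insecure_fallback(769, 771))
```

The model makes the practical hazard explicit: an application that still drives versions through SSL_ENABLE_SSL3 and SSL_ENABLE_TLS can end up negotiating only SSL 3.0 after a single retry, so new code should set the range once with the version-range API and not touch the legacy options at all.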

Classes
SSLChannelInfo
SSLChannelInformation(obj)
SSLCipherSuiteInfo
SSLCipherSuiteInformation(obj)
SSLSocket
SSLSocket(family=PR_AF_INET, type=PR_DESC_SOCKET_TCP)
Functions

clear_session_cache()
You must call ssl.clear_session_cache() after you use one of the SSL Export Policy Functions to change cipher suite policy settings or use ssl.set_default_cipher_pref() to enable or disable any cipher suite.

config_mp_server_sid_cache(max_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None)
This function sets up a Server Session ID (SID) cache that is safe for access by multiple processes on the same system.

config_server_session_id_cache(max_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None)
If you are writing an application which will use SSL sockets to handshake as a server, you must call config_server_session_id_cache() to configure the session caches for server sessions.

config_server_session_id_cache_with_opt(max_cache_entries=0, max_cert_cache_entries=0, max_server_name_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None, enable_mp_cache=False)
Configure a secure server's session-id cache.

get_cipher_policy(cipher) -> policy
Returns the cipher policy.

get_cipher_suite_info(suite) -> SSLCipherSuiteInfo
Returns a ssl.SSLCipherSuiteInfo.

get_default_cipher_pref(cipher) -> enabled
Returns the application default preference for the specified SSL2, SSL3, or TLS cipher.

get_default_ssl_version_range(protocol_variant=SSL_VARIANT_STREAM, repr_kind=AsEnum) -> (min_version, max_version)
Returns the range of SSL3/TLS versions enabled by default for the given protocol variant.

get_max_server_cache_locks() -> int
Get the configured maximum number of mutexes used for the server's store of SSL sessions.

get_ssl_default_option(value)
Gets the default value of a specified SSL option for all subsequently opened sockets as long as the current application program is running.

get_ssl_version_from_major_minor(major, minor, repr_kind=AsString) -> Object
Given the major and minor SSL protocol versions, return the SSL version in the representation selected by repr_kind.

get_supported_ssl_version_range(protocol_variant=SSL_VARIANT_STREAM, repr_kind=AsEnum) -> (min_version, max_version)
Returns the range of SSL3/TLS versions supported for the given protocol variant by the version of libssl linked to at runtime.

set_cipher_policy(cipher, enabled)
Tells the SSL library that the specified cipher suite is allowed by the application's export license, is not allowed by the application's export license, or is allowed to be used only with a Step-Up certificate.

set_default_cipher_pref(cipher, enabled)
Sets the application default preference for the specified SSL2, SSL3, or TLS cipher.

set_default_ssl_version_range(min_version, max_version, protocol_variant=SSL_VARIANT_STREAM)
Sets the range of SSL3/TLS versions enabled by default for the given protocol variant.

set_domestic_policy()
Configures cipher suites to conform with current U.S. export regulations related to domestic software products with encryption features.

set_export_policy()
Configures the SSL cipher suites to conform with current U.S. export regulations related to international software products with encryption features.

set_france_policy()
Configures the SSL cipher suites to conform with French import regulations related to software products with encryption features.

set_max_server_cache_locks(max_locks)
Set the configured maximum number of mutexes used for the server's store of SSL sessions.

set_ssl_default_option(option, value)
Changes the default value of a specified SSL option for all subsequently opened sockets as long as the current application program is running.

shutdown_server_session_id_cache()

ssl_cipher_suite_from_name(name) -> int
Given the name of an SSL cipher constant, return its integer constant. The string comparison is case insensitive.

ssl_cipher_suite_name(cipher) -> string
Given an enumerated SSL cipher constant, return its name as a string.

ssl_library_version_from_name(name) -> int
Given the name of an SSL_LIBRARY_VERSION constant, return its integer constant. The string comparison is case insensitive.

ssl_library_version_name(ssl_library_version, repr_kind=AsEnumName) -> string
Given an SSL_LIBRARY_VERSION constant, return it in the representation selected by repr_kind.
Variables
  SRTP_AES128_CM_HMAC_SHA1_32 = 2
  SRTP_AES128_CM_HMAC_SHA1_80 = 1
  SRTP_NULL_HMAC_SHA1_32 = 6
  SRTP_NULL_HMAC_SHA1_80 = 5
  SSL_ALLOWED = 1
  SSL_BYPASS_PKCS11 = 16
  SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 7
  SSL_CK_DES_64_CBC_WITH_MD5 = 6
  SSL_CK_IDEA_128_CBC_WITH_MD5 = 5
  SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 4
  SSL_CK_RC2_128_CBC_WITH_MD5 = 3
  SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 2
  SSL_CK_RC4_128_WITH_MD5 = 1
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 17
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 19
  SSL_DHE_DSS_WITH_DES_CBC_SHA = 18
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 20
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 22
  SSL_DHE_RSA_WITH_DES_CBC_SHA = 21
  SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 25
  SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 23
  SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA = 27
  SSL_DH_ANON_WITH_DES_CBC_SHA = 26
  SSL_DH_ANON_WITH_RC4_128_MD5 = 24
  SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 11
  SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = 13
  SSL_DH_DSS_WITH_DES_CBC_SHA = 12
  SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 14
  SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = 16
  SSL_DH_RSA_WITH_DES_CBC_SHA = 15
  SSL_ENABLE_FDX = 11
  SSL_ENABLE_SSL2 = 7
  SSL_ENABLE_SSL3 = 8
  SSL_ENABLE_TLS = 13
  SSL_EN_DES_192_EDE3_CBC_WITH_MD5 = 65287
  SSL_EN_DES_64_CBC_WITH_MD5 = 65286
  SSL_EN_IDEA_128_CBC_WITH_MD5 = 65285
  SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 = 65284
  SSL_EN_RC2_128_CBC_WITH_MD5 = 65283
  SSL_EN_RC4_128_EXPORT40_WITH_MD5 = 65282
  SSL_EN_RC4_128_WITH_MD5 = 65281
  SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 29
  SSL_FORTEZZA_DMS_WITH_NULL_SHA = 28
  SSL_FORTEZZA_DMS_WITH_RC4_128_SHA = 30
  SSL_HANDSHAKE_AS_CLIENT = 5
  SSL_HANDSHAKE_AS_SERVER = 6
  SSL_LIBRARY_VERSION_2 = 2
  SSL_LIBRARY_VERSION_3_0 = 768
  SSL_LIBRARY_VERSION_TLS_1_0 = 769
  SSL_LIBRARY_VERSION_TLS_1_1 = 770
  SSL_LIBRARY_VERSION_TLS_1_2 = 771
  SSL_LIBRARY_VERSION_TLS_1_3 = 772
  SSL_NOT_ALLOWED = 0
  SSL_NO_CACHE = 9
  SSL_NO_LOCKS = 17
  SSL_NO_STEP_DOWN = 15
  SSL_NULL_WITH_NULL_NULL = 0
  SSL_REQUEST_CERTIFICATE = 3
  SSL_REQUIRE_ALWAYS = 1
  SSL_REQUIRE_CERTIFICATE = 10
  SSL_REQUIRE_FIRST_HANDSHAKE = 2
  SSL_REQUIRE_NEVER = 0
  SSL_REQUIRE_NO_ERROR = 3
  SSL_RESTRICTED = 2
  SSL_ROLLBACK_DETECTION = 14
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = 8
  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 6
  SSL_RSA_EXPORT_WITH_RC4_40_MD5 = 3
  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 65279
  SSL_RSA_FIPS_WITH_DES_CBC_SHA = 65278
  SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA = 65504
  SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA = 65505
  SSL_RSA_WITH_3DES_EDE_CBC_SHA = 10
  SSL_RSA_WITH_DES_CBC_SHA = 9
  SSL_RSA_WITH_IDEA_CBC_SHA = 7
  SSL_RSA_WITH_NULL_MD5 = 1
  SSL_RSA_WITH_NULL_SHA = 2
  SSL_RSA_WITH_RC4_128_MD5 = 4
  SSL_RSA_WITH_RC4_128_SHA = 5
  SSL_SECURITY = 1
  SSL_SECURITY_STATUS_NOOPT = -1
  SSL_SECURITY_STATUS_OFF = 0
  SSL_SECURITY_STATUS_ON_HIGH = 1
  SSL_SECURITY_STATUS_ON_LOW = 2
  SSL_SOCKS = 2
  SSL_V2_COMPATIBLE_HELLO = 12
  SSL_VARIANT_DATAGRAM = 1
  SSL_VARIANT_STREAM = 0
  TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 99
  TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 101
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 17
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 19
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 50
  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 162
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 56
  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 68
  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 135
  TLS_DHE_DSS_WITH_DES_CBC_SHA = 18
  TLS_DHE_DSS_WITH_RC4_128_SHA = 102
  TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 52397
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 20
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 22
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 51
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 103
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 158
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 57
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 107
  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 69
  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 136
  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 52394
  TLS_DHE_RSA_WITH_DES_CBC_SHA = 21
  TLS_DH_ANON_WITH_AES_128_CBC_SHA = 52
  TLS_DH_ANON_WITH_AES_256_CBC_SHA = 58
  TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 70
  TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 137
  TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 11
  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 13
  TLS_DH_DSS_WITH_AES_128_CBC_SHA = 48
  TLS_DH_DSS_WITH_AES_256_CBC_SHA = 54
  TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 66
  TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 133
  TLS_DH_DSS_WITH_DES_CBC_SHA = 12
  TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 14
  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 16
  TLS_DH_RSA_WITH_AES_128_CBC_SHA = 49
  TLS_DH_RSA_WITH_AES_256_CBC_SHA = 55
  TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 67
  TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 134
  TLS_DH_RSA_WITH_DES_CBC_SHA = 15
  TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 25
  TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 23
  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 27
  TLS_DH_anon_WITH_AES_128_CBC_SHA = 52
  TLS_DH_anon_WITH_AES_256_CBC_SHA = 58
  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 70
  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 137
  TLS_DH_anon_WITH_DES_CBC_SHA = 26
  TLS_DH_anon_WITH_RC4_128_MD5 = 24
  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 49160
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 49161
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 49187
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 49195
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 49162
  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 52393
  TLS_ECDHE_ECDSA_WITH_NULL_SHA = 49158
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 49159
  TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 52396
  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 49170
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 49171
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 49191
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 49199
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 49172
  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 52392
  TLS_ECDHE_RSA_WITH_NULL_SHA = 49168
  TLS_ECDHE_RSA_WITH_RC4_128_SHA = 49169
  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 49155
  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 49156
  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 49197
  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 49157
  TLS_ECDH_ECDSA_WITH_NULL_SHA = 49153
  TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 49154
  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 49165
  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 49166
  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 49201
  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 49167
  TLS_ECDH_RSA_WITH_NULL_SHA = 49163
  TLS_ECDH_RSA_WITH_RC4_128_SHA = 49164
  TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 49175
  TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 49176
  TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 49177
  TLS_ECDH_anon_WITH_NULL_SHA = 49173
  TLS_ECDH_anon_WITH_RC4_128_SHA = 49174
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 255
  TLS_FALLBACK_SCSV = 22016
  TLS_NULL_WITH_NULL_NULL = 0
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 98
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 100
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 8
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 6
  TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 3
  TLS_RSA_WITH_3DES_EDE_CBC_SHA = 10
  TLS_RSA_WITH_AES_128_CBC_SHA = 47
  TLS_RSA_WITH_AES_128_CBC_SHA256 = 60
  TLS_RSA_WITH_AES_128_GCM_SHA256 = 156
  TLS_RSA_WITH_AES_256_CBC_SHA = 53
  TLS_RSA_WITH_AES_256_CBC_SHA256 = 61
  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 65
  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 132
  TLS_RSA_WITH_DES_CBC_SHA = 9
  TLS_RSA_WITH_IDEA_CBC_SHA = 7
  TLS_RSA_WITH_NULL_MD5 = 1
  TLS_RSA_WITH_NULL_SHA = 2
  TLS_RSA_WITH_NULL_SHA256 = 59
  TLS_RSA_WITH_RC4_128_MD5 = 4
  TLS_RSA_WITH_RC4_128_SHA = 5
  TLS_RSA_WITH_SEED_CBC_SHA = 150
  ssl2 = 2
  ssl3 = 768
  ssl_implemented_ciphers = (53249, 52396, 53250, 170, 52397, 17...
  tls1.0 = 769
  tls1.1 = 770
  tls1.2 = 771
  tls1.3 = 772
Function Details

clear_session_cache()

 
You must call ssl.clear_session_cache() after you use one of the SSL Export Policy Functions to change cipher suite policy settings or use ssl.set_default_cipher_pref() to enable or disable any cipher suite. Otherwise, the old settings remain in the session cache and will be used instead of the new settings. This function clears only the client cache. The client cache is not configurable. It is located in RAM (not on disk).

config_mp_server_sid_cache(max_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None)

 

This function sets up a Server Session ID (SID) cache that is safe for access by multiple processes on the same system.

Like ssl.config_server_session_id_cache(), with one important difference: if the application will run multiple processes (as opposed to, or in addition to, multiple threads), then it must call this function instead of ssl.config_server_session_id_cache(). This has nothing to do with the number of processors, only processes.

Parameters:
  • max_cache_entries (integer) - The maximum number of entries in the cache. If ZERO the server default value is used (10,000).
  • ssl2_timeout (integer) - The lifetime in seconds of an SSL2 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value (100 seconds).
  • ssl3_timeout (integer) - The lifetime in seconds of an SSL3 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value (24 hours).
  • directory (string) - A string specifying the pathname of the directory that will contain the session cache. If None the server default value is used (/tmp (Unix) or temp (NT)).

config_server_session_id_cache(max_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None)

 

If you are writing an application which will use SSL sockets to handshake as a server, you must call config_server_session_id_cache() to configure the session caches for server sessions.

If your server application uses multiple processes (instead of or in addition to multiple threads), use ssl.config_mp_server_sid_cache() instead. You must use one of these functions to create a server cache.

This function creates two caches: the server session ID cache (also called the server session cache, or server cache), and the client-auth certificate cache (also called the client cert cache, or client auth cache). Both caches are used only for sessions where the program handshakes as a server. The client-auth certificate cache is used to remember the certificates previously presented by clients for client certificate authentication.

A zero value or a value that is out of range for any of the parameters causes the server default value to be used in the server cache. Note, this function only affects the server cache, not the client cache.

Parameters:
  • max_cache_entries (integer) - The maximum number of entries in the cache. If ZERO the server default value is used (10,000).
  • ssl2_timeout (integer) - The lifetime in seconds of an SSL2 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value (100 seconds).
  • ssl3_timeout (integer) - The lifetime in seconds of an SSL3 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value (24 hours).
  • directory (string) - A string specifying the pathname of the directory that will contain the session cache. If None the server default value is used (/tmp (Unix) or temp (NT)).

config_server_session_id_cache_with_opt(max_cache_entries=0, max_cert_cache_entries=0, max_server_name_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None, enable_mp_cache=False)

 

Configure a secure server's session-id cache. Depending on the value of enable_mp_cache, this configures either a multi-process or a single-process cache.

A zero value or a value that is out of range for any of the parameters causes the server default value to be used in the server cache. Note, this function only affects the server cache, not the client cache.

Parameters:
  • max_cache_entries (integer) - The maximum number of entries in the cache. If ZERO the server default value is used (10,000).
  • max_cert_cache_entries (integer) - The maximum number of entries in the cert cache. If ZERO the server default value is used (10,000).
  • max_server_name_cache_entries (integer) - The maximum number of entries in the server name cache. If ZERO the server default value is used (10,000).
  • ssl2_timeout (integer) - The lifetime in seconds of an SSL2 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value (100 seconds).
  • ssl3_timeout (integer) - The lifetime in seconds of an SSL3 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value (24 hours).
  • directory (string) - A string specifying the pathname of the directory that will contain the session cache. If None the server default value is used (/tmp (Unix) or temp (NT)).
  • enable_mp_cache (bool) - If True enable the multi-process cache.

get_cipher_policy(cipher)

 
Returns the cipher policy.
Parameters:
  • cipher (integer) - The cipher suite enumeration (e.g. SSL_RSA_WITH_NULL_MD5, etc.)
Returns: policy

get_cipher_suite_info(suite)

 
Returns a ssl.SSLCipherSuiteInfo.
Parameters:
  • suite (int) - a cipher suite enumerated constant
Returns: SSLCipherSuiteInfo

get_default_cipher_pref(cipher)

 
Returns the application default preference for the specified SSL2, SSL3, or TLS cipher.
Parameters:
  • cipher (integer) - The cipher suite enumeration (e.g. SSL_RSA_WITH_NULL_MD5, etc.)
Returns: enabled

get_default_ssl_version_range(protocol_variant=SSL_VARIANT_STREAM, repr_kind=AsEnum)

 
Returns the range of SSL3/TLS versions enabled by default for the given protocol variant. The result is a tuple of enumerations (min_version, max_version).
Parameters:
  • protocol_variant (int) - One of: SSL_VARIANT_STREAM or SSL_VARIANT_DATAGRAM enumerated constants
  • repr_kind (RepresentationKind constant) - Specifies what format the contents of the returned tuple will be in. May be one of:

    AsEnum
    The enumerated constant as an integer value.
    AsEnumName
    The name of the enumerated constant as a string.
    AsString
    A short friendly name for the enumerated constant.
Returns: (min_version, max_version)

get_max_server_cache_locks()

 
Get the configured maximum number of mutexes used for the server's store of SSL sessions. This value is used by the server session ID cache initialization functions.
Returns: int

get_ssl_default_option(value)

 
Gets the default value of a specified SSL option for all subsequently opened sockets as long as the current application program is running. Refer to the documentation for SSLSocket.set_ssl_option() for an explanation of the possible values.

get_ssl_version_from_major_minor(major, minor, repr_kind=AsString)

 

Given the major and minor SSL protocol versions, return the SSL version in the representation selected by repr_kind.

Example:
get_ssl_version_from_major_minor(3, 1, nss.AsString) -> 'tls1.0'
Parameters:
  • major (int) - The major version number.
  • minor (int) - The minor version number.
  • repr_kind (RepresentationKind constant) - Specifies what format the return value will be in. May be one of:

    AsEnum
    The enumerated constant as an integer value.
    AsEnumName
    The name of the enumerated constant as a string.
    AsString
    A short friendly name for the enumerated constant.
Returns: Object

get_supported_ssl_version_range(protocol_variant=SSL_VARIANT_STREAM, repr_kind=AsEnum)

 
Returns the range of SSL3/TLS versions supported for the given protocol variant by the version of libssl linked to at runtime. The result is a tuple of enumerations (min_version, max_version).
Parameters:
  • protocol_variant (int) - One of: SSL_VARIANT_STREAM or SSL_VARIANT_DATAGRAM enumerated constants
  • repr_kind (RepresentationKind constant) - Specifies what format the contents of the returned tuple will be in. May be one of:

    AsEnum
    The enumerated constant as an integer value.
    AsEnumName
    The name of the enumerated constant as a string.
    AsString
    A short friendly name for the enumerated constant.
Returns: (min_version, max_version)

set_cipher_policy(cipher, enabled)

 
Tells the SSL library that the specified cipher suite is allowed by the application's export license, is not allowed by the application's export license, or is allowed to be used only with a Step-Up certificate. It overrides the factory default policy for that cipher suite. The default policy for all cipher suites is SSL_NOT_ALLOWED, meaning that the application's export license does not approve the use of this cipher suite. A U.S. domestic version of a product typically sets all cipher suites to SSL_ALLOWED. This setting is used to separate export and domestic versions of a product, and is not intended to express user cipher preferences.
Parameters:
  • cipher (integer) - The cipher suite enumeration (e.g. SSL_RSA_WITH_NULL_MD5, etc.)
  • enabled (bool) - Boolean value

set_default_cipher_pref(cipher, enabled)

 

Sets the application default preference for the specified SSL2, SSL3, or TLS cipher. A cipher suite is used only if the policy allows it and the preference for it is set to True.

This function must be called once for each cipher you want to enable or disable by default.

Note that the set of cipher suites which are permitted or disallowed is modified by previous calls to one or more of the SSL Export Policy Functions.

Parameters:
  • cipher (integer) - The cipher suite enumeration (e.g. SSL_RSA_WITH_NULL_MD5, etc.)
  • enabled (bool) - Boolean value
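The policy and preference functions above only say how to flip one suite at a time; what a practitioner actually wants is to decide which of the suites listed under Variables should be off by default, apply that, and not forget the clear_session_cache() call that the page requires afterwards. The following is an added example, not python-nss or NSS code: classify(), suites_to_disable() and harden() are hypothetical names, the WEAK_RULES patterns encode the public deprecation status of those algorithms rather than any NSS policy, and SAMPLE_SUITES is a constructed subset of the constants on this page. harden() uses only functions documented here (ssl_cipher_suite_from_name(), set_default_cipher_pref(), clear_session_cache()).

```python
# Added example, not python-nss code. classify(), suites_to_disable() and
# harden() are my own; WEAK_RULES reflects public deprecation status
# (RFC 7465 for RC4, Sweet32 for 3DES, export suites, NULL, anon DH, SSL 2.0),
# not an NSS policy. harden() calls the module-level API documented on this
# page: ssl_cipher_suite_from_name(), set_default_cipher_pref() and
# clear_session_cache().
import re

try:
    from nss import ssl as nss_ssl   # python-nss, if installed
except ImportError:                  # keep the example importable without it
    nss_ssl = None

# First matching rule wins, so the most specific reason is reported.
WEAK_RULES = [
    (re.compile(r"^SSL_(CK|EN)_"), "SSL 2.0 cipher kind"),
    (re.compile(r"_NULL_"), "no encryption"),
    (re.compile(r"_(anon|ANON)_"), "anonymous key exchange, no server authentication"),
    (re.compile(r"EXPORT"), "export-grade key size"),
    (re.compile(r"RC4"), "RC4 (RFC 7465)"),
    (re.compile(r"RC2|IDEA"), "legacy 64-bit block cipher"),
    (re.compile(r"3DES|EDE3"), "3DES, 64-bit block (Sweet32)"),
    (re.compile(r"_DES_|DES40"), "single DES"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
    (re.compile(r"FORTEZZA"), "FORTEZZA (obsolete)"),
]

FORWARD_SECRET = re.compile(r"_(DHE|ECDHE)_")


def classify(name):
    """Return (verdict, reason) for one cipher-suite constant name:
    'disable', 'review' (usable but no forward secrecy) or 'keep'."""
    if name.endswith("_SCSV"):
        # Signaling values (renegotiation info, fallback); not real suites.
        return ("keep", "signaling value, not a cipher suite")
    for pattern, reason in WEAK_RULES:
        if pattern.search(name):
            return ("disable", reason)
    if not FORWARD_SECRET.search(name):
        return ("review", "static key exchange, no forward secrecy")
    return ("keep", "forward-secret suite")


def suites_to_disable(names):
    return sorted(n for n in names if classify(n)[0] == "disable")


def harden(names, set_pref=None, lookup=None, clear=None):
    """Turn off every weak suite by default, then clear the client session
    cache as this page requires after any preference change. The callables
    default to the python-nss functions; pass your own for a dry run."""
    if nss_ssl is None and None in (set_pref, lookup, clear):
        raise RuntimeError("python-nss is not installed; pass callables")
    set_pref = set_pref or nss_ssl.set_default_cipher_pref
    lookup = lookup or nss_ssl.ssl_cipher_suite_from_name
    clear = clear or nss_ssl.clear_session_cache
    disabled = suites_to_disable(names)
    for name in disabled:
        set_pref(lookup(name), False)   # lookup is case-insensitive per the docs
    clear()
    return disabled


# Constructed sample drawn from the Variables list on this page.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_FALLBACK_SCSV",
    "SSL_CK_RC4_128_WITH_MD5",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print("%-48s %s: %s" % ((suite,) + classify(suite)))
```

Two caveats the page itself states apply here: set_default_cipher_pref() changes only the preference, so a suite is still negotiable only if the policy (set_domestic_policy() or set_cipher_policy()) allows it, and the new preferences are not honoured for resumed sessions until clear_session_cache() has run.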

set_default_ssl_version_range(min_version, max_version, protocol_variant=SSL_VARIANT_STREAM)

 
Sets the range of SSL3/TLS versions enabled by default for the given protocol variant.
Parameters:
  • min_version (int or string) - Either a SSL_LIBRARY_VERSION_* enumerated constant or its string equivalent, see ssl_library_version_from_name()
  • max_version (int or string) - Either a SSL_LIBRARY_VERSION_* enumerated constant or its string equivalent, see ssl_library_version_from_name()
  • protocol_variant (int) - One of: SSL_VARIANT_STREAM or SSL_VARIANT_DATAGRAM enumerated constants

set_domestic_policy()

 
Configures cipher suites to conform with current U.S. export regulations related to domestic software products with encryption features.

set_export_policy()

 
Configures the SSL cipher suites to conform with current U.S. export regulations related to international software products with encryption features.

set_max_server_cache_locks(max_locks)

 
Set the configured maximum number of mutexes used for the server's store of SSL sessions. This value is used by the server session ID cache initialization functions. Note that on some platforms, these mutexes are actually implemented with POSIX semaphores, or with unnamed pipes. The default value varies by platform. An attempt to set a too-low maximum will return an error and the configured value will not be changed.
Parameters:
  • max_locks (int) - Maximum number of locks

set_ssl_default_option(option, value)

 
Changes the default value of a specified SSL option for all subsequently opened sockets as long as the current application program is running. Refer to the documentation for SSLSocket.set_ssl_option() for an explanation of the possible values.

ssl_cipher_suite_from_name(name)

 
Given the name of an SSL cipher constant, return its integer constant. The string comparison is case insensitive.
Parameters:
  • name (string) - name of SSL cipher enumerated constant
Returns: int

ssl_cipher_suite_name(cipher)

 
Given an enumerated SSL cipher constant, return its name as a string.
Parameters:
  • cipher (int) - SSL cipher enumerated constant
Returns: string

ssl_library_version_from_name(name)

 

Given the name of an SSL_LIBRARY_VERSION constant, return its integer constant. The string comparison is case insensitive. In addition to the names of the SSL_LIBRARY_VERSION constants the following aliases are recognized:

Alias    Constant
ssl2     SSL_LIBRARY_VERSION_2
ssl3     SSL_LIBRARY_VERSION_3_0
tls1.0   SSL_LIBRARY_VERSION_TLS_1_0
tls1.1   SSL_LIBRARY_VERSION_TLS_1_1
tls1.2   SSL_LIBRARY_VERSION_TLS_1_2
tls1.3   SSL_LIBRARY_VERSION_TLS_1_3
Parameters:
  • name (string) - name of SSL_LIBRARY_VERSION
Returns: int
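The alias table above, the (major, minor) example under get_ssl_version_from_major_minor(), and the min_version/max_version parameters of set_default_ssl_version_range() all describe the same small piece of plumbing: turning a user-supplied version into a constant and checking the resulting range before applying it. The following is an added example, not python-nss or NSS code, that does that in pure Python. The constants are the values listed under Variables; version_from_name(), version_from_major_minor() and validate_version_range() are hypothetical names, the supported tuple stands in for what get_supported_ssl_version_range() returns, and the TLS 1.2 floor is my own policy, not the library's.

```python
# Added example, not python-nss code: normalise version names the way this page
# says ssl_library_version_from_name() does (case-insensitive, with the
# ssl2/ssl3/tls1.x aliases), derive a constant from the wire {major, minor}
# pair as get_ssl_version_from_major_minor() does, and sanity-check a
# (min, max) pair before handing it to set_default_ssl_version_range().
# Function names and the TLS 1.2 floor are mine.

SSL_LIBRARY_VERSION_2 = 2
SSL_LIBRARY_VERSION_3_0 = 768
SSL_LIBRARY_VERSION_TLS_1_0 = 769
SSL_LIBRARY_VERSION_TLS_1_1 = 770
SSL_LIBRARY_VERSION_TLS_1_2 = 771
SSL_LIBRARY_VERSION_TLS_1_3 = 772

CONSTANTS = {
    "SSL_LIBRARY_VERSION_2": SSL_LIBRARY_VERSION_2,
    "SSL_LIBRARY_VERSION_3_0": SSL_LIBRARY_VERSION_3_0,
    "SSL_LIBRARY_VERSION_TLS_1_0": SSL_LIBRARY_VERSION_TLS_1_0,
    "SSL_LIBRARY_VERSION_TLS_1_1": SSL_LIBRARY_VERSION_TLS_1_1,
    "SSL_LIBRARY_VERSION_TLS_1_2": SSL_LIBRARY_VERSION_TLS_1_2,
    "SSL_LIBRARY_VERSION_TLS_1_3": SSL_LIBRARY_VERSION_TLS_1_3,
}
# The aliases documented on this page, all lower case.
ALIASES = {"ssl2": 2, "ssl3": 768, "tls1.0": 769,
           "tls1.1": 770, "tls1.2": 771, "tls1.3": 772}
NAMES = {value: alias for alias, value in ALIASES.items()}   # int -> short name


def _label(value):
    return NAMES.get(value, str(value))


def version_from_name(name):
    """Case-insensitive lookup of a constant name or alias; ValueError if unknown."""
    key = name.strip().lower()
    if key in ALIASES:
        return ALIASES[key]
    for constant, value in CONSTANTS.items():
        if constant.lower() == key:
            return value
    raise ValueError("unknown SSL library version: %r" % name)


def version_from_major_minor(major, minor):
    """SSL 3.0 and TLS carry the version on the wire as two bytes {major, minor};
    the library constant is the same 16-bit value, e.g. (3, 1) -> 0x0301 == 769."""
    value = (major << 8) | minor
    if value not in NAMES:
        raise ValueError("unsupported protocol version %d.%d" % (major, minor))
    return value


def validate_version_range(min_version, max_version, supported,
                           floor=SSL_LIBRARY_VERSION_TLS_1_2):
    """Check a requested range against the (min, max) tuple that
    get_supported_ssl_version_range() reports for the linked libssl, and
    against a policy floor. Returns (lo, hi, problems); an empty problems
    list means the pair is safe to pass to set_default_ssl_version_range()."""
    lo = version_from_name(min_version) if isinstance(min_version, str) else min_version
    hi = version_from_name(max_version) if isinstance(max_version, str) else max_version
    problems = []
    if SSL_LIBRARY_VERSION_2 in (lo, hi):
        # The page is explicit: SSL 2.0 is outside the range API.
        problems.append("SSL 2.0 is controlled only by SSL_ENABLE_SSL2, "
                        "not by the version range API")
    if lo > hi:
        problems.append("min_version %s is above max_version %s"
                        % (_label(lo), _label(hi)))
    if lo < supported[0] or hi > supported[1]:
        problems.append("range exceeds what the linked libssl supports (%s..%s)"
                        % (_label(supported[0]), _label(supported[1])))
    if lo < floor:
        problems.append("min_version %s is below the policy floor %s"
                        % (_label(lo), _label(floor)))
    return lo, hi, problems


if __name__ == "__main__":
    print(version_from_major_minor(3, 1), NAMES[version_from_major_minor(3, 1)])
    print(validate_version_range("ssl3", "TLS1.2", supported=(768, 771)))
```

In real code the supported tuple comes from get_supported_ssl_version_range(protocol_variant, repr_kind=AsEnum), and the same check should be run for SSL_VARIANT_DATAGRAM separately, since DTLS has its own supported range.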

ssl_library_version_name(ssl_library_version, repr_kind=AsEnumName)

 
Given an SSL_LIBRARY_VERSION constant, return it in the representation selected by repr_kind.
Parameters:
  • ssl_library_version (int) - SSL_LIBRARY_VERSION constant
  • repr_kind (RepresentationKind constant) - Specifies what format the return value will be in. May be one of:

    AsEnum
    The enumerated constant as an integer value.
    AsEnumName
    The name of the enumerated constant as a string.
    AsString
    A short friendly name for the enumerated constant.
Returns: string

Variable Details

ssl_implemented_ciphers

Value:
(53249,
 52396,
 53250,
 170,
 52397,
 171,
 49195,
 49199,
...