SSL Version Range API

This API should be used to control SSL 3.0 and TLS support instead of
the older SSLSocket.set_ssl_option() API; however, the
SSLSocket.set_ssl_option() API MUST still be used to control SSL 2.0
support. In this version of libssl, SSL 3.0 and TLS 1.0 are enabled by
default. Future versions of libssl may change which versions of the
protocol are enabled by default.

The protocol_variant enums (SSL_VARIANT_STREAM, SSL_VARIANT_DATAGRAM)
indicate whether the protocol is of type stream or datagram. This
must be provided to the functions that do not take an fd. Functions
which take an fd will get the variant from the fd.

Using the new version range API in conjunction with the older
SSLSocket.set_ssl_option() API for controlling the enabled protocol
versions may cause unexpected results. Going forward, we guarantee
only the following:

SSLSocket.get_ssl_option(ssl.SSL_ENABLE_TLS) will return True if
ANY versions of TLS are enabled.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, False) will disable
ALL versions of TLS, including TLS 1.0 and later.

The above two properties provide compatibility for applications that
use SSLSocket.set_ssl_option() to implement the insecure fallback
from TLS 1.x to SSL 3.0.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True) will enable TLS
1.0, and may also enable some later versions of TLS, if it is
necessary to do so in order to keep the set of enabled versions
contiguous. For example, if TLS 1.2 is enabled, then after
SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True), TLS 1.0, TLS
1.1, and TLS 1.2 will be enabled, and the call will have no effect on
whether SSL 3.0 is enabled. If no later versions of TLS are enabled at
the time SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True) is
called, then no later versions of TLS will be enabled by the call.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_SSL3, False) will disable
SSL 3.0, and will not change the set of TLS versions that are enabled.

SSLSocket.set_ssl_option(ssl.SSL_ENABLE_SSL3, True) will enable SSL
3.0, and may also enable some versions of TLS if TLS 1.1 or later is
enabled at the time of the call, the same way
SSLSocket.set_ssl_option(ssl.SSL_ENABLE_TLS, True) works, in order
to keep the set of enabled versions contiguous.

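
The guarantees above, modelled in plain Python as an added example (not python-nss or NSS code): VersionState and harden_then_legacy_toggle are hypothetical names, and only the numeric constants come from this page. It shows why a legacy set_ssl_option(SSL_ENABLE_TLS, True) call made after pinning a version range brings TLS 1.0 and TLS 1.1 back.

```python
# Model of the compatibility guarantees documented above; not python-nss or NSS code.
SSL3, TLS1_0, TLS1_1, TLS1_2, TLS1_3 = 768, 769, 770, 771, 772  # SSL_LIBRARY_VERSION_* values
SSL_ENABLE_SSL3, SSL_ENABLE_TLS = 8, 13                         # option constants from this page


class VersionState:
    """Hypothetical stand-in for a socket's enabled-version range (None = nothing enabled)."""

    def __init__(self, vrange=(SSL3, TLS1_0)):   # documented default: SSL 3.0 and TLS 1.0
        self.vrange = vrange

    def set_version_range(self, lo, hi):
        if lo > hi:
            raise ValueError("min_version must not exceed max_version")
        self.vrange = (lo, hi)

    def get_ssl_option(self, option):
        if self.vrange is None:
            return False
        lo, hi = self.vrange
        # TLS counts as enabled if ANY TLS version is in the range.
        return hi >= TLS1_0 if option == SSL_ENABLE_TLS else lo == SSL3

    def set_ssl_option(self, option, on):
        anchor = TLS1_0 if option == SSL_ENABLE_TLS else SSL3
        if on:
            # Enabling stretches the range to reach the anchor so it stays contiguous.
            lo, hi = self.vrange or (anchor, anchor)
            self.vrange = (min(lo, anchor), max(hi, anchor))
        elif self.vrange is not None:
            lo, hi = self.vrange
            if option == SSL_ENABLE_TLS:
                # Disabling TLS removes every TLS version; SSL 3.0 survives if it was on.
                self.vrange = (SSL3, SSL3) if lo == SSL3 else None
            elif lo == SSL3:
                # Disabling SSL 3.0 leaves the enabled TLS versions untouched.
                self.vrange = (TLS1_0, hi) if hi >= TLS1_0 else None


def harden_then_legacy_toggle():
    """Pin TLS 1.2 only, then make the legacy call an old fallback path might make."""
    s = VersionState()
    s.set_version_range(TLS1_2, TLS1_2)
    s.set_ssl_option(SSL_ENABLE_TLS, True)
    return s.vrange   # the range now starts at TLS 1.0 again
```

When auditing code that mixes both APIs, check that the version range is set after any remaining set_ssl_option() calls, or that those calls are removed.
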
clear_session_cache()
    You must call ssl.clear_session_cache() after you use one of the SSL
    Export Policy Functions to change cipher suite policy settings or use
    ssl.set_default_cipher_pref() to enable or disable any cipher
    suite.

config_mp_server_sid_cache(max_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None)
    This function sets up a Server Session ID (SID) cache that is safe for
    access by multiple processes on the same system.

config_server_session_id_cache(max_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None)
    If you are writing an application which will use SSL sockets to
    handshake as a server, you must call config_server_session_id_cache()
    to configure the session caches for server sessions.

config_server_session_id_cache_with_opt(max_cache_entries=0, max_cert_cache_entries=0, max_server_name_cache_entries=0, ssl2_timeout=0, ssl3_timeout=0, directory=None, enable_mp_cache=False)
    Configure a secure server's session-id cache.

policy

SSLCipherSuiteInfo

get_default_cipher_pref(cipher)
    Returns the application default preference for the specified SSL2,
    SSL3, or TLS cipher.
    Return type: enabled

get_default_ssl_version_range(protocol_variant=SSL_VARIANT_STREAM, repr_kind=AsEnum)
    Returns the range of SSL3/TLS versions enabled by default for the given
    protocol variant.
    Return type: (min_version, max_version)

int

get_ssl_default_option(value)
    Gets the default value of a specified SSL option for all
    subsequently opened sockets as long as the current application program
    is running.

get_ssl_version_from_major_minor(major, minor, repr_kind=AsString)
    Given the major and minor SSL protocol versions, return the SSL version
    represented according to repr_kind.
    Return type: Object

get_supported_ssl_version_range(protocol_variant=SSL_VARIANT_STREAM, repr_kind=AsEnum)
    Returns the range of SSL3/TLS versions supported for the
    given protocol variant by the version of libssl linked-to at runtime.
    Return type: (min_version, max_version)

set_cipher_policy(cipher, enabled)
    Tells the SSL library that the specified cipher suite is allowed by
    the application's export license, or is not allowed by the
    application's export license, or is allowed to be used only with a
    Step-Up certificate.

set_default_cipher_pref(cipher, enabled)
    Sets the application default preference for the specified SSL2, SSL3,
    or TLS cipher.

set_default_ssl_version_range(min_version, max_version, protocol_variant=SSL_VARIANT_STREAM)
    Sets the range of SSL3/TLS versions enabled by default for the given
    protocol variant.

set_france_policy()
    Configures the SSL cipher suites to conform with French import
    regulations related to software products with encryption features.

set_ssl_default_option(option, value)
    Changes the default value of a specified SSL option for all
    subsequently opened sockets as long as the current application program
    is running.

shutdown_server_session_id_cache()

ssl_cipher_suite_from_name(name)
    Given the name of an SSL cipher constant, return its integer constant.
    The string comparison is case insensitive.
    Return type: int

string

ssl_library_version_from_name(name)
    Given the name of an SSL_LIBRARY_VERSION, return its integer constant.
    The string comparison is case insensitive.
    Return type: int

ssl_library_version_name(ssl_library_version, repr_kind=AsEnumName)
    Given an SSL_LIBRARY_VERSION constant, return it represented
    according to repr_kind.
    Return type: string

SRTP_AES128_CM_HMAC_SHA1_32 = 2
SRTP_AES128_CM_HMAC_SHA1_80 = 1
SRTP_NULL_HMAC_SHA1_32 = 6
SRTP_NULL_HMAC_SHA1_80 = 5
SSL_ALLOWED = 1
SSL_BYPASS_PKCS11 = 16
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 7
SSL_CK_DES_64_CBC_WITH_MD5 = 6
SSL_CK_IDEA_128_CBC_WITH_MD5 = 5
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 4
SSL_CK_RC2_128_CBC_WITH_MD5 = 3
SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 2
SSL_CK_RC4_128_WITH_MD5 = 1
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 17
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 19
SSL_DHE_DSS_WITH_DES_CBC_SHA = 18
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 20
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 22
SSL_DHE_RSA_WITH_DES_CBC_SHA = 21
SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 25
SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 23
SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA = 27
SSL_DH_ANON_WITH_DES_CBC_SHA = 26
SSL_DH_ANON_WITH_RC4_128_MD5 = 24
SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 11
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = 13
SSL_DH_DSS_WITH_DES_CBC_SHA = 12
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 14
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = 16
SSL_DH_RSA_WITH_DES_CBC_SHA = 15
SSL_ENABLE_FDX = 11
SSL_ENABLE_SSL2 = 7
SSL_ENABLE_SSL3 = 8
SSL_ENABLE_TLS = 13
SSL_EN_DES_192_EDE3_CBC_WITH_MD5 = 65287
SSL_EN_DES_64_CBC_WITH_MD5 = 65286
SSL_EN_IDEA_128_CBC_WITH_MD5 = 65285
SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 = 65284
SSL_EN_RC2_128_CBC_WITH_MD5 = 65283
SSL_EN_RC4_128_EXPORT40_WITH_MD5 = 65282
SSL_EN_RC4_128_WITH_MD5 = 65281
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 29
SSL_FORTEZZA_DMS_WITH_NULL_SHA = 28
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA = 30
SSL_HANDSHAKE_AS_CLIENT = 5
SSL_HANDSHAKE_AS_SERVER = 6
SSL_LIBRARY_VERSION_2 = 2
SSL_LIBRARY_VERSION_3_0 = 768
SSL_LIBRARY_VERSION_TLS_1_0 = 769
SSL_LIBRARY_VERSION_TLS_1_1 = 770
SSL_LIBRARY_VERSION_TLS_1_2 = 771
SSL_LIBRARY_VERSION_TLS_1_3 = 772
SSL_NOT_ALLOWED = 0
SSL_NO_CACHE = 9
SSL_NO_LOCKS = 17
SSL_NO_STEP_DOWN = 15
SSL_NULL_WITH_NULL_NULL = 0
SSL_REQUEST_CERTIFICATE = 3
SSL_REQUIRE_ALWAYS = 1
SSL_REQUIRE_CERTIFICATE = 10
SSL_REQUIRE_FIRST_HANDSHAKE = 2
SSL_REQUIRE_NEVER = 0
SSL_REQUIRE_NO_ERROR = 3
SSL_RESTRICTED = 2
SSL_ROLLBACK_DETECTION = 14
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = 8
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 6
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = 3
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 65279
SSL_RSA_FIPS_WITH_DES_CBC_SHA = 65278
SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA = 65504
SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA = 65505
SSL_RSA_WITH_3DES_EDE_CBC_SHA = 10
SSL_RSA_WITH_DES_CBC_SHA = 9
SSL_RSA_WITH_IDEA_CBC_SHA = 7
SSL_RSA_WITH_NULL_MD5 = 1
SSL_RSA_WITH_NULL_SHA = 2
SSL_RSA_WITH_RC4_128_MD5 = 4
SSL_RSA_WITH_RC4_128_SHA = 5
SSL_SECURITY = 1
SSL_SECURITY_STATUS_NOOPT = -1
SSL_SECURITY_STATUS_OFF = 0
SSL_SECURITY_STATUS_ON_HIGH = 1
SSL_SECURITY_STATUS_ON_LOW = 2
SSL_SOCKS = 2
SSL_V2_COMPATIBLE_HELLO = 12
SSL_VARIANT_DATAGRAM = 1
SSL_VARIANT_STREAM = 0
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 99
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 101
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 17
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 19
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 50
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 162
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 56
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 68
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 135
TLS_DHE_DSS_WITH_DES_CBC_SHA = 18
TLS_DHE_DSS_WITH_RC4_128_SHA = 102
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 52397
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 20
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 22
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 51
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 103
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 158
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 57
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 107
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 69
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 136
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 52394
TLS_DHE_RSA_WITH_DES_CBC_SHA = 21
TLS_DH_ANON_WITH_AES_128_CBC_SHA = 52
TLS_DH_ANON_WITH_AES_256_CBC_SHA = 58
TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 70
TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 137
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 11
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 13
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 48
TLS_DH_DSS_WITH_AES_256_CBC_SHA = 54
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 66
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 133
TLS_DH_DSS_WITH_DES_CBC_SHA = 12
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 14
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 16
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 49
TLS_DH_RSA_WITH_AES_256_CBC_SHA = 55
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 67
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 134
TLS_DH_RSA_WITH_DES_CBC_SHA = 15
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 25
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 23
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 27
TLS_DH_anon_WITH_AES_128_CBC_SHA = 52
TLS_DH_anon_WITH_AES_256_CBC_SHA = 58
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 70
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 137
TLS_DH_anon_WITH_DES_CBC_SHA = 26
TLS_DH_anon_WITH_RC4_128_MD5 = 24
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 49160
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 49161
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 49187
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 49195
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 49162
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 52393
TLS_ECDHE_ECDSA_WITH_NULL_SHA = 49158
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 49159
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 52396
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 49170
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 49171
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 49191
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 49199
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 49172
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 52392
TLS_ECDHE_RSA_WITH_NULL_SHA = 49168
TLS_ECDHE_RSA_WITH_RC4_128_SHA = 49169
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 49155
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 49156
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 49197
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 49157
TLS_ECDH_ECDSA_WITH_NULL_SHA = 49153
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 49154
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 49165
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 49166
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 49201
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 49167
TLS_ECDH_RSA_WITH_NULL_SHA = 49163
TLS_ECDH_RSA_WITH_RC4_128_SHA = 49164
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 49175
TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 49176
TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 49177
TLS_ECDH_anon_WITH_NULL_SHA = 49173
TLS_ECDH_anon_WITH_RC4_128_SHA = 49174
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 255
TLS_FALLBACK_SCSV = 22016
TLS_NULL_WITH_NULL_NULL = 0
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 98
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 100
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 8
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 6
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 3
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 10
TLS_RSA_WITH_AES_128_CBC_SHA = 47
TLS_RSA_WITH_AES_128_CBC_SHA256 = 60
TLS_RSA_WITH_AES_128_GCM_SHA256 = 156
TLS_RSA_WITH_AES_256_CBC_SHA = 53
TLS_RSA_WITH_AES_256_CBC_SHA256 = 61
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 65
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 132
TLS_RSA_WITH_DES_CBC_SHA = 9
TLS_RSA_WITH_IDEA_CBC_SHA = 7
TLS_RSA_WITH_NULL_MD5 = 1
TLS_RSA_WITH_NULL_SHA = 2
TLS_RSA_WITH_NULL_SHA256 = 59
TLS_RSA_WITH_RC4_128_MD5 = 4
TLS_RSA_WITH_RC4_128_SHA = 5
TLS_RSA_WITH_SEED_CBC_SHA = 150
_C_API = <capsule object "_C_API" at 0x7f1d05996f90>
__package__ = None
ssl2 = 2
ssl3 = 768
ssl_implemented_ciphers = ( 53249, 52396, 53250, 170, 52397, 17...
tls1.0 = 769
tls1.1 = 770
tls1.2 = 771
tls1.3 = 772