Link Search Menu Expand Document

ssl

Provides OpenSSL bindings for Blade

Properties

ssl.SSL_FILETYPE_PEM
SSL_FILETYPE_PEM
ssl.SSL_FILETYPE_ASN1
SSL_FILETYPE_ASN1
ssl.SSL_VERIFY_NONE

  • Server mode: the server will not send a client certificate request to the client, so the client will not send a certificate.

  • Client mode: if not using an anonymous cipher (by default disabled), the server will send a certificate which will be checked. The handshake will be continued regardless of the verification result.

ssl.SSL_VERIFY_PEER

  • Server mode: the server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_POST_HANDSHAKE flags.

  • Client mode: the server certificate is verified. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent, because an anonymous cipher is used, SSL_VERIFY_PEER is ignored.

ssl.SSL_VERIFY_FAIL_IF_NO_PEER_CERT

  • Server mode: if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a “handshake failure” alert. This flag must be used together with SSL_VERIFY_PEER.

  • Client mode: ignored

ssl.SSL_VERIFY_CLIENT_ONCE

  • Server mode: only request a client certificate once during the connection. Do not ask for a client certificate again during renegotiation or post-authentication if a certificate was requested during the initial handshake. This flag must be used together with SSL_VERIFY_PEER.

  • Client mode: ignored

ssl.SSL_VERIFY_POST_HANDSHAKE

  • Server mode: the server will not send a client certificate request during the initial handshake, but will send the request via SSL_verify_client_post_handshake(). This allows the SSL_CTX or SSL to be configured for post-handshake peer verification before the handshake occurs. This flag must be used together with SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections.

  • Client mode: ignored

ssl.TLS_method
TLS method
ssl.TLS_client_method
TLS client method
ssl.TLS_server_method
TLS server method
ssl.SSLv23_method
SSLv23 method
ssl.SSLv23_client_method
SSLv23 client method
ssl.SSLv23_server_method
SSLv23 server method
ssl.BIO_CLOSE
BIO_CLOSE
ssl.BIO_NOCLOSE
BIO_NOCLOSE
ssl.BIO_f_ssl
SSL BIO method f_ssl

I/O performed on an SSL BIO communicates using the SSL protocol with the SSLs read and write BIOs. If an SSL connection is not established then an attempt is made to establish one on the first I/O call.

ssl.BIO_s_connect
SSL BIO method connect

Using connect BIOs, TCP/IP connections can be made and data transferred using only BIO routines. In this way any platform specific operations are hidden by the BIO abstraction.

ssl.BIO_s_accept
SSL BIO method accept

Using accept BIOs, TCP/IP connections can be accepted and data transferred using only BIO routines. In this way any platform specific operations are hidden by the BIO abstraction.

Classes

class SSL

SSL interface class

class SSL methods

SSL(context: SSLContext)
constructor
set_connect_state()
puts this SSL instance in the connected mode.
set_accept_state()
puts this SSL instance in the accept mode.
get_fd()
returns the current socket file descriptor. It returns -1 on failure or a positive integer on success.
return number
set_fd(fd: int)
sets the socket file descriptor for this SSL
accept()
begins accepting data on SSL
free()
frees this SSL and all associated resources
get_pointer()
returns the raw OpenSSl SSL pointer
return ptr

class SSLSocket < Socket

SSLSocket is an SSL/TLS enabled socket. @extends Socket

class SSLSocket methods

SSLSocket(method: ptr)
constructor
  • method must be a valid method pointer defined in the ssl module
connect(host: string, port: int [, timeout: int])
Initiates a connection to the given host on the specified port. If host is nil, it will connect on to the current hostn specified on the socket.
default timeout = 300,000ms (i.e. 300 seconds)
return bool
accept()
Accepts a connection on a socket

This method extracts the first connection request on the queue of pending connections, creates a new socket with the same properties of the current socket, and allocates a new file descriptor for the socket. If no pending connections are present on the queue, and the socket is not marked as non-blocking, accept() blocks the caller until a connection is present. If the socket is marked non-blocking and no pending connections are present on the queue, accept() returns an error as described below.

  • The accepted socket may not be used to accept more connections.
  • The original socket socket, remains open.
return Socket
send(message: string | file | bytes, flags: int)
Sends the specified message to the socket. When this methods accepts a file as a message, the file is read and the resultant bytes of the file content is streamed to the socket.
  • the flags parameter is currently redundant and is kept only to remanin compatible with future plans for this method.
return number greater than -1 if successful indicating the total number of bytes sent or -1 if it fails.
receive([length: int [, flags: int]])
Receives bytes of the given length from the socket. If the length is not given, it default length of -1 indicating that the total available data on the socket stream will be read. If no data is available for read on the socket, the socket will wait to receive data or until the receive_timeout which is also equal to the SO_RCVTIMEO setting of the socket has elapsed before or until it has received the total number of bytes required (whichever comes first).
  • the flags parameter is currently redundant and is kept only to remanin compatible with future plans for this method.
return string
read([length: int])
Reads bytes of the given length from the socket. If the length is not given, it default length of -1 indicating that the total available data on the socket stream will be read.

Unlike with plain Socket, this is basically a wrapper for the receive() method.

default Length = 1024
return string
close()
Closes the socket
return bool
get_context()
returns the underlying SSLContext instance
return SSLContext

class TLSSocket < SSLSocket

TLSSocket is the generic TLS SSL Socket

class TLSSocket methods

TLSSocket()
constructor

class BIO

SSL Binary Input/Output

class BIO methods

BIO(method: ptr)
constructor
  • method must be a valid SSL BIO_* method
set_ssl(ssl: SSL [, option: int])
sets the working SSL instance for this BIO
  • option must be one of the BIO constants if given.
  • default option = BIO_NOCLOSE
set_conn_hostname(name: string)
sets the hostname for the current connected BIO socket
set_accept_name(name: string)
sets the address name for the current accepted BIO socket
set_conn_address(address: string)
sets the address for the current connected BIO socket
set_conn_port(port: int | string)
sets the port for the current connected BIO socket
set_accept_port(port: int | string)
sets the port for the current accepted BIO socket
set_conn_family(family: int)
sets the socket family for the current connected BIO socket
set_accept_family(family: int)
sets the socket family for the current accepted BIO socket
get_conn_hostname()
returns the hostname for the current connected BIO socket
return string
get_accept_name()
returns the hostname for the current accepted BIO socket
return string
get_conn_address()
returns the address for the current connected BIO socket
return string
get_conn_port()
returns the port for the current connected BIO socket
return string
get_accept_port()
returns the port for the current accepted BIO socket
return string
get_conn_family()
returns the family for the current connected BIO socket
return int
get_accept_family()
returns the family for the current accepted BIO socket
return int
get_fd()
returns the current socket file descriptor. It returns -1 on failure or a positive integer on success.
return number
set_fd(fd: int [, opt: int])
sets the socket file descriptor for this BIO
default opt = BIO_NOCLOSE
set_non_blocking([b: bool])
converts the BIO into a non-blocking I/O stream if b is true, otherwise converts it into a blocking stream.
default true
push(b: BIO)
it appends b, which may be a single BIO or a chain of BIOs, to the current BIO stack (unless the current pinter is nil). It then makes a control call on BIO b and returns it.
false
write(data: string | bytes)
writes data to the current I/O stream.
return int representing the total bytes read
read([length: int])
reads data off the I/O and returns it
default length = 1024
return string
should_retry()
returns true if this BIO needs to retry its last operation. false otherwise.
do_connect()
attempts to establish a connection to the host.
do_accept()
attempts to accept the connected socket.
error()
returns the last SSL error number
return int
error_string()
returns the last SSL error as string
return string
free()
frees this BIO and all associated resources
get_pointer()
returns the raw OpenSSl BIO pointer
return ptr

class SSLBIO < BIO

SSLBIO is a generic BIO for SSL I/O

class SSLBIO methods

ConnectBIO()
constructor

class ConnectBIO < BIO

ConnectBIO is a generic BIO for new secured connections

class ConnectBIO methods

ConnectBIO()
constructor

class AcceptedBIO < BIO

AcceptedBIO is a generic BIO for accepting new secured connections from a TLS server

class AcceptedBIO methods

AcceptedBIO()
constructor

class SSLContext

SSL context representation class

class SSLContext methods

SSLContext(method: ptr)
constructor
  • method must be a valid SSL method pointer
set_verify(mode: int)
sets the verification flags for ctx to be the given mode.
  • The verification of certificates can be controlled by a set of logically or’ed mode flags.
  • If the mode is SSL_VERIFY_NONE none of the other flags may be set.
set_verify_locations(locations: string)
set default locations for trusted CA certificates
load_certs(cert_file: string | file, private_key_file: string | file)
loads the given SSL/TLS certificate pairs for the given SSL/TLS context.
return bool
free()
frees this Context and all associated resources
get_pointer()
returns the raw OpenSSl SSL_CTX pointer
return ptr

class TLSContext < SSLContext

TLSContext is a specialized Context providing generic TLS support for both client and server mode.

class TLSContext methods

TLSContext()
constructor

class TLSClientContext < SSLContext

TLSClientContext is a specialized Context for supporting TLS clients.

class TLSClientContext methods

TLSClientContext()
constructor

class TLSServerContext < SSLContext

TLSServerContext is a specialized Context for supporting TLS servers.

class TLSServerContext methods

TLSServerContext()
constructor

class SSLv23Context < SSLContext

SSLv23Context is a specialized Context providing generic SSLv23 support for both client and server mode.

class SSLv23Context methods

SSLv23Context()
constructor

class SSLv23ClientContext < SSLContext

SSLv23ClientContext is a specialized Context for supporting SSLv23 clients.

class SSLv23ClientContext methods

TLSClientContext()
constructor

class SSLv23ServerContext < SSLContext

SSLv23ServerContext is a specialized Context for supporting SSLv23 servers.

class SSLv23ServerContext methods

SSLv23ServerContext()
constructor

Back to top

Copyright © 2021 Ore Richard Muyiwa. Distributed under the MIT license.

Edit this page on GitHub.