Link Search Menu Expand Document

ssl

Provides OpenSSL bindings for Blade

Properties


ssl.SSL_FILETYPE_PEM
SSL_FILETYPE_PEM
ssl.SSL_FILETYPE_ASN1
SSL_FILETYPE_ASN1
ssl.SSL_VERIFY_NONE
  • Server mode: the server will not send a client certificate request to the client, so the client will not send a certificate.

  • Client mode: if not using an anonymous cipher (by default disabled), the server will send a certificate which will be checked. The handshake will be continued regardless of the verification result.

ssl.SSL_VERIFY_PEER
  • Server mode: the server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_POST_HANDSHAKE flags.

  • Client mode: the server certificate is verified. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent, because an anonymous cipher is used, SSL_VERIFY_PEER is ignored.

ssl.SSL_VERIFY_FAIL_IF_NO_PEER_CERT
  • Server mode: if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a “handshake failure” alert. This flag must be used together with SSL_VERIFY_PEER.

  • Client mode: ignored

ssl.SSL_VERIFY_CLIENT_ONCE
  • Server mode: only request a client certificate once during the connection. Do not ask for a client certificate again during renegotiation or post-authentication if a certificate was requested during the initial handshake. This flag must be used together with SSL_VERIFY_PEER.

  • Client mode: ignored

ssl.SSL_VERIFY_POST_HANDSHAKE
  • Server mode: the server will not send a client certificate request during the initial handshake, but will send the request via SSL_verify_client_post_handshake(). This allows the SSL_CTX or SSL to be configured for post-handshake peer verification before the handshake occurs. This flag must be used together with SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections.

  • Client mode: ignored

ssl.TLS_method
TLS method
ssl.TLS_client_method
TLS client method
ssl.TLS_server_method
TLS server method
ssl.SSLv23_method
SSLv23 method
ssl.SSLv23_client_method
SSLv23 client method
ssl.SSLv23_server_method
SSLv23 server method
ssl.BIO_CLOSE
BIO_CLOSE
ssl.BIO_NOCLOSE
BIO_NOCLOSE
ssl.BIO_f_ssl
SSL BIO method f_ssl

I/O performed on an SSL BIO communicates using the SSL protocol with the SSLs read and write BIOs. If an SSL connection is not established then an attempt is made to establish one on the first I/O call.

ssl.BIO_s_connect
SSL BIO method connect

Using connect BIOs, TCP/IP connections can be made and data transferred using only BIO routines. In this way any platform specific operations are hidden by the BIO abstraction.

ssl.BIO_s_accept
SSL BIO method accept

Using accept BIOs, TCP/IP connections can be accepted and data transferred using only BIO routines. In this way any platform specific operations are hidden by the BIO abstraction.

Classes


class SSL


SSL interface class

class SSL methods


SSL(context: SSLContext)
constructor
set_connect_state()
puts this SSL instance in the connected mode.
set_accept_state()
puts this SSL instance in the accept mode.
get_fd()
returns the current socket file descriptor. It returns -1 on failure or a positive integer on success.
return number
set_fd(fd: int)
sets the socket file descriptor for this SSL
accept()
begins accepting data on SSL
connect()
connects to an SSL server instance
write(data: string | bytes)
writes data to the current I/O stream.
return int representing the total bytes written
read([length: int])
reads data off the I/O and returns it
default length = -1
return string
error([code: int])
returns the last SSL error number
return int
shutdown()
shutdown the SSL object
free()
frees this SSL and all associated resources
get_pointer()
returns the raw OpenSSl SSL pointer
return ptr

class TLSSocket


TLS enabled Socket version powered by OpenSSL. @printable

class TLSSocket properties


TLSSocket.host
This property holds the host bound, to be bound to or connected to by the current socket. Whenever a host is not given, the host will default to localhost.
TLSSocket.port
The port currently bound or connected to by the socket
TLSSocket.family
The socket family (which must be one of the AF_ variables). The default family for the socket is AF_INET
TLSSocket.type
The type of socket stream used by the socket. The default socket type is SOCK_STREAM
TLSSocket.protocol
The current operating protocol of the socket that controls the underlying behavior of the socket. The default is IPPROTO_TCP.
TLSSocket.id
The file descriptor id of the current socket on the host machine.
TLSSocket.is_client
true when the socket is a client to a server socket, false otherwise.
TLSSocket.is_bound
true when the socket is bound to a given port on the device, false otherwise.
TLSSocket.is_connected
true when the socket is connected to a server socket, false otherwise.
TLSSocket.is_listening
true when the socket is currently listening on a host device port as a server, false otherwise.
TLSSocket.is_closed
true when the socket is closed, false otherwise.
TLSSocket.is_shutdown
true when the socket is shutdown, false otherwise.
TLSSocket.is_blocking
true when the socket is running in a blocking mode, false otherwise.
TLSSocket.shutdown_reason
The property holds the reason for which the last shutdown operation was called or -1 if shutdown was never requested.
TLSSocket.send_timeout
The amount of time in milliseconds that the socket waits before it terminates a send operation. This is equal to the SO_SNDTIMEO.
TLSSocket.receive_timeout
The amount of time in milliseconds that the socket waits before it terminates a receive operation. This is equal to the SO_RCVTIMEO.

class TLSSocket methods


TLSSocket([socket: Socket [, context: SSLContext [, ssl: SSL]]])
constructor
connect(host: string, port: int [, timeout: int])
Initiates a connection to the given host on the specified port. If host is nil, it will connect on to the current hostn specified on the socket.
default timeout = 300,000ms (i.e. 300 seconds)
return bool
bind(port: int [, host: string])
Binds this socket to the given port on the given host. If host is nil or not specified, it will connect on to the current hostn specified on the socket.
return bool
send(message: string | file | bytes, flags: int)
Sends the specified message to the socket. When this methods accepts a file as a message, the file is read and the resultant bytes of the file content is streamed to the socket.
  • the flags parameter is currently redundant and is kept only to remanin compatible with future plans for this method.
return number greater than -1 if successful indicating the total number of bytes sent or -1 if it fails.
receive([length: int [, flags: int]])
Receives bytes of the given length from the socket. If the length is not given, it default length of -1 indicating that the total available data on the socket stream will be read. If no data is available for read on the socket, the socket will wait to receive data or until the receive_timeout which is also equal to the SO_RCVTIMEO setting of the socket has elapsed before or until it has received the total number of bytes required (whichever comes first).
  • the flags parameter is currently redundant and is kept only to remanin compatible with future plans for this method.
return string
read([length: int])
Reads bytes of the given length from the socket. If the length is not given, it default length of -1 indicating that the total available data on the socket stream will be read.

This method differs from receive() in that it does not check for a socket having data to read or not and will block until data of length have been read or no more data is available for reading.

  • Only use this function after a call to receive() has succeeded.
default Length = 1024
return string
listen([queue_length: int])
Listen for connections on a socket

This method puts the socket in a state where it is willing to accept incoming connections and creates a queue limit of queue_length for incoming connections. If a connection request arrives with the queue full, the client may receive an error with an indication of ECONNREFUSED. Alternatively, if the underlying protocol supports retransmission, the request may be ignored so that retries may succeed.

When the queue_length is ommited or set to -1, the method will use the default queue limit of the current platform which is usually equal to SOMAXCONN.

  • listen() call applies only to sockets of type SOCK_STREAM (which is the default)
return bool
accept()
Accepts a connection on a socket

This method extracts the first connection request on the queue of pending connections, creates a new socket with the same properties of the current socket, and allocates a new file descriptor for the socket. If no pending connections are present on the queue, and the socket is not marked as non-blocking, accept() blocks the caller until a connection is present. If the socket is marked non-blocking and no pending connections are present on the queue, accept() returns an error as described below.

The accepted socket may not be used to accept more connections. The original socket remains open.

return TLSSocket
close()
Closes the socket
return bool
shutdown()
The shutdown() call causes all or part of a full-duplex connection on the socket associated with socket to be shut down.
return bool
set_option(option: int, value: any)
Sets the options of the current socket.
  • Only SO_ variables are valid option types
return bool
get_option(option: int)
Gets the options set on the current socket
return any
set_blocking(mode: bool)
Sets if the socket should operate in blocking or non-blocking mode. true for blocking (default) and false for non-blocking.
info()
Returns a dictionary containing the address, port and family of the current socket or an empty dictionary if the socket information could not be retrieved.
return dictionary
get_socket()
returns the underlying Socket instance
return Socket
get_context()
returns the underlying SSLContext instance
return SSLContext

class BIO


SSL Binary Input/Output

class BIO methods


BIO(method: ptr)
constructor
  • method must be a valid SSL BIO_* method
set_ssl(ssl: SSL [, option: int])
sets the working SSL instance for this BIO
  • option must be one of the BIO constants if given.
  • default option = BIO_NOCLOSE
set_conn_hostname(name: string)
sets the hostname for the current connected BIO socket
set_accept_name(name: string)
sets the address name for the current accepted BIO socket
set_conn_address(address: string)
sets the address for the current connected BIO socket
set_conn_port(port: int | string)
sets the port for the current connected BIO socket
set_accept_port(port: int | string)
sets the port for the current accepted BIO socket
set_conn_family(family: int)
sets the socket family for the current connected BIO socket
set_accept_family(family: int)
sets the socket family for the current accepted BIO socket
get_conn_hostname()
returns the hostname for the current connected BIO socket
return string
get_accept_name()
returns the hostname for the current accepted BIO socket
return string
get_conn_address()
returns the address for the current connected BIO socket
return string
get_conn_port()
returns the port for the current connected BIO socket
return string
get_accept_port()
returns the port for the current accepted BIO socket
return string
get_conn_family()
returns the family for the current connected BIO socket
return int
get_accept_family()
returns the family for the current accepted BIO socket
return int
get_fd()
returns the current socket file descriptor. It returns -1 on failure or a positive integer on success.
return number
set_fd(fd: int [, opt: int])
sets the socket file descriptor for this BIO
default opt = BIO_NOCLOSE
set_non_blocking([b: bool])
converts the BIO into a non-blocking I/O stream if b is true, otherwise converts it into a blocking stream.
default true
push(b: BIO)
it appends b, which may be a single BIO or a chain of BIOs, to the current BIO stack (unless the current pinter is nil). It then makes a control call on BIO b and returns it.
false
write(data: string | bytes)
writes data to the current I/O stream.
return int representing the total bytes written
read([length: int])
reads data off the I/O and returns it
default length = 1024
return string
should_retry()
returns true if this BIO needs to retry its last operation. false otherwise.
do_connect()
attempts to establish a connection to the host.
do_accept()
attempts to accept the connected socket.
error([code: int])
returns the last SSL error number
return int
error_string([code: int])
returns the last SSL error as string
return string
free()
frees this BIO and all associated resources
get_pointer()
returns the raw OpenSSl BIO pointer
return ptr

class SSLBIO < BIO


SSLBIO is a generic BIO for SSL I/O

class SSLBIO methods


ConnectBIO()
constructor

class ConnectBIO < BIO


ConnectBIO is a generic BIO for new secured connections

class ConnectBIO methods


ConnectBIO()
constructor

class AcceptedBIO < BIO


AcceptedBIO is a generic BIO for accepting new secured connections from a TLS server

class AcceptedBIO methods


AcceptedBIO()
constructor

class SSLContext


SSL context representation class

class SSLContext methods


SSLContext(method: ptr)
constructor
  • method must be a valid SSL method pointer
set_verify(mode: int)
sets the verification flags for ctx to be the given mode.
  • The verification of certificates can be controlled by a set of logically or’ed mode flags.
  • If the mode is SSL_VERIFY_NONE none of the other flags may be set.
set_verify_locations(locations: string)
set default locations for trusted CA certificates
load_certs(cert_file: string | file, private_key_file: string | file)
loads the given SSL/TLS certificate pairs for the given SSL/TLS context.
return bool
set_ciphers(ciphers: string)
sets the list of allowed ciphers. This list must be colon (:) separated.
return bool
free()
frees this Context and all associated resources
get_pointer()
returns the raw OpenSSl SSL_CTX pointer
return ptr

class TLSContext < SSLContext


TLSContext is a specialized Context providing generic TLS support for both client and server mode.

class TLSContext methods


TLSContext()
constructor

class TLSClientContext < SSLContext


TLSClientContext is a specialized Context for supporting TLS clients.

class TLSClientContext methods


TLSClientContext()
constructor

class TLSServerContext < SSLContext


TLSServerContext is a specialized Context for supporting TLS servers.

class TLSServerContext methods


TLSServerContext()
constructor

class SSLv23Context < SSLContext


SSLv23Context is a specialized Context providing generic SSLv23 support for both client and server mode.

class SSLv23Context methods


SSLv23Context()
constructor

class SSLv23ClientContext < SSLContext


SSLv23ClientContext is a specialized Context for supporting SSLv23 clients.

class SSLv23ClientContext methods


TLSClientContext()
constructor

class SSLv23ServerContext < SSLContext


SSLv23ServerContext is a specialized Context for supporting SSLv23 servers.

class SSLv23ServerContext methods


SSLv23ServerContext()
constructor

Back to top

Copyright © 2021 Ore Richard Muyiwa. Distributed under the MIT license.