ssl
Provides OpenSSL bindings for Blade
Properties
- ssl.SSL_FILETYPE_PEM
- SSL_FILETYPE_PEM
- ssl.SSL_FILETYPE_ASN1
- SSL_FILETYPE_ASN1
- ssl.SSL_VERIFY_NONE
-
-
Server mode
: the server will not send a client certificate request to the client, so the client will not send a certificate. -
Client mode
: if not using an anonymous cipher (by default disabled), the server will send a certificate which will be checked. The handshake will be continued regardless of the verification result.
-
- ssl.SSL_VERIFY_PEER
-
-
Server mode
: the server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_POST_HANDSHAKE flags. -
Client mode
: the server certificate is verified. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent, because an anonymous cipher is used, SSL_VERIFY_PEER is ignored.
-
- ssl.SSL_VERIFY_FAIL_IF_NO_PEER_CERT
-
-
Server mode
: if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a “handshake failure” alert. This flag must be used together with SSL_VERIFY_PEER. -
Client mode
: ignored
-
- ssl.SSL_VERIFY_CLIENT_ONCE
-
-
Server mode
: only request a client certificate once during the connection. Do not ask for a client certificate again during renegotiation or post-authentication if a certificate was requested during the initial handshake. This flag must be used together with SSL_VERIFY_PEER. -
Client mode
: ignored
-
- ssl.SSL_VERIFY_POST_HANDSHAKE
-
-
Server mode
: the server will not send a client certificate request during the initial handshake, but will send the request via SSL_verify_client_post_handshake(). This allows the SSL_CTX or SSL to be configured for post-handshake peer verification before the handshake occurs. This flag must be used together with SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections. -
Client mode
: ignored
-
- ssl.TLS_method
- TLS method
- ssl.TLS_client_method
- TLS client method
- ssl.TLS_server_method
- TLS server method
- ssl.SSLv23_method
- SSLv23 method
- ssl.SSLv23_client_method
- SSLv23 client method
- ssl.SSLv23_server_method
- SSLv23 server method
- ssl.BIO_CLOSE
- BIO_CLOSE
- ssl.BIO_NOCLOSE
- BIO_NOCLOSE
- ssl.BIO_f_ssl
- SSL BIO method f_ssl
I/O performed on an SSL BIO communicates using the SSL protocol with the SSLs read and write BIOs. If an SSL connection is not established then an attempt is made to establish one on the first I/O call.
- ssl.BIO_s_connect
- SSL BIO method connect
Using connect BIOs, TCP/IP connections can be made and data transferred using only BIO routines. In this way any platform specific operations are hidden by the BIO abstraction.
- ssl.BIO_s_accept
- SSL BIO method accept
Using accept BIOs, TCP/IP connections can be accepted and data transferred using only BIO routines. In this way any platform specific operations are hidden by the BIO abstraction.
Classes
class SSL
SSL interface class
class SSL methods
- SSL(context: SSLContext)
- constructor
- set_connect_state()
- puts this SSL instance in the connected mode.
- set_accept_state()
- puts this SSL instance in the accept mode.
- get_fd()
- returns the current socket file descriptor. It returns
-1
on failure or a positive integer on success.return number - set_fd(fd: int)
- sets the socket file descriptor for this SSL
- accept()
- begins accepting data on SSL
- free()
- frees this SSL and all associated resources
- get_pointer()
- returns the raw OpenSSl SSL pointer return ptr
class SSLSocket < Socket
SSLSocket is an SSL/TLS enabled socket. @extends Socket
class SSLSocket methods
- SSLSocket(method: ptr)
- constructor
- method must be a valid method pointer defined in the ssl module
- connect(host: string, port: int [, timeout: int])
- Initiates a connection to the given host on the specified port. If host is
nil
, it will connect on to the current hostn specified on the socket.default timeout = 300,000ms (i.e. 300 seconds)return bool - accept()
- Accepts a connection on a socket
This method extracts the first connection request on the queue of pending connections, creates a new socket with the same properties of the current socket, and allocates a new file descriptor for the socket. If no pending connections are present on the queue, and the socket is not marked as non-blocking, accept() blocks the caller until a connection is present. If the socket is marked non-blocking and no pending connections are present on the queue, accept() returns an error as described below.
- The accepted socket may not be used to accept more connections.
- The original socket socket, remains open.
return Socket - send(message: string | file | bytes, flags: int)
- Sends the specified message to the socket. When this methods accepts a file as a message, the file is read and the resultant bytes of the file content is streamed to the socket.
- the flags parameter is currently redundant and is kept only to remanin compatible with future plans for this method.
return number greater than -1 if successful indicating the total number of bytes sent or -1 if it fails. - receive([length: int [, flags: int]])
- Receives bytes of the given length from the socket. If the length is not given, it default length of -1 indicating that the total available data on the socket stream will be read. If no data is available for read on the socket, the socket will wait to receive data or until the
receive_timeout
which is also equal to theSO_RCVTIMEO
setting of the socket has elapsed before or until it has received the total number of bytes required (whichever comes first).- the flags parameter is currently redundant and is kept only to remanin compatible with future plans for this method.
return string - read([length: int])
- Reads bytes of the given length from the socket. If the length is not given, it default length of -1 indicating that the total available data on the socket stream will be read.
Unlike with plain
Socket
, this is basically a wrapper for thereceive()
method.default Length = 1024return string - close()
- Closes the socket return bool
- get_context()
- returns the underlying SSLContext instance return SSLContext
class TLSSocket < SSLSocket
TLSSocket is the generic TLS SSL Socket
class TLSSocket methods
- TLSSocket()
- constructor
class BIO
SSL Binary Input/Output
class BIO methods
- BIO(method: ptr)
- constructor
- method must be a valid SSL BIO_* method
- set_ssl(ssl: SSL [, option: int])
- sets the working SSL instance for this BIO
- option must be one of the BIO constants if given.
- default option = BIO_NOCLOSE
- set_conn_hostname(name: string)
- sets the hostname for the current connected BIO socket
- set_accept_name(name: string)
- sets the address name for the current accepted BIO socket
- set_conn_address(address: string)
- sets the address for the current connected BIO socket
- set_conn_port(port: int | string)
- sets the port for the current connected BIO socket
- set_accept_port(port: int | string)
- sets the port for the current accepted BIO socket
- set_conn_family(family: int)
- sets the socket family for the current connected BIO socket
- set_accept_family(family: int)
- sets the socket family for the current accepted BIO socket
- get_conn_hostname()
- returns the hostname for the current connected BIO socket return string
- get_accept_name()
- returns the hostname for the current accepted BIO socket return string
- get_conn_address()
- returns the address for the current connected BIO socket return string
- get_conn_port()
- returns the port for the current connected BIO socket return string
- get_accept_port()
- returns the port for the current accepted BIO socket return string
- get_conn_family()
- returns the family for the current connected BIO socket return int
- get_accept_family()
- returns the family for the current accepted BIO socket return int
- get_fd()
- returns the current socket file descriptor. It returns
-1
on failure or a positive integer on success.return number - set_fd(fd: int [, opt: int])
- sets the socket file descriptor for this BIO default opt = BIO_NOCLOSE
- set_non_blocking([b: bool])
- converts the BIO into a non-blocking I/O stream if b is
true
, otherwise converts it into a blocking stream.default true - push(b: BIO)
- it appends b, which may be a single BIO or a chain of BIOs, to the current BIO stack (unless the current pinter is
nil
). It then makes a control call on BIO b and returns it. - false
- write(data: string | bytes)
- writes data to the current I/O stream. return int representing the total bytes read
- read([length: int])
- reads data off the I/O and returns it default length = 1024return string
- should_retry()
- returns
true
if this BIO needs to retry its last operation.false
otherwise. - do_connect()
- attempts to establish a connection to the host.
- do_accept()
- attempts to accept the connected socket.
- error()
- returns the last SSL error number return int
- error_string()
- returns the last SSL error as string return string
- free()
- frees this BIO and all associated resources
- get_pointer()
- returns the raw OpenSSl BIO pointer return ptr
class SSLBIO < BIO
SSLBIO is a generic BIO for SSL I/O
class SSLBIO methods
- ConnectBIO()
- constructor
class ConnectBIO < BIO
ConnectBIO is a generic BIO for new secured connections
class ConnectBIO methods
- ConnectBIO()
- constructor
class AcceptedBIO < BIO
AcceptedBIO is a generic BIO for accepting new secured connections from a TLS server
class AcceptedBIO methods
- AcceptedBIO()
- constructor
class SSLContext
SSL context representation class
class SSLContext methods
- SSLContext(method: ptr)
- constructor
- method must be a valid SSL method pointer
- set_verify(mode: int)
- sets the verification flags for ctx to be the given mode.
- The verification of certificates can be controlled by a set of logically or’ed mode flags.
- If the mode is SSL_VERIFY_NONE none of the other flags may be set.
- set_verify_locations(locations: string)
- set default locations for trusted CA certificates
- load_certs(cert_file: string | file, private_key_file: string | file)
- loads the given SSL/TLS certificate pairs for the given SSL/TLS context. return bool
- free()
- frees this Context and all associated resources
- get_pointer()
- returns the raw OpenSSl SSL_CTX pointer return ptr
class TLSContext < SSLContext
TLSContext is a specialized Context providing generic TLS support for both client and server mode.
class TLSContext methods
- TLSContext()
- constructor
class TLSClientContext < SSLContext
TLSClientContext is a specialized Context for supporting TLS clients.
class TLSClientContext methods
- TLSClientContext()
- constructor
class TLSServerContext < SSLContext
TLSServerContext is a specialized Context for supporting TLS servers.
class TLSServerContext methods
- TLSServerContext()
- constructor
class SSLv23Context < SSLContext
SSLv23Context is a specialized Context providing generic SSLv23 support for both client and server mode.
class SSLv23Context methods
- SSLv23Context()
- constructor
class SSLv23ClientContext < SSLContext
SSLv23ClientContext is a specialized Context for supporting SSLv23 clients.
class SSLv23ClientContext methods
- TLSClientContext()
- constructor
class SSLv23ServerContext < SSLContext
SSLv23ServerContext is a specialized Context for supporting SSLv23 servers.
class SSLv23ServerContext methods
- SSLv23ServerContext()
- constructor