python-libtls
provides its functionality through two classes,
Context
and TLSSocket
. You won’t need to reference the
latter class directly, unless you want to subclass it for some reason.
Context
(**kwargs)¶This class is a high-level wrapper over the low-level functionality provided
by libtls
. Although you can access this low-level functionality through
python-libtls
, for the most part you can do what you need using
Context
. One of the things that it gives you is the ability to wrap a
socket with the TLS security layer, and you can then use this wrapped
like a normal socket.
Arguments are currently all provided as keyword arguments. Don’t be put off by the long list – for most usage, you only need to specify a few of these.
Common keyword parameters (client-side or server-side): | |
---|---|
Note If you don’t specify |
|
Client-side keyword parameters: | |
|
|
Server-side keyword parameters: | |
Note Sessions are intended to improve performance during handshake, but come at a cost of not maintaining forward secrecy. They should be disabled (the default) if possible. |
These are the most commonly used methods:
connect
(host, port, sock=None, hostname=None)¶This method of a client-side context is used to connect to a specified host and port.
Parameters: | |
---|---|
|
|
Keyword parameters: | |
|
|
Returns: | |
An instance of |
accept(sock):
This method of a server-side context is used to accept a socket which is connected to a client.
Parameters: | |
---|---|
|
|
Returns: | |
An instance of |
close
()¶This closes the context. It will not be usable after this call. If a socket
was provided in the connect()
call, it will be closed. Any libtls
resources used will be freed.
peer_cert_contains_name
(name)¶Whether the peer certificate contains the specified name.
Parameters: | |
---|---|
name (str) – The name to check. | |
Returns: | |
True if the name appears in the certificate, else False . |
process_ocsp_response
(response)¶This processes an OCSP response.
Parameters: | |
---|---|
response (bytes) – The response in DER format. | |
Returns: | |
An integer response code. |
wrap_socket
(sock, **kwargs)¶This method wraps the provided socket with a TLS wrapper. This method is
normally called by the connect()
and accept()
methods, so you
shouldn’t need to call it directly.
Parameters: | |
---|---|
|
|
Server-side keyword parameters: | |
|
|
Client-side keyword parameters: | |
|
|
Returns: | |
A |
conn_version
¶(str) - the TLS version which has been negotiated for the connection.
conn_servername
¶(str) - the server name for the connection.
conn_cipher
¶(str) - the cipher used for the connection.
conn_alpn_selected
¶(str) - the selected ALPN parameters for the connection.
peer_cert_provided
¶(bool) - whether the peer has provided a certificate.
peer_cert_issuer
¶(str) - the issuing CA for the peer’s certificate.
peer_cert_notbefore
¶(datetime) - the time before which the peer’s certificate is not valid.
peer_cert_notafter
¶(datetime) - the time after which the peer’s certificate is not valid.
peer_cert_subject
¶(str) - the subject of the peer’s certificate.
peer_cert_hash
¶(str) - the hash of the peer’s certificate. This is prefixed with the
hash algorithm used (e.g. SHA256:
) followed by the actual hash value as a
hex string.
peer_ocsp_response_status
¶(int) - the status of the peer’s OCSP response, which will be as per RFC 6960 section 2.3:
TLS_OCSP_RESPONSE_SUCCESSFUL
TLS_OCSP_RESPONSE_MALFORMED
TLS_OCSP_RESPONSE_INTERNALERROR
TLS_OCSP_RESPONSE_TRYLATER
TLS_OCSP_RESPONSE_SIGREQUIRED
TLS_OCSP_RESPONSE_UNAUTHORIZED
(These values are defined in the tls
package.)
peer_ocsp_cert_status
¶(int) - the OCSP status of the peer’s certificate, which will be as per RFC 6960 section 2.2:
TLS_OCSP_CERT_GOOD
TLS_OCSP_CERT_REVOKED
TLS_OCSP_CERT_UNKNOWN
(These values are defined in the tls
package.)
peer_ocsp_result
¶(str) - the summary of the OCSP status of the peer’s certificate. If there was a problem with the OCSP response, this will indicate what the problem was. If the certificate wasn’t revoked, then information about the certificate status will be provided. If the certificate was revoked, then the reason for revocation will be provided.
peer_ocsp_crl_reason
¶(int) - the reason the peer certificate was revoked, which will be as per RFC 5280 section 5.3.1:
TLS_CRL_REASON_UNSPECIFIED
TLS_CRL_REASON_KEY_COMPROMISE
TLS_CRL_REASON_CA_COMPROMISE
TLS_CRL_REASON_AFFILIATION_CHANGED
TLS_CRL_REASON_SUPERSEDED
TLS_CRL_REASON_CESSATION_OF_OPERATION
TLS_CRL_REASON_CERTIFICATE_HOLD
TLS_CRL_REASON_REMOVE_FROM_CRL
TLS_CRL_REASON_PRIVILEGE_WITHDRAWN
TLS_CRL_REASON_AA_COMPROMISE
(These values are defined in the tls
package.)
peer_ocsp_url
¶(str) - the URL of the OCSP provider for the peer.
peer_ocsp_this_update
¶(datetime) - the time of this OCSP update.
peer_ocsp_next_update
¶(datetime) - the time of the next OCSP update.
peer_ocsp_revocation_time
¶(datetime) - the time the peer certificate was revoked.
This class behaves like an ordinary streaming socket, except that it has an
additional do_handshake()
method which allows you to do the TLS handshake
explicitly. If you read from or write to the socket, a handshake will be done
automatically when needed, but it’s useful to do it explicitly when you need to
verify the connection and peer before doing any I/O for your application. You
don’t instantiate TLSSocket
instances directly: they’re created
internally by Context
instances and handed to you as the return value
from certain Context
methods.
do_handshake
()¶This initiates a handshake with the other end of the connection (if that has not already been done). A handshake is automatically done before doing any I/O with the peer; this method is for when you want to control handshaking explicitly, perhaps to perform verification of the peer at a time of your choosing.
python-libtls
raises library-specific exceptions. The following is the exception
class hierarchy.
Exception
└── TLSError
├── ConfigurationError
└── ConnectionError
└── VerificationError
The Exception
class is from the Python standard library. The
TLSError
is the base class for exceptions raised by python-libtls
. A
ConfigurationError
is raised when a configuration value is not
acceptable to libtls
. A ConnectionError
is raised when an error
related to connecting to a peer, or during I/O to or from a peer, occurs. A
VerificationError
is raised when an explicit handshake fails.
In addition to the TLSError
-based exceptions, python-libtls
may also raise
ValueError
, TypeError
and other standard library exceptions.