twisted/internet/ssl.py (recovered from a compiled .pyc; only the module, class and method docstrings and the export list survive the extraction)

This module implements Transport Layer Security (TLS) support for Twisted. It requires U{PyOpenSSL }.

If you wish to establish a TLS connection, please use one of the following APIs:

    - SSL endpoints for L{servers } and L{clients }
    - L{startTLS }
    - L{connectSSL }
    - L{listenSSL }

These APIs all require a C{contextFactory} argument that specifies their security properties, such as certificate, private key, certificate authorities to verify the peer, allowed TLS protocol versions, cipher suites, and so on. The recommended value for this argument is a L{CertificateOptions} instance; see its documentation for an explanation of the available options.

The C{contextFactory} name is a bit of an anachronism now, as context factories have been replaced with "connection creators", but these objects serve the same role.

Be warned that implementing your own connection creator (i.e.: value for the C{contextFactory}) is both difficult and dangerous; the Twisted team has worked hard to make L{CertificateOptions}' API comprehensible and unsurprising, and the Twisted team is actively maintaining it to ensure that it becomes more secure over time.

If you are really absolutely sure that you want to take on the risk of implementing your own connection creator based on the pyOpenSSL API, see the L{server connection creator } and L{client connection creator } interfaces.

Developers using Twisted, please ignore the L{Port}, L{Connector}, and L{Client} classes defined here, as these are details of certain reactors' TLS implementations, exposed by accident (and remaining here only for compatibility reasons). If you wish to establish a TLS connection, please use one of the APIs listed above.

@note: "SSL" (Secure Sockets Layer) is an antiquated synonym for "TLS" (Transport Layer Security). You may see these terms used interchangeably throughout the documentation.

Classes defined in the module:

ContextFactory
    A factory for SSL context objects, for server SSL connections.
    getContext(): Return a SSL.Context object. Override in subclasses.

DefaultOpenSSLContextFactory(ContextFactory)
    L{DefaultOpenSSLContextFactory} is a factory for server-side SSL context objects. These objects define certain parameters related to SSL handshakes and the subsequent connection.
    @ivar _contextFactory: A callable which will be used to create new context objects. This is typically L{OpenSSL.SSL.Context}.
    __init__(privateKeyFileName, certificateFileName, sslmethod, _contextFactory):
        @param privateKeyFileName: Name of a file containing a private key
        @param certificateFileName: Name of a file containing a certificate
        @param sslmethod: The SSL method to use
    getContext(): Return an SSL context.

ClientContextFactory
    A context factory for SSL clients.

Client(tcp.Client)
    I am an SSL client.

Server(tcp.Server)
    I am an SSL server.

Port(tcp.Port)
    I am an SSL port.
    _getLogPrefix(): Override the normal prefix to include an annotation indicating this is a port for TLS connections.

Connector(tcp.Connector)

Exported names (__all__): ContextFactory, DefaultOpenSSLContextFactory, ClientContextFactory, DistinguishedName, DN, Certificate, CertificateRequest, PrivateCertificate, KeyPair, AcceptableCiphers, CertificateOptions, DiffieHellmanParameters, platformTrust, OpenSSLDefaultPaths, VerificationError, optionsForClientTLS, ProtocolNegotiationSupport, protocolNegotiationMechanisms, trustRootFromCertificates, TLSVersion. All names after ClientContextFactory are re-exported from twisted.internet._sslverify.