Package tlslite :: Module tlsconnection :: Class TLSConnection
[hide private]
[frames] | no frames]

type TLSConnection

source code


This class wraps a socket and provides TLS handshaking and data transfer.

To use this class, create a new instance, passing a connected socket into the constructor. Then call some handshake function. If the handshake completes without raising an exception, then a TLS connection has been negotiated. You can transfer data over this connection as if it were a socket.

This class provides both synchronous and asynchronous versions of its key functions. The synchronous versions should be used when writing single-or multi-threaded code using blocking sockets. The asynchronous versions should be used when performing asynchronous, event-based I/O with non-blocking sockets.

Asynchronous I/O is a complicated subject; typically, you should not use the asynchronous functions directly, but should use some framework like asyncore or Twisted which TLS Lite integrates with (see tlslite.integration.tlsasyncdispatchermixin.TLSAsyncDispatcherMixIn).

Instance Methods [hide private]
 
__init__(self, sock)
Create a new TLSConnection instance.
source code
 
_clientFinished(self, premasterSecret, clientRandom, serverRandom, cipherSuite, cipherImplementations, nextProto) source code
 
_clientGetKeyFromChain(self, certificate, settings, tackExt=None) source code
 
_clientGetServerHello(self, settings, clientHello) source code
 
_clientKeyExchange(self, settings, cipherSuite, clientCertChain, privateKey, certificateType, tackExt, clientRandom, serverRandom, keyExchange)
Perform the client side of key exchange
source code
 
_clientResume(self, session, serverHello, clientRandom, cipherImplementations, nextProto) source code
 
_clientSelectNextProto(self, nextProtos, serverHello) source code
 
_clientSendClientHello(self, settings, session, srpUsername, srpParams, certParams, anonParams, serverName, nextProtos, reqTack, alpn) source code
 
_getFinished(self, masterSecret, cipherSuite=None, expect_next_protocol=False, nextProto=None) source code
 
_handshakeClientAsync(self, srpParams=(), certParams=(), anonParams=(), session=None, settings=None, checker=None, nextProtos=None, serverName=None, reqTack=True, alpn=None) source code
 
_handshakeClientAsyncHelper(self, srpParams, certParams, anonParams, session, settings, serverName, nextProtos, reqTack, alpn) source code
 
_handshakeServerAsyncHelper(self, verifierDB, certChain, privateKey, reqCert, sessionCache, settings, reqCAs, tacks, activationFlags, nextProtos, anon, alpn) source code
 
_handshakeWrapperAsync(self, handshaker, checker) source code
 
_sendFinished(self, masterSecret, cipherSuite=None, nextProto=None) source code
 
_serverAnonKeyExchange(self, serverHello, keyExchange, cipherSuite) source code
 
_serverCertKeyExchange(self, clientHello, serverHello, serverCertChain, keyExchange, reqCert, reqCAs, cipherSuite, settings) source code
 
_serverFinished(self, premasterSecret, clientRandom, serverRandom, cipherSuite, cipherImplementations, nextProtos) source code
 
_serverGetClientHello(self, settings, certChain, verifierDB, sessionCache, anon, alpn) source code
 
_serverSRPKeyExchange(self, clientHello, serverHello, verifierDB, cipherSuite, privateKey, serverCertChain, settings)
Perform the server side of SRP key exchange
source code
None or an iterable
handshakeClientAnonymous(self, session=None, settings=None, checker=None, serverName=None, async=False)
Perform an anonymous handshake in the role of client.
source code
None or an iterable
handshakeClientCert(self, certChain=None, privateKey=None, session=None, settings=None, checker=None, nextProtos=None, reqTack=True, serverName=None, async=False, alpn=None)
Perform a certificate-based handshake in the role of client.
source code
None or an iterable
handshakeClientSRP(self, username, password, session=None, settings=None, checker=None, reqTack=True, serverName=None, async=False)
Perform an SRP handshake in the role of client.
source code
 
handshakeServer(self, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, reqCAs=None, tacks=None, activationFlags=0, nextProtos=None, anon=False, alpn=None)
Perform a handshake in the role of server.
source code
iterable
handshakeServerAsync(self, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, reqCAs=None, tacks=None, activationFlags=0, nextProtos=None, anon=False, alpn=None)
Start a server handshake operation on the TLS connection.
source code
 
keyingMaterialExporter(self, label, length=20)
Return keying material as described in RFC 5705
source code

Inherited from tlsrecordlayer.TLSRecordLayer: clearReadBuffer, clearWriteBuffer, close, closeAsync, fileno, getCipherImplementation, getCipherName, getVersionName, getpeername, getsockname, gettimeout, makefile, read, readAsync, recv, recv_into, send, sendall, setsockopt, settimeout, shutdown, unread, write, writeAsync

Static Methods [hide private]
 
_curveNamesToList(settings)
Convert list of acceptable curves to array identifiers
source code
 
_groupNamesToList(settings)
Convert list of acceptable ff groups to TLS identifiers.
source code
 
_pickServerKeyExchangeSig(settings, clientHello)
Pick a hash that matches most closely the supported ones
source code
 
_sigHashesToList(settings)
Convert list of valid signature hashes to array of tuples
source code
Instance Variables [hide private]

Inherited from tlsrecordlayer.TLSRecordLayer: allegedSrpUsername, closeSocket, closed, encryptThenMAC, ignoreAbruptClose, recordSize, resumed, session, sock, version

Properties [hide private]

Inherited from tlsrecordlayer.TLSRecordLayer (private): _client

Method Details [hide private]

__init__(self, sock)
(Constructor)

source code 

Create a new TLSConnection instance.

Parameters:
  • sock (socket.socket) - The socket data will be transmitted on. The socket should already be connected. It may be in blocking or non-blocking mode.
Overrides: tlsrecordlayer.TLSRecordLayer.__init__

handshakeClientAnonymous(self, session=None, settings=None, checker=None, serverName=None, async=False)

source code 

Perform an anonymous handshake in the role of client.

This function performs an SSL or TLS handshake using an anonymous Diffie Hellman ciphersuite.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:
  • session (tlslite.Session.Session) - A TLS session to attempt to resume. If the resumption does not succeed, a full handshake will be performed.
  • settings (tlslite.HandshakeSettings.HandshakeSettings) - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
  • checker (tlslite.Checker.Checker) - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
  • serverName (string) - The ServerNameIndication TLS Extension.
  • async (bool) - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.
Returns: None or an iterable
If 'async' is True, a generator object will be returned.
Raises:

handshakeClientCert(self, certChain=None, privateKey=None, session=None, settings=None, checker=None, nextProtos=None, reqTack=True, serverName=None, async=False, alpn=None)

source code 

Perform a certificate-based handshake in the role of client.

This function performs an SSL or TLS handshake. The server will authenticate itself using an X.509 certificate chain. If the handshake succeeds, the server's certificate chain will be stored in the session's serverCertChain attribute. Unless a checker object is passed in, this function does no validation or checking of the server's certificate chain.

If the server requests client authentication, the client will send the passed-in certificate chain, and use the passed-in private key to authenticate itself. If no certificate chain and private key were passed in, the client will attempt to proceed without client authentication. The server may or may not allow this.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:
  • certChain (tlslite.x509certchain.X509CertChain) - The certificate chain to be used if the server requests client authentication.
  • privateKey (tlslite.utils.rsakey.RSAKey) - The private key to be used if the server requests client authentication.
  • session (tlslite.session.Session) - A TLS session to attempt to resume. If the resumption does not succeed, a full handshake will be performed.
  • settings (tlslite.handshakesettings.HandshakeSettings) - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
  • checker (tlslite.checker.Checker) - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
  • nextProtos (list of strings.) - A list of upper layer protocols ordered by preference, to use in the Next-Protocol Negotiation Extension.
  • reqTack (bool) - Whether or not to send a "tack" TLS Extension, requesting the server return a TackExtension if it has one.
  • serverName (string) - The ServerNameIndication TLS Extension.
  • async (bool) - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.
  • alpn (list of bytearrays) - protocol names to advertise to server as supported by client in the Application Layer Protocol Negotiation extension. Example items in the array include b'http/1.1' or b'h2'.
Returns: None or an iterable
If 'async' is True, a generator object will be returned.
Raises:

handshakeClientSRP(self, username, password, session=None, settings=None, checker=None, reqTack=True, serverName=None, async=False)

source code 

Perform an SRP handshake in the role of client.

This function performs a TLS/SRP handshake. SRP mutually authenticates both parties to each other using only a username and password. This function may also perform a combined SRP and server-certificate handshake, if the server chooses to authenticate itself with a certificate chain in addition to doing SRP.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:
  • username (bytearray) - The SRP username.
  • password (bytearray) - The SRP password.
  • session (tlslite.session.Session) - A TLS session to attempt to resume. This session must be an SRP session performed with the same username and password as were passed in. If the resumption does not succeed, a full SRP handshake will be performed.
  • settings (tlslite.handshakesettings.HandshakeSettings) - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
  • checker (tlslite.checker.Checker) - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
  • reqTack (bool) - Whether or not to send a "tack" TLS Extension, requesting the server return a TackExtension if it has one.
  • serverName (string) - The ServerNameIndication TLS Extension.
  • async (bool) - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.
Returns: None or an iterable
If 'async' is True, a generator object will be returned.
Raises:

handshakeServer(self, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, reqCAs=None, tacks=None, activationFlags=0, nextProtos=None, anon=False, alpn=None)

source code 

Perform a handshake in the role of server.

This function performs an SSL or TLS handshake. Depending on the arguments and the behavior of the client, this function can perform an SRP, or certificate-based handshake. It can also perform a combined SRP and server-certificate handshake.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake. This function does not send a Hello Request message before performing the handshake, so if re-handshaking is required, the server must signal the client to begin the re-handshake through some other means.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:
  • verifierDB (tlslite.verifierdb.VerifierDB) - A database of SRP password verifiers associated with usernames. If the client performs an SRP handshake, the session's srpUsername attribute will be set.
  • certChain (tlslite.x509certchain.X509CertChain) - The certificate chain to be used if the client requests server certificate authentication.
  • privateKey (tlslite.utils.rsakey.RSAKey) - The private key to be used if the client requests server certificate authentication.
  • reqCert (bool) - Whether to request client certificate authentication. This only applies if the client chooses server certificate authentication; if the client chooses SRP authentication, this will be ignored. If the client performs a client certificate authentication, the sessions's clientCertChain attribute will be set.
  • sessionCache (tlslite.sessioncache.SessionCache) - An in-memory cache of resumable sessions. The client can resume sessions from this cache. Alternatively, if the client performs a full handshake, a new session will be added to the cache.
  • settings (tlslite.handshakesettings.HandshakeSettings) - Various settings which can be used to control the ciphersuites and SSL/TLS version chosen by the server.
  • checker (tlslite.checker.Checker) - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
  • reqCAs (list of bytearray of unsigned bytes) - A collection of DER-encoded DistinguishedNames that will be sent along with a certificate request. This does not affect verification.
  • nextProtos (list of strings.) - A list of upper layer protocols to expose to the clients through the Next-Protocol Negotiation Extension, if they support it.
  • alpn (list of bytearrays) - names of application layer protocols supported. Note that it will be used instead of NPN if both were advertised by client.
Raises:

handshakeServerAsync(self, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, reqCAs=None, tacks=None, activationFlags=0, nextProtos=None, anon=False, alpn=None)

source code 

Start a server handshake operation on the TLS connection.

This function returns a generator which behaves similarly to handshakeServer(). Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or it will raise StopIteration if the handshake operation is complete.

Returns: iterable
A generator; see above for details.

keyingMaterialExporter(self, label, length=20)

source code 

Return keying material as described in RFC 5705

Parameters:
  • label (bytearray) - label to be provided for the exporter
  • length (int) - number of bytes of the keying material to export