packages.urllib3.util.ssl_

Module Contents

Classes

SSLContext(self,protocol_version)

Functions

_const_compare_digest_backport(a,b) Compare two digests of equal length in constant time.
assert_fingerprint(cert,fingerprint) Checks if given fingerprint matches the supplied certificate.
resolve_cert_reqs(candidate) Resolves the argument to a numeric constant, which can be passed to
resolve_ssl_version(candidate) like resolve_cert_reqs
create_urllib3_context(ssl_version=None,cert_reqs=None,options=None,ciphers=None) All arguments have the same meaning as ssl_wrap_socket.
ssl_wrap_socket(sock,keyfile=None,certfile=None,cert_reqs=None,ca_certs=None,server_hostname=None,ssl_version=None,ciphers=None,ssl_context=None,ca_cert_dir=None) All arguments except for server_hostname, ssl_context, and ca_cert_dir have

_const_compare_digest_backport(a, b)

Compare two digests of equal length in constant time.

The digests must be of type str/bytes. Returns True if the digests match, and False otherwise.

class SSLContext(protocol_version)
__init__(protocol_version)
load_cert_chain(certfile, keyfile)
load_verify_locations(cafile=None, capath=None)
set_ciphers(cipher_suite)
wrap_socket(socket, server_hostname=None)

assert_fingerprint(cert, fingerprint)

Checks if given fingerprint matches the supplied certificate.

Parameters:
  • cert – Certificate as bytes object.
  • fingerprint – Fingerprint as string of hexdigits, can be interspersed by colons.
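
The fingerprint check that assert_fingerprint and _const_compare_digest_backport describe, as an added example using only the standard library (not urllib3's own code). The names check_fingerprint, const_time_equal, colon_hex and HASH_BY_HEX_LEN, the choice of SHA-1 or SHA-256 by fingerprint length, and the sample certificate bytes are assumptions of this example.

```python
import hashlib

# Assumed mapping for this example: hex-digit count of the pin -> hash function.
HASH_BY_HEX_LEN = {40: hashlib.sha1, 64: hashlib.sha256}


def const_time_equal(a: bytes, b: bytes) -> bool:
    """Compare two digests without stopping at the first differing byte."""
    result = len(a) ^ len(b)          # a length mismatch alone makes the result non-zero
    for x, y in zip(a, b):
        result |= x ^ y               # accumulate differences, never branch on them
    return result == 0


def check_fingerprint(cert_der: bytes, fingerprint: str) -> bool:
    """Return True if the hex fingerprint matches the digest of the certificate bytes."""
    hexdigits = fingerprint.replace(":", "").strip().lower()
    hash_fn = HASH_BY_HEX_LEN.get(len(hexdigits))
    if hash_fn is None:
        raise ValueError("fingerprint has unsupported length: %d" % len(hexdigits))
    try:
        expected = bytes.fromhex(hexdigits)
    except ValueError:
        raise ValueError("fingerprint contains non-hex characters") from None
    return const_time_equal(hash_fn(cert_der).digest(), expected)


def colon_hex(digest: bytes) -> str:
    """Format a digest the way fingerprints are commonly displayed (AA:BB:...)."""
    return ":".join("%02X" % byte for byte in digest)


# Constructed sample input: stand-in bytes, not a real DER certificate.
SAMPLE_CERT = b"constructed certificate bytes for the example"
SAMPLE_PIN = colon_hex(hashlib.sha256(SAMPLE_CERT).digest())

if __name__ == "__main__":
    print(check_fingerprint(SAMPLE_CERT, SAMPLE_PIN))            # pinned certificate
    print(check_fingerprint(SAMPLE_CERT + b"\x00", SAMPLE_PIN))  # altered certificate
```

On Python versions that provide it, hmac.compare_digest is the standard-library function for the constant-time comparison step.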

resolve_cert_reqs(candidate)

Resolves the argument to a numeric constant, which can be passed to the wrap_socket function/method from the ssl module. Defaults to ssl.CERT_NONE. If given a string, it is assumed to be the name of the constant in the ssl module or its abbreviation (so you can specify REQUIRED instead of CERT_REQUIRED). If it’s neither None nor a string, we assume it is already the numeric constant, which can be passed directly to wrap_socket.

resolve_ssl_version(candidate)

like resolve_cert_reqs

create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None)

All arguments have the same meaning as ssl_wrap_socket.

By default, this function does a lot of the same work that ssl.create_default_context does on Python 3.4+. It:

  • Disables SSLv2, SSLv3, and compression
  • Sets a restricted set of server ciphers

If you wish to enable SSLv3, you can do:

from urllib3.util import ssl_
context = ssl_.create_urllib3_context()
context.options &= ~ssl_.OP_NO_SSLv3

You can do the same to enable compression (substituting COMPRESSION for SSLv3 in the last line above).

Parameters:
  • ssl_version – The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support.
  • cert_reqs – Whether to require certificate verification. This defaults to ssl.CERT_REQUIRED.
  • options – Specific OpenSSL options. These default to ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv3, ssl.OP_NO_COMPRESSION.
  • ciphers – Which cipher suites to allow the server to select.
Returns:

Constructed SSLContext object with specified options

Return type:

SSLContext

ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None, ciphers=None, ssl_context=None, ca_cert_dir=None)

All arguments except for server_hostname, ssl_context, and ca_cert_dir have the same meaning as they do when using ssl.wrap_socket().

Parameters:
  • server_hostname – When SNI is supported, the expected hostname of the certificate
  • ssl_context – A pre-made SSLContext object. If none is provided, one will be created using create_urllib3_context().
  • ciphers – A string of ciphers we wish the client to support. This is not supported on Python 2.6 as the ssl module does not support it.
  • ca_cert_dir – A directory containing CA certificates in multiple separate files, as supported by OpenSSL’s -CApath flag or the capath argument to SSLContext.load_verify_locations().