contrib.pyopenssl

SSL with SNI-support for Python 2. Follow these instructions if you would like to verify SSL certificates in Python 2. Note, the default libraries do not do certificate checking; you need to do additional work to validate certificates yourself.

This needs the following packages installed:

  • pyOpenSSL (tested with 0.13)
  • ndg-httpsclient (tested with 0.3.2)
  • pyasn1 (tested with 0.1.6)

You can install them with the following command:

pip install pyopenssl ndg-httpsclient pyasn1

To activate certificate checking, call inject_into_urllib3() from your Python code before you begin making HTTP requests. This can be done in a sitecustomize module, or at any other time before your application begins using urllib3, like this:

try:
    import urllib3.contrib.pyopenssl
    urllib3.contrib.pyopenssl.inject_into_urllib3()
except ImportError:
    pass

Now you can use urllib3 as you normally would, and it will support SNI when the required modules are installed.

Activating this module also has the positive side effect of disabling SSL/TLS compression in Python 2 (see CRIME attack).

If you want to configure the default list of supported cipher suites, you can set the urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST variable.

Module Variables

var DEFAULT_SSL_CIPHER_LIST:
 The list of supported SSL/TLS cipher suites. Default: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES: ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Module Contents

Classes

SubjectAltName() ASN.1 implementation for subjectAltNames support
WrappedSocket(self,connection,socket,suppress_ragged_eofs=True) API-compatibility wrapper for Python OpenSSL’s Connection-class.

Functions

inject_into_urllib3() ‘Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.’
extract_from_urllib3() ‘Undo monkey-patching by inject_into_urllib3().’
get_subj_alt_name(peer_cert)
_verify_callback(cnx,x509,err_no,err_depth,return_code)
ssl_wrap_socket(sock,keyfile=None,certfile=None,cert_reqs=None,ca_certs=None,server_hostname=None,ssl_version=None)
inject_into_urllib3()

‘Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.’

extract_from_urllib3()

‘Undo monkey-patching by inject_into_urllib3().’

class SubjectAltName

ASN.1 implementation for subjectAltNames support

get_subj_alt_name(peer_cert)
class WrappedSocket(connection, socket, suppress_ragged_eofs=True)

API-compatibility wrapper for Python OpenSSL’s Connection-class.

Note: _makefile_refs, _drop() and _reuse() are needed for the garbage collector of pypy.

__init__(connection, socket, suppress_ragged_eofs=True)
fileno()
makefile(mode, bufsize=None)
recv(*args, **kwargs)
settimeout(timeout)
_send_until_done(data)
sendall(data)
close()
getpeercert(binary_form=False)
_reuse()
_drop()
_verify_callback(cnx, x509, err_no, err_depth, return_code)
ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None)