tlslite.tlsconnection module

MAIN CLASS FOR TLS LITE (START HERE!).

class tlslite.tlsconnection.TLSConnection(sock)[source]

Bases: TLSRecordLayer

This class wraps a socket and provides TLS handshaking and data transfer.

To use this class, create a new instance, passing a connected socket into the constructor. Then call some handshake function. If the handshake completes without raising an exception, then a TLS connection has been negotiated. You can transfer data over this connection as if it were a socket.

This class provides both synchronous and asynchronous versions of its key functions. The synchronous versions should be used when writing single-or multi-threaded code using blocking sockets. The asynchronous versions should be used when performing asynchronous, event-based I/O with non-blocking sockets.

Asynchronous I/O is a complicated subject; typically, you should not use the asynchronous functions directly, but should use some framework like asyncore or Twisted which TLS Lite integrates with (see TLSAsyncDispatcherMixIn).

__init__(sock)[source]

Create a new TLSConnection instance.

Parameters:

sock (socket.socket) – The socket data will be transmitted on. The socket should already be connected. It may be in blocking or non-blocking mode.

handshakeClientAnonymous(session=None, settings=None, checker=None, serverName=None, async_=False)[source]

Perform an anonymous handshake in the role of client.

This function performs an SSL or TLS handshake using an anonymous Diffie Hellman ciphersuite.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:

  • session (Session) – A TLS session to attempt to resume. If the resumption does not succeed, a full handshake will be performed.

  • settings (HandshakeSettings) – Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.

  • checker (Checker) – A Checker instance. This instance will be invoked to examine the other party’s authentication credentials, if the handshake completes succesfully.

  • serverName (string) – The ServerNameIndication TLS Extension.

  • async (bool) – If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.

Return type:

None or an iterable

Returns:

If ‘async_’ is True, a generator object will be returned.

Raises:
handshakeClientCert(certChain=None, privateKey=None, session=None, settings=None, checker=None, nextProtos=None, reqTack=True, serverName=None, async_=False, alpn=None)[source]

Perform a certificate-based handshake in the role of client.

This function performs an SSL or TLS handshake. The server will authenticate itself using an X.509 certificate chain. If the handshake succeeds, the server’s certificate chain will be stored in the session’s serverCertChain attribute. Unless a checker object is passed in, this function does no validation or checking of the server’s certificate chain.

If the server requests client authentication, the client will send the passed-in certificate chain, and use the passed-in private key to authenticate itself. If no certificate chain and private key were passed in, the client will attempt to proceed without client authentication. The server may or may not allow this.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:

  • certChain (X509CertChain) – The certificate chain to be used if the server requests client authentication.

  • privateKey (RSAKey) – The private key to be used if the server requests client authentication.

  • session (Session) – A TLS session to attempt to resume. If the resumption does not succeed, a full handshake will be performed.

  • settings (HandshakeSettings) – Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.

  • checker (Checker) – A Checker instance. This instance will be invoked to examine the other party’s authentication credentials, if the handshake completes succesfully.

  • nextProtos (list of str) – A list of upper layer protocols ordered by preference, to use in the Next-Protocol Negotiation Extension.

  • reqTack (bool) – Whether or not to send a “tack” TLS Extension, requesting the server return a TackExtension if it has one.

  • serverName (string) – The ServerNameIndication TLS Extension.

  • async (bool) – If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.

  • alpn (list of bytearrays) – protocol names to advertise to server as supported by client in the Application Layer Protocol Negotiation extension. Example items in the array include b’http/1.1’ or b’h2’.

Return type:

None or an iterable

Returns:

If ‘async_’ is True, a generator object will be returned.

Raises:
handshakeClientSRP(username, password, session=None, settings=None, checker=None, reqTack=True, serverName=None, async_=False)[source]

Perform an SRP handshake in the role of client.

This function performs a TLS/SRP handshake. SRP mutually authenticates both parties to each other using only a username and password. This function may also perform a combined SRP and server-certificate handshake, if the server chooses to authenticate itself with a certificate chain in addition to doing SRP.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:

  • username (bytearray) – The SRP username.

  • password (bytearray) – The SRP password.

  • session (Session) – A TLS session to attempt to resume. This session must be an SRP session performed with the same username and password as were passed in. If the resumption does not succeed, a full SRP handshake will be performed.

  • settings (HandshakeSettings) – Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.

  • checker (Checker) – A Checker instance. This instance will be invoked to examine the other party’s authentication credentials, if the handshake completes succesfully.

  • reqTack (bool) – Whether or not to send a “tack” TLS Extension, requesting the server return a TackExtension if it has one.

  • serverName (string) – The ServerNameIndication TLS Extension.

  • async (bool) – If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.

Return type:

None or an iterable

Returns:

If ‘async_’ is True, a generator object will be returned.

Raises:
handshakeServer(verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, reqCAs=None, tacks=None, activationFlags=0, nextProtos=None, anon=False, alpn=None, sni=None)[source]

Perform a handshake in the role of server.

This function performs an SSL or TLS handshake. Depending on the arguments and the behavior of the client, this function can perform an SRP, or certificate-based handshake. It can also perform a combined SRP and server-certificate handshake.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake. This function does not send a Hello Request message before performing the handshake, so if re-handshaking is required, the server must signal the client to begin the re-handshake through some other means.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:

  • verifierDB (VerifierDB) – A database of SRP password verifiers associated with usernames. If the client performs an SRP handshake, the session’s srpUsername attribute will be set.

  • certChain (X509CertChain) – The certificate chain to be used if the client requests server certificate authentication and no virtual host defined in HandshakeSettings matches ClientHello.

  • privateKey (RSAKey) – The private key to be used if the client requests server certificate authentication and no virtual host defined in HandshakeSettings matches ClientHello.

  • reqCert (bool) – Whether to request client certificate authentication. This only applies if the client chooses server certificate authentication; if the client chooses SRP authentication, this will be ignored. If the client performs a client certificate authentication, the sessions’s clientCertChain attribute will be set.

  • sessionCache (SessionCache) – An in-memory cache of resumable sessions. The client can resume sessions from this cache. Alternatively, if the client performs a full handshake, a new session will be added to the cache.

  • settings (HandshakeSettings) – Various settings which can be used to control the ciphersuites and SSL/TLS version chosen by the server.

  • checker (Checker) – A Checker instance. This instance will be invoked to examine the other party’s authentication credentials, if the handshake completes succesfully.

  • reqCAs (list of bytearray) – A collection of DER-encoded DistinguishedNames that will be sent along with a certificate request to help client pick a certificates. This does not affect verification.

  • nextProtos (list of str) – A list of upper layer protocols to expose to the clients through the Next-Protocol Negotiation Extension, if they support it. Deprecated, use the virtual_hosts in HandshakeSettings.

  • alpn (list of bytearray) – names of application layer protocols supported. Note that it will be used instead of NPN if both were advertised by client. Deprecated, use the virtual_hosts in HandshakeSettings.

  • sni (bytearray) – expected virtual name hostname. Deprecated, use the virtual_hosts in HandshakeSettings.

Raises:
handshakeServerAsync(verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, reqCAs=None, tacks=None, activationFlags=0, nextProtos=None, anon=False, alpn=None, sni=None)[source]

Start a server handshake operation on the TLS connection.

This function returns a generator which behaves similarly to handshakeServer(). Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or it will raise StopIteration if the handshake operation is complete.

Return type:

iterable

Returns:

A generator; see above for details.

keyingMaterialExporter(label, length=20)[source]

Return keying material as described in RFC 5705

Parameters:

  • label (bytearray) – label to be provided for the exporter

  • length (int) – number of bytes of the keying material to export

request_post_handshake_auth(settings=None)[source]

Request Post-handshake Authentication from client.

The PHA process is asynchronous, and client may send some data before its certificates are added to Session object. Calling this generator will only request for the new identity of client, it will not wait for it.

tlslite.tlsconnection.bytes_to_int(bytes, byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use `sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Indicates whether two’s complement is used to represent the integer.