cheroot.ssl.pyopenssl module

A library for integrating pyOpenSSL with Cheroot.

The OpenSSL module, provided by the pyOpenSSL package, must be importable for SSL/TLS/HTTPS functionality.

To use this module, set HTTPServer.ssl_adapter to an instance of ssl.Adapter. There are two ways to use TLS:

Method One: ssl_adapter.context

If ssl_adapter.context is not None, it is assumed to be an SSL.Context instance and is passed to SSL.Connection on bind(). The developer is responsible for building a valid Context object. This approach is preferred when more flexibility is needed, e.g. if the cert and key are streams instead of files, or need decryption, or SSL.SSLv3_METHOD is desired instead of the default SSL.SSLv23_METHOD, etc. Consult the pyOpenSSL documentation for the complete set of options.

Method Two (shortcut): ssl_adapter.certificate and ssl_adapter.private_key

Both are None by default. If ssl_adapter.context is None but .private_key and .certificate are both given and valid, the files are read and the context is created from them automatically.

class cheroot.ssl.pyopenssl.SSLFileobjectStreamReader(sock, bufsize=8192)

Bases: StreamReader

SSL file object attached to a socket object.

class cheroot.ssl.pyopenssl.SSLFileobjectStreamWriter(sock, bufsize=8192)

Bases: StreamWriter

SSL file object attached to a socket object.

class cheroot.ssl.pyopenssl.pyOpenSSLAdapter(certificate, private_key, certificate_chain=None, ciphers=None, *, private_key_password=None)

Bases: Adapter

A wrapper for integrating pyOpenSSL.

_configure_connection_state(ssl_object, server_side)

Set connection to server or client mode.

_create_pyopenssl_connection(raw_socket)

Create a pyOpenSSL connection object.

_get_client_cert_environ(conn, ssl_environ)

Add client certificate details using pyOpenSSL.

_get_library_version_environ()

Get SSL library version information for pyOpenSSL.

_get_optional_environ(conn)

Get optional environment variables for pyOpenSSL.

_get_server_cert_environ()

Get server certificate info using pyOpenSSL certificate parsing.

_handle_ssl_error(error)

Handle SSL errors during handshake.

_password_callback(password_max_length, _verify_twice, password, /)

Pass the passphrase for a password-protected private key.

_perform_handshake(ssl_object, raw_socket)

Perform SSL handshake with error handling.

_wait_for_handshake_data(raw_socket)

Wait for peer to send data during handshake.

_wrap_with_pyopenssl(raw_socket, server_side=True)

Create a TLSSocket wrapping a PyOpenSSL connection.

bind(sock)

Prepare the server socket.

Ensures that the SSL context object is created and fully configured. For Method One the caller supplies the context at __init__(); for Method Two it is constructed from the certificate files.

certificate = None

The file name of the server’s TLS certificate.

certificate_chain = None

Optional. The file name of the CA’s intermediate certificate bundle.

This is needed for cheaper “chained root” TLS certificates, and should be left as None if not required.

ciphers = None

The list of TLS cipher suites to enable.

property context

Get the SSL context.

get_context()

Return an SSL.Context from self attributes.

Uses TLS_SERVER_METHOD, which supports TLS 1.0-1.3, but immediately disables the insecure protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1) via set_options(), so that only TLS 1.2+ is accepted.
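As an added example (not cheroot's own code), here is a Method One context built directly with pyOpenSSL that applies the same hardening get_context() is described as doing, TLS_SERVER_METHOD with the legacy versions masked via set_options(), while loading the certificate and a passphrase-protected key from in-memory PEM bytes rather than file names. The function names, the constructed self-signed credentials and the cipher string are assumptions for illustration.

```python
from OpenSSL import SSL, crypto

# Legacy protocol versions that get_context() is documented to mask off.
LEGACY_PROTOCOLS = SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1


def build_server_context(cert_pem, key_pem, *, key_passphrase=None,
                         chain_pems=(), ciphers=None):
    """Return a TLS 1.2+ only SSL.Context loaded from in-memory PEM bytes."""
    ctx = SSL.Context(SSL.TLS_SERVER_METHOD)
    # Mask the legacy versions AND set an explicit floor, so a changed
    # OpenSSL default cannot silently re-enable TLS 1.0/1.1 later.
    ctx.set_options(LEGACY_PROTOCOLS | SSL.OP_NO_COMPRESSION)
    ctx.set_min_proto_version(SSL.TLS1_2_VERSION)
    if ciphers:  # same role as the adapter's `ciphers` attribute
        ctx.set_cipher_list(ciphers.encode("ascii"))

    cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
    # Decrypts an encrypted PEM key in memory; a wrong passphrase raises crypto.Error.
    key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem, key_passphrase)
    ctx.use_certificate(cert)
    ctx.use_privatekey(key)
    ctx.check_privatekey()  # SSL.Error if the key does not match the certificate
    # Intermediates, one PEM block each (the role of `certificate_chain`).
    for pem in chain_pems:
        ctx.add_extra_chain_cert(crypto.load_certificate(crypto.FILETYPE_PEM, pem))
    return ctx


def make_constructed_credentials(passphrase):
    """Constructed self-signed cert plus passphrase-encrypted key, for local tests only."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = "localhost"
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return (crypto.dump_certificate(crypto.FILETYPE_PEM, cert),
            crypto.dump_privatekey(crypto.FILETYPE_PEM, key, "aes-256-cbc", passphrase))


if __name__ == "__main__":
    cert_pem, key_pem = make_constructed_credentials(b"s3cret")
    ctx = build_server_context(cert_pem, key_pem, key_passphrase=b"s3cret",
                               ciphers="ECDHE+AESGCM")
    # Hand `ctx` to the adapter as ssl_adapter.context (Method One) before bind().
    print("context ready:", ctx)
```

Assign the returned context to ssl_adapter.context before bind() so the adapter uses it instead of building one from the certificate and private_key file names.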

private_key = None

The file name of the server’s private key file.

private_key_password = None

Optional passphrase for a password-protected private key.

wrap(sock)

Wrap client socket with SSL and return environ entries.