Package tlslite :: Module TLSConnection :: Class TLSConnection
[show private | hide private]
[frames | no frames]

Class TLSConnection

TLSRecordLayer --+
                 |
                TLSConnection


This class wraps a socket and provides TLS handshaking and data transfer.

To use this class, create a new instance, passing a connected socket into the constructor. Then call some handshake function. If the handshake completes without raising an exception, then a TLS connection has been negotiated. You can transfer data over this connection as if it were a socket.

This class provides both synchronous and asynchronous versions of its key functions. The synchronous versions should be used when writing single-or multi-threaded code using blocking sockets. The asynchronous versions should be used when performing asynchronous, event-based I/O with non-blocking sockets.

Asynchronous I/O is a complicated subject; typically, you should not use the asynchronous functions directly, but should use some framework like asyncore or Twisted which TLS Lite integrates with (see tlslite.integration.TLSAsyncDispatcherMixIn.TLSAsyncDispatcherMixIn or tlslite.integration.TLSTwistedProtocolWrapper.TLSTwistedProtocolWrapper).
Method Summary
  __init__(self, sock)
Create a new TLSConnection instance.
None or an iterable handshakeClientCert(self, certChain, privateKey, session, settings, checker, async)
Perform a certificate-based handshake in the role of client.
None or an iterable handshakeClientSharedKey(self, username, sharedKey, settings, checker, async)
Perform a shared-key handshake in the role of client.
None or an iterable handshakeClientSRP(self, username, password, session, settings, checker, async)
Perform an SRP handshake in the role of client.
None or an iterable handshakeClientUnknown(self, srpCallback, certCallback, session, settings, checker, async)
Perform a to-be-determined type of handshake in the role of client.
  handshakeServer(self, sharedKeyDB, verifierDB, certChain, privateKey, reqCert, sessionCache, settings, checker)
Perform a handshake in the role of server.
iterable handshakeServerAsync(self, sharedKeyDB, verifierDB, certChain, privateKey, reqCert, sessionCache, settings, checker)
Start a server handshake operation on the TLS connection.
    Inherited from TLSRecordLayer
  close(self)
Close the TLS connection.
iterable closeAsync(self)
Start a close operation on the TLS connection.
str getCipherImplementation(self)
Get the name of the cipher implementation used with this connection.
str getCipherName(self)
Get the name of the cipher used with this connection.
  getpeername(self)
Return the remote address to which the socket is connected (socket emulation).
  getsockname(self)
Return the socket's own address (socket emulation).
  gettimeout(self)
Return the timeout associated with socket operations (socket emulation).
tlslite.FileObject.FileObject makefile(self, mode, bufsize)
Create a file object for the TLS connection (socket emulation).
str read(self, max, min)
Read some data from the TLS connection.
iterable readAsync(self, max, min)
Start a read operation on the TLS connection.
  recv(self, bufsize)
Get some data from the TLS connection (socket emulation).
  send(self, s)
Send data to the TLS connection (socket emulation).
  sendall(self, s)
Send data to the TLS connection (socket emulation).
  setsockopt(self, level, optname, value)
Set the value of the given socket option (socket emulation).
  settimeout(self, value)
Set a timeout on blocking socket operations (socket emulation).
  write(self, s)
Write some data to the TLS connection.
iterable writeAsync(self, s)
Start a write operation on the TLS connection.

Instance Variable Summary
    Inherited from TLSRecordLayer
str or None allegedSharedKeyUsername: This is set to the shared-key username asserted by the client, whether the handshake succeeded or not.
str or None allegedSrpUsername: This is set to the SRP username asserted by the client, whether the handshake succeeded or not.
bool closed: If this connection is closed.
bool closeSocket: If the socket should be closed when the connection is closed (writable).
bool ignoreAbruptClose: If an abrupt close of the socket should raise an error (writable).
bool resumed: If this connection is based on a resumed session.
tlslite.Session.Session session: The session corresponding to this connection.
socket.socket sock: The underlying socket object.
tuple version: The TLS version being used for this connection.

Method Details

__init__(self, sock)
(Constructor)

Create a new TLSConnection instance.
Parameters:
sock - The socket data will be transmitted on. The socket should already be connected. It may be in blocking or non-blocking mode.
           (type=socket.socket)
Overrides:
tlslite.TLSRecordLayer.TLSRecordLayer.__init__

handshakeClientCert(self, certChain=None, privateKey=None, session=None, settings=None, checker=None, async=False)

Perform a certificate-based handshake in the role of client.

This function performs an SSL or TLS handshake. The server will authenticate itself using an X.509 or cryptoID certificate chain. If the handshake succeeds, the server's certificate chain will be stored in the session's serverCertChain attribute. Unless a checker object is passed in, this function does no validation or checking of the server's certificate chain.

If the server requests client authentication, the client will send the passed-in certificate chain, and use the passed-in private key to authenticate itself. If no certificate chain and private key were passed in, the client will attempt to proceed without client authentication. The server may or may not allow this.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).
Parameters:
certChain - The certificate chain to be used if the server requests client authentication.
           (type=tlslite.X509CertChain.X509CertChain or cryptoIDlib.CertChain.CertChain)
privateKey - The private key to be used if the server requests client authentication.
           (type=tlslite.utils.RSAKey.RSAKey)
session - A TLS session to attempt to resume. If the resumption does not succeed, a full handshake will be performed.
           (type=tlslite.Session.Session)
settings - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
           (type=tlslite.HandshakeSettings.HandshakeSettings)
checker - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
           (type=tlslite.Checker.Checker)
async - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.
           (type=bool)
Returns:
If 'async' is True, a generator object will be returned.
           (type=None or an iterable)
Raises:
socket.error - If a socket error occurs.
tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert - If a TLS alert is signalled.
tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

handshakeClientSharedKey(self, username, sharedKey, settings=None, checker=None, async=False)

Perform a shared-key handshake in the role of client.

This function performs a shared-key handshake. Using shared symmetric keys of high entropy (128 bits or greater) mutually authenticates both parties to each other.

TLS with shared-keys is non-standard. Most TLS implementations don't support it. See http://www.ietf.org/html.charters/tls-charter.html for the latest information on TLS with shared-keys. If the shared-keys Internet-Draft changes or is superceded, TLS Lite will track those changes, so the shared-key support in later versions of TLS Lite may become incompatible with this version.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).
Parameters:
username - The shared-key username.
           (type=str)
sharedKey - The shared key.
           (type=str)
settings - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
           (type=tlslite.HandshakeSettings.HandshakeSettings)
checker - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
           (type=tlslite.Checker.Checker)
async - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.
           (type=bool)
Returns:
If 'async' is True, a generator object will be returned.
           (type=None or an iterable)
Raises:
socket.error - If a socket error occurs.
tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert - If a TLS alert is signalled.
tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

handshakeClientSRP(self, username, password, session=None, settings=None, checker=None, async=False)

Perform an SRP handshake in the role of client.

This function performs a TLS/SRP handshake. SRP mutually authenticates both parties to each other using only a username and password. This function may also perform a combined SRP and server-certificate handshake, if the server chooses to authenticate itself with a certificate chain in addition to doing SRP.

TLS/SRP is non-standard. Most TLS implementations don't support it. See http://www.ietf.org/html.charters/tls-charter.html or http://trevp.net/tlssrp/ for the latest information on TLS/SRP.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).
Parameters:
username - The SRP username.
           (type=str)
password - The SRP password.
           (type=str)
session - A TLS session to attempt to resume. This session must be an SRP session performed with the same username and password as were passed in. If the resumption does not succeed, a full SRP handshake will be performed.
           (type=tlslite.Session.Session)
settings - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
           (type=tlslite.HandshakeSettings.HandshakeSettings)
checker - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
           (type=tlslite.Checker.Checker)
async - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.
           (type=bool)
Returns:
If 'async' is True, a generator object will be returned.
           (type=None or an iterable)
Raises:
socket.error - If a socket error occurs.
tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert - If a TLS alert is signalled.
tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

handshakeClientUnknown(self, srpCallback=None, certCallback=None, session=None, settings=None, checker=None, async=False)

Perform a to-be-determined type of handshake in the role of client.

This function performs an SSL or TLS handshake. If the server requests client certificate authentication, the certCallback will be invoked and should return a (certChain, privateKey) pair. If the callback returns None, the library will attempt to proceed without client authentication. The server may or may not allow this.

If the server requests SRP authentication, the srpCallback will be invoked and should return a (username, password) pair. If the callback returns None, the local implementation will signal a user_canceled error alert.

After the handshake completes, the client can inspect the connection's session attribute to determine what type of authentication was performed.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).
Parameters:
srpCallback - The callback to be used if the server requests SRP authentication. If None, the client will not offer support for SRP ciphersuites.
           (type=callable)
certCallback - The callback to be used if the server requests client certificate authentication.
           (type=callable)
session - A TLS session to attempt to resume. If the resumption does not succeed, a full handshake will be performed.
           (type=tlslite.Session.Session)
settings - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
           (type=tlslite.HandshakeSettings.HandshakeSettings)
checker - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
           (type=tlslite.Checker.Checker)
async - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.
           (type=bool)
Returns:
If 'async' is True, a generator object will be returned.
           (type=None or an iterable)
Raises:
socket.error - If a socket error occurs.
tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert - If a TLS alert is signalled.
tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

handshakeServer(self, sharedKeyDB=None, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None)

Perform a handshake in the role of server.

This function performs an SSL or TLS handshake. Depending on the arguments and the behavior of the client, this function can perform a shared-key, SRP, or certificate-based handshake. It can also perform a combined SRP and server-certificate handshake.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake. This function does not send a Hello Request message before performing the handshake, so if re-handshaking is required, the server must signal the client to begin the re-handshake through some other means.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).
Parameters:
sharedKeyDB - A database of shared symmetric keys associated with usernames. If the client performs a shared-key handshake, the session's sharedKeyUsername attribute will be set.
           (type=tlslite.SharedKeyDB.SharedKeyDB)
verifierDB - A database of SRP password verifiers associated with usernames. If the client performs an SRP handshake, the session's srpUsername attribute will be set.
           (type=tlslite.VerifierDB.VerifierDB)
certChain - The certificate chain to be used if the client requests server certificate authentication.
           (type=tlslite.X509CertChain.X509CertChain or cryptoIDlib.CertChain.CertChain)
privateKey - The private key to be used if the client requests server certificate authentication.
           (type=tlslite.utils.RSAKey.RSAKey)
reqCert - Whether to request client certificate authentication. This only applies if the client chooses server certificate authentication; if the client chooses SRP or shared-key authentication, this will be ignored. If the client performs a client certificate authentication, the sessions's clientCertChain attribute will be set.
           (type=bool)
sessionCache - An in-memory cache of resumable sessions. The client can resume sessions from this cache. Alternatively, if the client performs a full handshake, a new session will be added to the cache.
           (type=tlslite.SessionCache.SessionCache)
settings - Various settings which can be used to control the ciphersuites and SSL/TLS version chosen by the server.
           (type=tlslite.HandshakeSettings.HandshakeSettings)
checker - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
           (type=tlslite.Checker.Checker)
Raises:
socket.error - If a socket error occurs.
tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert - If a TLS alert is signalled.
tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None)

Start a server handshake operation on the TLS connection.

This function returns a generator which behaves similarly to handshakeServer(). Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or it will raise StopIteration if the handshake operation is complete.
Returns:
A generator; see above for details.
           (type=iterable)

Generated by Epydoc 2.0 on Mon Feb 21 21:56:56 2005 http://epydoc.sf.net