Merged revisions 57620-57771 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/trunk ........ r57771 | thomas.wouters | 2007-08-30 23:54:39 +0200 (Thu, 30 Aug 2007) | 5 lines Don't lie in __all__ attributes when SSL is not available: only add the SSL classes when they are actually created. ........ r57620 | walter.doerwald | 2007-08-28 18:38:26 +0200 (Tue, 28 Aug 2007) | 5 lines Fix title endtag in HTMLCalender.formatyearpage(). Fix documentation for HTMLCalender.formatyearpage() (there's no themonth parameter). This fixes issue1046. ........ r57622 | georg.brandl | 2007-08-28 20:54:44 +0200 (Tue, 28 Aug 2007) | 2 lines Add a crasher for the thread-unsafety of file objects. ........ r57626 | skip.montanaro | 2007-08-29 01:22:52 +0200 (Wed, 29 Aug 2007) | 1 line fixes 813986 ........ r57628 | walter.doerwald | 2007-08-29 01:35:33 +0200 (Wed, 29 Aug 2007) | 2 lines Fix test output. ........ r57631 | skip.montanaro | 2007-08-29 03:24:11 +0200 (Wed, 29 Aug 2007) | 2 lines Install pygettext (once the scriptsinstall target is working again). ........ r57633 | skip.montanaro | 2007-08-29 03:33:45 +0200 (Wed, 29 Aug 2007) | 2 lines Recent items. ........ r57650 | neal.norwitz | 2007-08-29 08:15:33 +0200 (Wed, 29 Aug 2007) | 1 line Add Bill as a developer ........ r57651 | facundo.batista | 2007-08-29 12:28:28 +0200 (Wed, 29 Aug 2007) | 5 lines Ignore test failures caused by 'resource temporarily unavailable' exceptions raised during FailingServerTestCase tests. [GSoC - Alan McIntyre] ........ r57680 | bill.janssen | 2007-08-30 00:35:05 +0200 (Thu, 30 Aug 2007) | 17 lines This contains a number of things: 1) Improve the documentation of the SSL module, with a fuller explanation of certificate usage, another reference, proper formatting of this and that. 2) Fix Windows bug in ssl.py, and general bug in sslsocket.close(). Remove some unused code from ssl.py. Allow accept() to be called on sslsocket sockets. 3) Use try-except-else in import of ssl in socket.py. Deprecate use of socket.ssl(). 4) Remove use of socket.ssl() in every library module, except for test_socket_ssl.py and test_ssl.py. ........ r57714 | georg.brandl | 2007-08-30 12:09:42 +0200 (Thu, 30 Aug 2007) | 2 lines Stronger urge to convert filenames to str before using them as argument to ZipFile.write(). ........ r57716 | georg.brandl | 2007-08-30 12:38:56 +0200 (Thu, 30 Aug 2007) | 2 lines Patch #1680959: add test suite for pipes module. ........ r57717 | georg.brandl | 2007-08-30 14:32:23 +0200 (Thu, 30 Aug 2007) | 3 lines * Skip test_pipes on non-POSIX. * Don't raise TestSkipped within a test function. ........ r57723 | mark.summerfield | 2007-08-30 17:03:03 +0200 (Thu, 30 Aug 2007) | 3 lines Added more cross-references. ........ r57726 | walter.doerwald | 2007-08-30 17:30:09 +0200 (Thu, 30 Aug 2007) | 2 lines Rewrap line. ........ r57727 | walter.doerwald | 2007-08-30 17:34:55 +0200 (Thu, 30 Aug 2007) | 2 lines Set startinpos before calling the error handler. ........ r57730 | bill.janssen | 2007-08-30 19:07:28 +0200 (Thu, 30 Aug 2007) | 3 lines Added docstrings to methods and functions. ........ r57743 | bill.janssen | 2007-08-30 20:08:06 +0200 (Thu, 30 Aug 2007) | 1 line added note on new ssl module and deprecation of socket.ssl ........ r57747 | martin.v.loewis | 2007-08-30 20:14:01 +0200 (Thu, 30 Aug 2007) | 1 line Fix popen usage. ........ r57748 | martin.v.loewis | 2007-08-30 20:15:22 +0200 (Thu, 30 Aug 2007) | 1 line Fix typo. ........ r57750 | martin.v.loewis | 2007-08-30 20:25:47 +0200 (Thu, 30 Aug 2007) | 1 line Bug #1746880: Correctly install DLLs into system32 folder on Win64. ........ r57760 | martin.v.loewis | 2007-08-30 21:04:09 +0200 (Thu, 30 Aug 2007) | 1 line Bug #1709599: Run test_1565150 only if the file system is NTFS. ........ r57762 | martin.v.loewis | 2007-08-30 22:10:57 +0200 (Thu, 30 Aug 2007) | 2 lines Bump autoconf minimum version to 2.61. ........ r57764 | lars.gustaebel | 2007-08-30 22:24:31 +0200 (Thu, 30 Aug 2007) | 2 lines Warn about possible risks when extracting untrusted archives. ........ r57769 | thomas.wouters | 2007-08-30 23:01:17 +0200 (Thu, 30 Aug 2007) | 7 lines Somewhat-preliminary slice-object and extended slicing support for ctypes. The exact behaviour of omitted and negative indices for the Pointer type may need a closer look (especially as it's subtly different from simple slices) but there's time yet before 2.6, and not enough before 3.0a1 :-) ........
author: Thomas Wouters <thomas@python.org> 2007-08-30 22:15:33 (GMT)
committer: Thomas Wouters <thomas@python.org> 2007-08-30 22:15:33 (GMT)
commit: 47b49bf6dc5e57578baad3a591117e6da16cf6c8 (patch)
tree: 2dc915b2262343fb830a0bfa7d75917b547ddda6 /Doc/library/ssl.rst
parent: cf1be88b438f0e85f2053e4d444b23732757345b (diff)
download: cpython-47b49bf6dc5e57578baad3a591117e6da16cf6c8.zip
cpython-47b49bf6dc5e57578baad3a591117e6da16cf6c8.tar.gz
cpython-47b49bf6dc5e57578baad3a591117e6da16cf6c8.tar.bz2
1 files changed, 133 insertions, 64 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 8ac7e26..8441eff 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1,12 +1,16 @@
 
-:mod:`ssl` --- SSL wrapper for socket objects, and utility functions
+:mod:`ssl` --- SSL wrapper for socket objects
 ====================================================================
 
 .. module:: ssl
-   :synopsis: SSL wrapper for socket objects, and utility functions
+   :synopsis: SSL wrapper for socket objects
+
+.. moduleauthor:: Bill Janssen <bill.janssen@gmail.com>
 
 .. versionadded:: 2.6
 
+.. sectionauthor::  Bill Janssen <bill.janssen@gmail.com>
+
 
 This module provides access to Transport Layer Security (often known
 as "Secure Sockets Layer") encryption and peer authentication
@@ -20,10 +24,9 @@ platforms, as long as OpenSSL is installed on that platform.
    Some behavior may be platform dependent, since calls are made to the operating
    system socket APIs.
 
-This section documents the objects and functions in the `ssl` module;
+This section documents the objects and functions in the ``ssl`` module;
 for more general information about TLS, SSL, and certificates, the
-reader is referred to the paper, *Introducing SSL and Certificates using OpenSSL*, by Frederick J. Hirsch, at
-http://old.pseudonym.org/ssl/wwwj-index.html.
+reader is referred to the documents in the :ref:`ssl-references` section.
 
 This module defines a class, :class:`ssl.sslsocket`, which is
 derived from the :class:`socket.socket` type, and supports additional
@@ -57,25 +60,25 @@ This module defines the following functions, exceptions, and constants:
 
 .. data:: CERT_NONE
 
-   Value to pass to the `cert_reqs` parameter to :func:`sslobject`
+   Value to pass to the ``cert_reqs`` parameter to :func:`sslobject`
    when no certificates will be required or validated from the other
    side of the socket connection.
 
 .. data:: CERT_OPTIONAL
 
-   Value to pass to the `cert_reqs` parameter to :func:`sslobject`
+   Value to pass to the ``cert_reqs`` parameter to :func:`sslobject`
    when no certificates will be required from the other side of the
    socket connection, but if they are provided, will be validated.
    Note that use of this setting requires a valid certificate
-   validation file also be passed as a value of the `ca_certs`
+   validation file also be passed as a value of the ``ca_certs``
    parameter.
 
 .. data:: CERT_REQUIRED
 
-   Value to pass to the `cert_reqs` parameter to :func:`sslobject`
+   Value to pass to the ``cert_reqs`` parameter to :func:`sslobject`
    when certificates will be required from the other side of the
    socket connection.  Note that use of this setting requires a valid certificate
-   validation file also be passed as a value of the `ca_certs`
+   validation file also be passed as a value of the ``ca_certs``
    parameter.
 
 .. data:: PROTOCOL_SSLv2
@@ -99,10 +102,12 @@ This module defines the following functions, exceptions, and constants:
    protection, if both sides can speak it.
 
 
+.. _ssl-certificates:
+
 Certificates
 ------------
 
-Certificates in general are part of a public-key / private-key system.  In this system, each `principal`,
+Certificates in general are part of a public-key / private-key system.  In this system, each *principal*,
 (which may be a machine, or a person, or an organization) is assigned a unique two-part encryption key.
 One part of the key is public, and is called the *public key*; the other part is kept secret, and is called
 the *private key*.  The two parts are related, in that if you encrypt a message with one of the parts, you can
@@ -120,17 +125,54 @@ the certificate.  The certificate also contains information about the
 time period over which it is valid.  This is expressed as two fields,
 called "notBefore" and "notAfter".
 
-The underlying system which is used in the Python SSL support is
-called "OpenSSL".  It contains facilities for constructing and
-validating certificates.  In the Python use of certificates, the other
-side of a network connection can be required to produce a certificate,
-and that certificate can be validated against a file filled with
-self-signed *root* certificates (so-called because the issuer is the
-same as the subject), and and "CA" (certification authority)
-certificates assured by those root certificates (and by other CA
-certificates).  Either side of a connection, client or server, can
-request certificates and validation, and the connection can be optionally
-set up to fail if a valid certificate is not presented by the other side.
+In the Python use of certificates, a client or server
+can use a certificate to prove who they are.  The other
+side of a network connection can also be required to produce a certificate,
+and that certificate can be validated to the satisfaction
+of the client or server that requires such validation.
+The connection can be set to fail automatically if such
+validation is not achieved.
+
+Python uses files to contain certificates.  They should be formatted
+as "PEM" (see :rfc:`1422`), which is a base-64 encoded form wrapped
+with a header line and a footer line::
+
+      -----BEGIN CERTIFICATE-----
+      ... (certificate in base64 PEM encoding) ...
+      -----END CERTIFICATE-----
+
+The Python files which contain certificates can contain a sequence
+of certificates, sometimes called a *certificate chain*.  This chain
+should start with the specific certificate for the principal who "is"
+the client or server, and then the certificate for the issuer of that
+certificate, and then the certificate for the issuer of *that* certificate,
+and so on up the chain till you get to a certificate which is *self-signed*,
+that is, a certificate which has the same subject and issuer, 
+sometimes called a *root certificate*.  The certificates should just
+be concatenated together in the certificate file.  For example, suppose
+we had a three certificate chain, from our server certificate to the
+certificate of the certification authority that signed our server certificate,
+to the root certificate of the agency which issued the certification authority's
+certificate::
+
+      -----BEGIN CERTIFICATE-----
+      ... (certificate for your server)...
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      ... (the certificate for the CA)...
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      ... (the root certificate for the CA's issuer)...
+      -----END CERTIFICATE-----
+
+If you are going to require validation of the other side of the connection's
+certificate, you need to provide a "CA certs" file, filled with the certificate
+chains for each issuer you are willing to trust.  Again, this file just
+contains these chains concatenated together.  For validation, Python will
+use the first chain it finds in the file which matches.
+Some "standard" root certificates are available at
+http://www.thawte.com/roots/  (for Thawte roots) and
+http://www.verisign.com/support/roots.html  (for Verisign roots).
 
 
 sslsocket Objects
@@ -138,76 +180,67 @@ sslsocket Objects
 
 .. class:: sslsocket(sock [, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version=PROTOCOL_SSLv23, ca_certs=None])
 
-   Takes an instance *sock* of :class:`socket.socket`, and returns an instance of a subtype
+   Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance of a subtype
    of :class:`socket.socket` which wraps the underlying socket in an SSL context.
    For client-side sockets, the context construction is lazy; if the underlying socket isn't
    connected yet, the context construction will be performed after :meth:`connect` is called
    on the socket.
 
-   The `keyfile` and `certfile` parameters specify optional files which contain a certificate
-   to be used to identify the local side of the connection.  Often the private key is stored
-   in the same file as the certificate; in this case, only the `certfile` parameter need be
+   The ``keyfile`` and ``certfile`` parameters specify optional files which contain a certificate
+   to be used to identify the local side of the connection.  See the above discussion of :ref:`ssl-certificates`
+   for more information on how the certificate is stored in the ``certfile``.
+
+   Often the private key is stored
+   in the same file as the certificate; in this case, only the ``certfile`` parameter need be
    passed.  If the private key is stored in a separate file, both parameters must be used.
+   If the private key is stored in the ``certfile``, it should come before the first certificate
+   in the certificate chain::
 
-   The parameter `server_side` is a boolean which identifies whether server-side or client-side
+      -----BEGIN RSA PRIVATE KEY-----
+      ... (private key in base64 encoding) ...
+      -----END RSA PRIVATE KEY-----
+      -----BEGIN CERTIFICATE-----
+      ... (certificate in base64 PEM encoding) ...
+      -----END CERTIFICATE-----
+
+   The parameter ``server_side`` is a boolean which identifies whether server-side or client-side
    behavior is desired from this socket.
 
-   The parameter `cert_reqs` specifies whether a certificate is
+   The parameter ``cert_reqs`` specifies whether a certificate is
    required from the other side of the connection, and whether it will
    be validated if provided.  It must be one of the three values
    :const:`CERT_NONE` (certificates ignored), :const:`CERT_OPTIONAL` (not required,
    but validated if provided), or :const:`CERT_REQUIRED` (required and
    validated).  If the value of this parameter is not :const:`CERT_NONE`, then
-   the `ca_certs` parameter must point to a file of CA certificates.
+   the ``ca_certs`` parameter must point to a file of CA certificates.
 
-   The parameter `ssl_version` specifies which version of the SSL protocol to use.  Typically,
+   The parameter ``ssl_version`` specifies which version of the SSL protocol to use.  Typically,
    the server specifies this, and a client connecting to it must use the same protocol.  An
    SSL server using :const:`PROTOCOL_SSLv23` can understand a client connecting via SSL2, SSL3, or TLS1,
    but a client using :const:`PROTOCOL_SSLv23` can only connect to an SSL2 server.
 
-   The `ca_certs` file contains a set of concatenated "certification authority" certificates,
+   The ``ca_certs`` file contains a set of concatenated "certification authority" certificates,
    which are used to validate certificates passed from the other end of the connection.
-   This file
-   contains the certificates in PEM format (IETF RFC 1422) where each certificate is
-   encoded in base64 encoding and surrounded with a header and footer::
-
-      -----BEGIN CERTIFICATE-----
-      ... (CA certificate in base64 encoding) ...
-      -----END CERTIFICATE-----
-
-   The various certificates in the file are just concatenated together::
-
-      -----BEGIN CERTIFICATE-----
-      ... (CA certificate in base64 encoding) ...
-      -----END CERTIFICATE-----
-      -----BEGIN CERTIFICATE-----
-      ... (a second CA certificate in base64 encoding) ...
-      -----END CERTIFICATE-----
-      -----BEGIN CERTIFICATE-----
-      ... (a root certificate in base64 encoding) ...
-      -----END CERTIFICATE-----
-
-   Some "standard" root certificates are available at
-   http://www.thawte.com/roots/  (for Thawte roots) and
-   http://www.verisign.com/support/roots.html  (for Verisign roots).
+   See the above discussion of :ref:`ssl-certificates` for more information about how to arrange
+   the certificates in this file.
 
 .. method:: sslsocket.read([nbytes])
 
-   Reads up to `nbytes` bytes from the SSL-encrypted channel and returns them.
+   Reads up to ``nbytes`` bytes from the SSL-encrypted channel and returns them.
 
 .. method:: sslsocket.write(data)
 
-   Writes the `data` to the other side of the connection, using the SSL channel to encrypt.  Returns the number
+   Writes the ``data`` to the other side of the connection, using the SSL channel to encrypt.  Returns the number
    of bytes written.
 
 .. method:: sslsocket.getpeercert()
 
-   If there is no certificate for the peer on the other end of the connection, returns `None`.
-   If a certificate was received from the peer, but not validated, returns an empty `dict` instance.
-   If a certificate was received and validated, returns a `dict` instance with the fields
-   `subject` (the principal for which the certificate was issued), `issuer` (the signer of
-   the certificate), `notBefore` (the time before which the certificate should not be trusted),
-   and `notAfter` (the time after which the certificate should not be trusted) filled in.
+   If there is no certificate for the peer on the other end of the connection, returns ``None``.
+   If a certificate was received from the peer, but not validated, returns an empty ``dict`` instance.
+   If a certificate was received and validated, returns a ``dict`` instance with the fields
+   ``subject`` (the principal for which the certificate was issued), ``issuer`` (the signer of
+   the certificate), ``notBefore`` (the time before which the certificate should not be trusted),
+   and ``notAfter`` (the time after which the certificate should not be trusted) filled in.
 
    The "subject" and "issuer" fields are themselves dictionaries containing the fields given
    in the certificate's data structure for each principal::
@@ -229,12 +262,34 @@ sslsocket Objects
        'version': 2}
 
    This certificate is said to be *self-signed*, because the subject
-   and issuer are the same entity.  The *version* field refers the the X509 version
+   and issuer are the same entity.  The *version* field refers to the X509 version
    that's used for the certificate.
 
+.. method:: sslsocket.ssl_shutdown()
+
+   Closes the SSL context (if any) over the socket, but leaves the socket connection
+   open for further use, if both sides are willing.  This is different from :meth:`socket.socket.shutdown`,
+   which will close the connection, but leave the local socket available for further use.
+
+
 Examples
 --------
 
+Testing for SSL support
+^^^^^^^^^^^^^^^^^^^^^^^
+
+To test for the presence of SSL support in a Python installation, user code should use the following idiom::
+
+   try:
+      import ssl
+   except ImportError:
+      pass
+   else:
+      [ do something that requires SSL support ]
+
+Client-side operation
+^^^^^^^^^^^^^^^^^^^^^
+
 This example connects to an SSL server, prints the server's address and certificate,
 sends some bytes, and reads part of the response::
 
@@ -281,6 +336,9 @@ looked like this::
     'notBefore': 'May  9 00:00:00 2007 GMT',
     'version': 2}
 
+Server-side operation
+^^^^^^^^^^^^^^^^^^^^^
+
 For server operation, typically you'd need to have a server certificate, and private key, each in a file.
 You'd open a socket, bind it to a port, call :meth:`listen` on it, then start waiting for clients
 to connect::
@@ -300,7 +358,7 @@ end, and use :func:`sslsocket` to create a server-side SSL context for it::
                                  keyfile="mykeyfile", ssl_protocol=ssl.PROTOCOL_TLSv1)
       deal_with_client(connstream)
 
-Then you'd read data from the `connstream` and do something with it till you are finished with the client (or the client is finished with you)::
+Then you'd read data from the ``connstream`` and do something with it till you are finished with the client (or the client is finished with you)::
 
    def deal_with_client(connstream):
 
@@ -317,3 +375,14 @@ Then you'd read data from the `connstream` and do something with it till you are
 And go back to listening for new client connections.
 
            
+.. _ssl-references:
+
+References
+----------
+
+Class :class:`socket.socket`
+      Documentation of underlying :mod:`socket` class
+
+`Introducing SSL and Certificates using OpenSSL <http://old.pseudonym.org/ssl/wwwj-index.html>`_, by Frederick J. Hirsch
+
+`Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management`, :rfc:`1422`, by Steve Kent
author	Thomas Wouters <thomas@python.org>	2007-08-30 22:15:33 (GMT)
committer	Thomas Wouters <thomas@python.org>	2007-08-30 22:15:33 (GMT)
commit	47b49bf6dc5e57578baad3a591117e6da16cf6c8 (patch)
tree	2dc915b2262343fb830a0bfa7d75917b547ddda6 /Doc/library/ssl.rst
parent	cf1be88b438f0e85f2053e4d444b23732757345b (diff)
download	cpython-47b49bf6dc5e57578baad3a591117e6da16cf6c8.zip cpython-47b49bf6dc5e57578baad3a591117e6da16cf6c8.tar.gz cpython-47b49bf6dc5e57578baad3a591117e6da16cf6c8.tar.bz2