Back to module index

Go to module by name

ssl

This module provides some more Pythonic support for SSL.

Object types:

  SSLSocket -- subtype of socket.socket which does SSL over the socket

Exceptions:

  SSLError -- exception raised for I/O errors

Functions:

  cert_time_to_seconds -- convert time string used for certificate
                          notBefore and notAfter functions to integer
                          seconds past the Epoch (the time values
                          returned from time.time())

  get_server_certificate (addr, ssl_version, ca_certs, timeout) -- Retrieve the
                          certificate from the server at the specified
                          address and return it as a PEM-encoded string


Integer constants:

SSL_ERROR_ZERO_RETURN
SSL_ERROR_WANT_READ
SSL_ERROR_WANT_WRITE
SSL_ERROR_WANT_X509_LOOKUP
SSL_ERROR_SYSCALL
SSL_ERROR_SSL
SSL_ERROR_WANT_CONNECT

SSL_ERROR_EOF
SSL_ERROR_INVALID_ERROR_CODE

The following group define certificate requirements that one side is
allowing/requiring from the other side:

CERT_NONE - no certificates from the other side are required (or will
            be looked at if provided)
CERT_OPTIONAL - certificates are not required, but if provided will be
                validated, and if validation fails, the connection will
                also fail
CERT_REQUIRED - certificates are required, and will be validated, and
                if validation fails, the connection will also fail

The following constants identify various SSL protocol variants:

PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23
PROTOCOL_TLS
PROTOCOL_TLS_CLIENT
PROTOCOL_TLS_SERVER
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2

The following constants identify various SSL alert message descriptions as per
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6

ALERT_DESCRIPTION_CLOSE_NOTIFY
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE
ALERT_DESCRIPTION_BAD_RECORD_MAC
ALERT_DESCRIPTION_RECORD_OVERFLOW
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE
ALERT_DESCRIPTION_HANDSHAKE_FAILURE
ALERT_DESCRIPTION_BAD_CERTIFICATE
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE
ALERT_DESCRIPTION_CERTIFICATE_REVOKED
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN
ALERT_DESCRIPTION_ILLEGAL_PARAMETER
ALERT_DESCRIPTION_UNKNOWN_CA
ALERT_DESCRIPTION_ACCESS_DENIED
ALERT_DESCRIPTION_DECODE_ERROR
ALERT_DESCRIPTION_DECRYPT_ERROR
ALERT_DESCRIPTION_PROTOCOL_VERSION
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY
ALERT_DESCRIPTION_INTERNAL_ERROR
ALERT_DESCRIPTION_USER_CANCELLED
ALERT_DESCRIPTION_NO_RENEGOTIATION
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE
ALERT_DESCRIPTION_UNRECOGNIZED_NAME
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY

Classes

AlertDescription

An enumeration.
ALERT_DESCRIPTION_ACCESS_DENIED = <AlertDescription.ALERT_DESCRIPTION_ACCESS_DENIED: 49>
ALERT_DESCRIPTION_BAD_CERTIFICATE = <AlertDescription.ALERT_DESCRIPTION_BAD_CERTIFICATE: 42>
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE = <AlertDescription.ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE: 114>
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE = <AlertDescription.ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE: 113>
ALERT_DESCRIPTION_BAD_RECORD_MAC = <AlertDescription.ALERT_DESCRIPTION_BAD_RECORD_MAC: 20>
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_EXPIRED: 45>
ALERT_DESCRIPTION_CERTIFICATE_REVOKED = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_REVOKED: 44>
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN: 46>
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE: 111>
ALERT_DESCRIPTION_CLOSE_NOTIFY = <AlertDescription.ALERT_DESCRIPTION_CLOSE_NOTIFY: 0>
ALERT_DESCRIPTION_DECODE_ERROR = <AlertDescription.ALERT_DESCRIPTION_DECODE_ERROR: 50>
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE = <AlertDescription.ALERT_DESCRIPTION_DECOMPRESSION_FAILURE: 30>
ALERT_DESCRIPTION_DECRYPT_ERROR = <AlertDescription.ALERT_DESCRIPTION_DECRYPT_ERROR: 51>
ALERT_DESCRIPTION_HANDSHAKE_FAILURE = <AlertDescription.ALERT_DESCRIPTION_HANDSHAKE_FAILURE: 40>
ALERT_DESCRIPTION_ILLEGAL_PARAMETER = <AlertDescription.ALERT_DESCRIPTION_ILLEGAL_PARAMETER: 47>
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY = <AlertDescription.ALERT_DESCRIPTION_INSUFFICIENT_SECURITY: 71>
ALERT_DESCRIPTION_INTERNAL_ERROR = <AlertDescription.ALERT_DESCRIPTION_INTERNAL_ERROR: 80>
ALERT_DESCRIPTION_NO_RENEGOTIATION = <AlertDescription.ALERT_DESCRIPTION_NO_RENEGOTIATION: 100>
ALERT_DESCRIPTION_PROTOCOL_VERSION = <AlertDescription.ALERT_DESCRIPTION_PROTOCOL_VERSION: 70>
ALERT_DESCRIPTION_RECORD_OVERFLOW = <AlertDescription.ALERT_DESCRIPTION_RECORD_OVERFLOW: 22>
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE = <AlertDescription.ALERT_DESCRIPTION_UNEXPECTED_MESSAGE: 10>
ALERT_DESCRIPTION_UNKNOWN_CA = <AlertDescription.ALERT_DESCRIPTION_UNKNOWN_CA: 48>
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY = <AlertDescription.ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY: 115>
ALERT_DESCRIPTION_UNRECOGNIZED_NAME = <AlertDescription.ALERT_DESCRIPTION_UNRECOGNIZED_NAME: 112>
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE = <AlertDescription.ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE: 43>
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION = <AlertDescription.ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION: 110>
ALERT_DESCRIPTION_USER_CANCELLED = <AlertDescription.ALERT_DESCRIPTION_USER_CANCELLED: 90>

SSLCertVerificationError

A certificate could not be verified.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

DefaultVerifyPaths

DefaultVerifyPaths(cafile, capath, openssl_cafile_env, openssl_cafile, openssl_capath_env, openssl_capath)
count(self, value, /)

  Return number of occurrences of value.
index(self, value, start=0, stop=9223372036854775807, /)

  Return first index of value.

  Raises ValueError if the value is not present.
cafile = _tuplegetter(0, 'Alias for field number 0')
  Alias for field number 0
capath = _tuplegetter(1, 'Alias for field number 1')
  Alias for field number 1
openssl_cafile = _tuplegetter(3, 'Alias for field number 3')
  Alias for field number 3
openssl_cafile_env = _tuplegetter(2, 'Alias for field number 2')
  Alias for field number 2
openssl_capath = _tuplegetter(5, 'Alias for field number 5')
  Alias for field number 5
openssl_capath_env = _tuplegetter(4, 'Alias for field number 4')
  Alias for field number 4

MemoryBIO

read(self, size=-1, /)

  Read up to size bytes from the memory BIO.

  If size is not specified, read the entire buffer.
  If the return value is an empty bytes instance, this means either
  EOF or that no data is available. Use the "eof" property to
  distinguish between the two.
write(self, b, /)

  Writes the bytes b into the memory BIO.

  Returns the number of bytes written.
write_eof(self, /)

  Write an EOF marker to the memory BIO.

  When all data has been read, the "eof" property will be True.
eof = <attribute 'eof' of '_ssl.MemoryBIO' objects>
  Whether the memory BIO is at EOF.
pending = <attribute 'pending' of '_ssl.MemoryBIO' objects>
  The number of bytes pending in the memory BIO.

Options

An enumeration.
OP_ALL = <Options.OP_ALL: 2147483728>
OP_CIPHER_SERVER_PREFERENCE = <Options.OP_CIPHER_SERVER_PREFERENCE: 4194304>
OP_ENABLE_MIDDLEBOX_COMPAT = <Options.OP_ENABLE_MIDDLEBOX_COMPAT: 1048576>
OP_IGNORE_UNEXPECTED_EOF = <Options.OP_IGNORE_UNEXPECTED_EOF: 128>
OP_NO_COMPRESSION = <Options.OP_NO_COMPRESSION: 131072>
OP_NO_RENEGOTIATION = <Options.OP_NO_RENEGOTIATION: 1073741824>
OP_NO_SSLv2 = <Options.OP_NO_SSLv2: 0>
OP_NO_SSLv3 = <Options.OP_NO_SSLv3: 33554432>
OP_NO_TICKET = <Options.OP_NO_TICKET: 16384>
OP_NO_TLSv1 = <Options.OP_NO_TLSv1: 67108864>
OP_NO_TLSv1_1 = <Options.OP_NO_TLSv1_1: 268435456>
OP_NO_TLSv1_2 = <Options.OP_NO_TLSv1_2: 134217728>
OP_NO_TLSv1_3 = <Options.OP_NO_TLSv1_3: 536870912>

Purpose

SSLContext purpose flags with X509v3 Extended Key Usage objects
    
CLIENT_AUTH = <Purpose.CLIENT_AUTH: _ASN1Object(nid=130, shortname='clientAuth', longname='TLS Web Client Authentication', oid='1.3.6.1.5.5.7.3.2')>
SERVER_AUTH = <Purpose.SERVER_AUTH: _ASN1Object(nid=129, shortname='serverAuth', longname='TLS Web Server Authentication', oid='1.3.6.1.5.5.7.3.1')>
name = <types.DynamicClassAttribute object at 0x7f75e3bec2e0>
  The name of the Enum member.
value = <types.DynamicClassAttribute object at 0x7f75e3bec2b0>
  The value of the Enum member.

SSLCertVerificationError

A certificate could not be verified.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

SSLContext

An SSLContext holds various SSL-related configuration options and
    data, such as certificates and possibly a private key.

wrap_socket.SSLObject

This class implements an interface on top of a low-level SSL object as
    implemented by OpenSSL. This object captures the state of an SSL connection
    but does not provide any network IO itself. IO needs to be performed
    through separate "BIO" objects which are OpenSSL's IO abstraction layer.

    This class does not have a public constructor. Instances are returned by
    ``SSLContext.wrap_bio``. This class is typically used by framework authors
    that want to implement asynchronous IO for SSL through memory buffers.

    When compared to ``SSLSocket``, this object lacks the following features:

     * Any form of network IO, including methods such as ``recv`` and ``send``.
     * The ``do_handshake_on_connect`` and ``suppress_ragged_eofs`` machinery.
    
cipher(self)

  Return the currently selected cipher as a 3-tuple ``(name,
          ssl_version, secret_bits)``.
compression(self)

  Return the current compression algorithm in use, or ``None`` if
          compression was not negotiated or not supported by one of the peers.
do_handshake(self)

  Start the SSL/TLS handshake.
get_channel_binding(self, cb_type='tls-unique')

  Get channel binding data for current connection.  Raise ValueError
          if the requested `cb_type` is not supported.  Return bytes of the data
          or None if the data is not available (e.g. before the handshake).
getpeercert(self, binary_form=False)

  Returns a formatted version of the data in the certificate provided
          by the other end of the SSL channel.

          Return None if no certificate was provided, {} if a certificate was
          provided, but not validated.
        
pending(self)

  Return the number of bytes that can be read immediately.
read(self, len=1024, buffer=None)

  Read up to 'len' bytes from the SSL object and return them.

          If 'buffer' is provided, read into this buffer and return the number of
          bytes read.
        
selected_alpn_protocol(self)

  Return the currently selected ALPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if ALPN is not supported by one
          of the peers.
selected_npn_protocol(self)

  Return the currently selected NPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if NPN is not supported by one
          of the peers.
shared_ciphers(self)

  Return a list of ciphers shared by the client during the handshake or
          None if this is not a valid server connection.
        
unwrap(self)

  Start the SSL shutdown handshake.
verify_client_post_handshake(self)
version(self)

  Return a string identifying the protocol version used by the
          current SSL channel. 
write(self, data)

  Write 'data' to the SSL object and return the number of bytes
          written.

          The 'data' argument must support the buffer interface.
        
context = <property object at 0x7f75e3a901d0>
  The SSLContext that is currently in use.
server_hostname = <property object at 0x7f75e3a90270>
  The currently set server hostname (for SNI), or ``None`` if no
          server hostname is set.
server_side = <property object at 0x7f75e3a90180>
  Whether this is a server-side socket.
session = <property object at 0x7f75e3a90220>
  The SSLSession for client socket.
session_reused = <property object at 0x7f75e3a90090>
  Was the client session reused during handshake

wrap_socket.SSLSocket

This class implements a subtype of socket.socket that wraps
    the underlying OS socket in an SSL context when necessary, and
    provides read and write methods over that channel. 
accept(self)

  Accepts a new connection from a remote client, and returns
          a tuple containing that new connection wrapped with a server-side
          SSL channel, and the address of the remote client.
bind(...)

  bind(address)

  Bind the socket to a local address.  For IP sockets, the address is a
  pair (host, port); the host must refer to the local host. For raw packet
  sockets the address is a tuple (ifname, proto [,pkttype [,hatype [,addr]]])
cipher(self)

  Return the currently selected cipher as a 3-tuple ``(name,
          ssl_version, secret_bits)``.
close(self)
compression(self)

  Return the current compression algorithm in use, or ``None`` if
          compression was not negotiated or not supported by one of the peers.
connect(self, addr)

  Connects to remote ADDR, and then wraps the connection in
          an SSL channel.
connect_ex(self, addr)

  Connects to remote ADDR, and then wraps the connection in
          an SSL channel.
detach(self)

  detach() -> file descriptor

          Close the socket object without closing the underlying file descriptor.
          The object cannot be used after this call, but the file descriptor
          can be reused for other purposes.  The file descriptor is returned.
        
do_handshake(self, block=False)

  Start the SSL/TLS handshake.
dup(self)
fileno(...)

  fileno() -> integer

  Return the integer file descriptor of the socket.
get_channel_binding(self, cb_type='tls-unique')

  Get channel binding data for current connection.  Raise ValueError
          if the requested `cb_type` is not supported.  Return bytes of the data
          or None if the data is not available (e.g. before the handshake).
get_inheritable(self)

  Get the inheritable flag of the socket
getblocking(...)

  getblocking()

  Returns True if socket is in blocking mode, or False if it
  is in non-blocking mode.
getpeercert(self, binary_form=False)

  Returns a formatted version of the data in the certificate provided
          by the other end of the SSL channel.

          Return None if no certificate was provided, {} if a certificate was
          provided, but not validated.
        
getpeername(...)

  getpeername() -> address info

  Return the address of the remote endpoint.  For IP sockets, the address
  info is a pair (hostaddr, port).
getsockname(...)

  getsockname() -> address info

  Return the address of the local endpoint. The format depends on the
  address family. For IPv4 sockets, the address info is a pair
  (hostaddr, port).
getsockopt(...)

  getsockopt(level, option[, buffersize]) -> value

  Get a socket option.  See the Unix manual for level and option.
  If a nonzero buffersize argument is given, the return value is a
  string of that length; otherwise it is an integer.
gettimeout(...)

  gettimeout() -> timeout

  Returns the timeout in seconds (float) associated with socket
  operations. A timeout of None indicates that timeouts on socket
  operations are disabled.
listen(...)

  listen([backlog])

  Enable a server to accept connections.  If backlog is specified, it must be
  at least 0 (if it is lower, it is set to 0); it specifies the number of
  unaccepted connections that the system will allow before refusing new
  connections. If not specified, a default reasonable value is chosen.
makefile(self, mode='r', buffering=None, *, encoding=None, errors=None, newline=None)

  makefile(...) -> an I/O stream connected to the socket

          The arguments are as for io.open() after the filename, except the only
          supported mode values are 'r' (default), 'w' and 'b'.
        
pending(self)

  Return the number of bytes that can be read immediately.
read(self, len=1024, buffer=None)

  Read up to LEN bytes and return them.
          Return zero-length string on EOF.
recv(self, buflen=1024, flags=0)
recv_into(self, buffer, nbytes=None, flags=0)
recvfrom(self, buflen=1024, flags=0)
recvfrom_into(self, buffer, nbytes=None, flags=0)
recvmsg(self, *args, **kwargs)
recvmsg_into(self, *args, **kwargs)
selected_alpn_protocol(self)

  Return the currently selected ALPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if ALPN is not supported by one
          of the peers.
selected_npn_protocol(self)

  Return the currently selected NPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if NPN is not supported by one
          of the peers.
send(self, data, flags=0)
sendall(self, data, flags=0)
sendfile(self, file, offset=0, count=None)

  Send a file, possibly by using os.sendfile() if this is a
          clear-text socket.  Return the total number of bytes sent.
        
sendmsg(self, *args, **kwargs)
sendmsg_afalg(...)

  sendmsg_afalg([msg], *, op[, iv[, assoclen[, flags=MSG_MORE]]])

  Set operation mode, IV and length of associated data for an AF_ALG
  operation socket.
sendto(self, data, flags_or_addr, addr=None)
set_inheritable(self, inheritable)

  Set the inheritable flag of the socket
setblocking(...)

  setblocking(flag)

  Set the socket to blocking (flag is true) or non-blocking (false).
  setblocking(True) is equivalent to settimeout(None);
  setblocking(False) is equivalent to settimeout(0.0).
setsockopt(...)

  setsockopt(level, option, value: int)
  setsockopt(level, option, value: buffer)
  setsockopt(level, option, None, optlen: int)

  Set a socket option.  See the Unix manual for level and option.
  The value argument can either be an integer, a string buffer, or
  None, optlen.
settimeout(...)

  settimeout(timeout)

  Set a timeout on socket operations.  'timeout' can be a float,
  giving in seconds, or None.  Setting a timeout of None disables
  the timeout feature and is equivalent to setblocking(1).
  Setting a timeout of zero is the same as setblocking(0).
shared_ciphers(self)

  Return a list of ciphers shared by the client during the handshake or
          None if this is not a valid server connection.
        
shutdown(self, how)
unwrap(self)

  Start the SSL shutdown handshake.
verify_client_post_handshake(self)
version(self)

  Return a string identifying the protocol version used by the
          current SSL channel. 
write(self, data)

  Write DATA to the underlying SSL channel.  Returns
          number of bytes of DATA actually transmitted.
context = <property object at 0x7f75e3a903b0>
  The SSLContext that is currently in use.
family = <property object at 0x7f75e3b37420>
  Read-only access to the address family for this socket.
        
proto = <member 'proto' of '_socket.socket' objects>
  the socket protocol
session = <property object at 0x7f75e3a90400>
  The SSLSession for client socket.
session_reused = <property object at 0x7f75e3a90310>
  Was the client session reused during handshake
timeout = <attribute 'timeout' of '_socket.socket' objects>
  the socket timeout
type = <property object at 0x7f75e3a66e80>
  Read-only access to the socket type.
        
cert_store_stats(self, /)

  Returns quantities of loaded X.509 certificates.

  X.509 certificates with a CA extension and certificate revocation lists
  inside the context's cert store.

  NOTE: Certificates in a capath directory aren't loaded unless they have
  been used at least once.
get_ca_certs(self, /, binary_form=False)

  Returns a list of dicts with information of loaded CA certs.

  If the optional argument is True, returns a DER-encoded copy of the CA
  certificate.

  NOTE: Certificates in a capath directory aren't loaded unless they have
  been used at least once.
get_ciphers(self, /)
load_cert_chain(self, /, certfile, keyfile=None, password=None)
load_default_certs(self, purpose=<Purpose.SERVER_AUTH: _ASN1Object(nid=129, shortname='serverAuth', longname='TLS Web Server Authentication', oid='1.3.6.1.5.5.7.3.1')>)
load_dh_params(self, path, /)
load_verify_locations(self, /, cafile=None, capath=None, cadata=None)
session_stats(self, /)
set_alpn_protocols(self, alpn_protocols)
set_ciphers(self, cipherlist, /)
set_default_verify_paths(self, /)
set_ecdh_curve(self, name, /)
set_npn_protocols(self, npn_protocols)
set_servername_callback(self, server_name_callback)
wrap_bio(self, incoming, outgoing, server_side=False, server_hostname=None, session=None)
wrap_socket(self, sock, server_side=False, do_handshake_on_connect=True, suppress_ragged_eofs=True, server_hostname=None, session=None)
check_hostname = <attribute 'check_hostname' of '_ssl._SSLContext' objects>
hostname_checks_common_name = <property object at 0x7f75e3a73fb0>
keylog_filename = <attribute 'keylog_filename' of '_ssl._SSLContext' objects>
maximum_version = <property object at 0x7f75e3a73f10>
minimum_version = <property object at 0x7f75e3a73ec0>
num_tickets = <attribute 'num_tickets' of '_ssl._SSLContext' objects>
  Control the number of TLSv1.3 session tickets
options = <property object at 0x7f75e3a73f60>
post_handshake_auth = <attribute 'post_handshake_auth' of '_ssl._SSLContext' objects>
protocol = <property object at 0x7f75e3a73a60>
security_level = <attribute 'security_level' of '_ssl._SSLContext' objects>
  The current security level
sni_callback = <attribute 'sni_callback' of '_ssl._SSLContext' objects>
  Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI extension.

  If the argument is None then the callback is disabled. The method is called
  with the SSLSocket, the server name as a string, and the SSLContext object.
  See RFC 6066 for details of the SNI extension.
verify_flags = <property object at 0x7f75e3a900e0>
verify_mode = <property object at 0x7f75e3a90130>

SSLEOFError

SSL/TLS connection terminated abruptly.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

SSLError

An error occurred in the SSL implementation.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

SSLErrorNumber

An enumeration.
SSL_ERROR_EOF = <SSLErrorNumber.SSL_ERROR_EOF: 8>
SSL_ERROR_INVALID_ERROR_CODE = <SSLErrorNumber.SSL_ERROR_INVALID_ERROR_CODE: 10>
SSL_ERROR_SSL = <SSLErrorNumber.SSL_ERROR_SSL: 1>
SSL_ERROR_SYSCALL = <SSLErrorNumber.SSL_ERROR_SYSCALL: 5>
SSL_ERROR_WANT_CONNECT = <SSLErrorNumber.SSL_ERROR_WANT_CONNECT: 7>
SSL_ERROR_WANT_READ = <SSLErrorNumber.SSL_ERROR_WANT_READ: 2>
SSL_ERROR_WANT_WRITE = <SSLErrorNumber.SSL_ERROR_WANT_WRITE: 3>
SSL_ERROR_WANT_X509_LOOKUP = <SSLErrorNumber.SSL_ERROR_WANT_X509_LOOKUP: 4>
SSL_ERROR_ZERO_RETURN = <SSLErrorNumber.SSL_ERROR_ZERO_RETURN: 6>

SSLObject

This class implements an interface on top of a low-level SSL object as
    implemented by OpenSSL. This object captures the state of an SSL connection
    but does not provide any network IO itself. IO needs to be performed
    through separate "BIO" objects which are OpenSSL's IO abstraction layer.

    This class does not have a public constructor. Instances are returned by
    ``SSLContext.wrap_bio``. This class is typically used by framework authors
    that want to implement asynchronous IO for SSL through memory buffers.

    When compared to ``SSLSocket``, this object lacks the following features:

     * Any form of network IO, including methods such as ``recv`` and ``send``.
     * The ``do_handshake_on_connect`` and ``suppress_ragged_eofs`` machinery.
    
cipher(self)

  Return the currently selected cipher as a 3-tuple ``(name,
          ssl_version, secret_bits)``.
compression(self)

  Return the current compression algorithm in use, or ``None`` if
          compression was not negotiated or not supported by one of the peers.
do_handshake(self)

  Start the SSL/TLS handshake.
get_channel_binding(self, cb_type='tls-unique')

  Get channel binding data for current connection.  Raise ValueError
          if the requested `cb_type` is not supported.  Return bytes of the data
          or None if the data is not available (e.g. before the handshake).
getpeercert(self, binary_form=False)

  Returns a formatted version of the data in the certificate provided
          by the other end of the SSL channel.

          Return None if no certificate was provided, {} if a certificate was
          provided, but not validated.
        
pending(self)

  Return the number of bytes that can be read immediately.
read(self, len=1024, buffer=None)

  Read up to 'len' bytes from the SSL object and return them.

          If 'buffer' is provided, read into this buffer and return the number of
          bytes read.
        
selected_alpn_protocol(self)

  Return the currently selected ALPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if ALPN is not supported by one
          of the peers.
selected_npn_protocol(self)

  Return the currently selected NPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if NPN is not supported by one
          of the peers.
shared_ciphers(self)

  Return a list of ciphers shared by the client during the handshake or
          None if this is not a valid server connection.
        
unwrap(self)

  Start the SSL shutdown handshake.
verify_client_post_handshake(self)
version(self)

  Return a string identifying the protocol version used by the
          current SSL channel. 
write(self, data)

  Write 'data' to the SSL object and return the number of bytes
          written.

          The 'data' argument must support the buffer interface.
        
context = <property object at 0x7f75e3a901d0>
  The SSLContext that is currently in use.
server_hostname = <property object at 0x7f75e3a90270>
  The currently set server hostname (for SNI), or ``None`` if no
          server hostname is set.
server_side = <property object at 0x7f75e3a90180>
  Whether this is a server-side socket.
session = <property object at 0x7f75e3a90220>
  The SSLSession for client socket.
session_reused = <property object at 0x7f75e3a90090>
  Was the client session reused during handshake

SSLSession

has_ticket = <attribute 'has_ticket' of '_ssl.SSLSession' objects>
  Does the session contain a ticket?
id = <attribute 'id' of '_ssl.SSLSession' objects>
  Session id
ticket_lifetime_hint = <attribute 'ticket_lifetime_hint' of '_ssl.SSLSession' objects>
  Ticket life time hint.
time = <attribute 'time' of '_ssl.SSLSession' objects>
  Session creation time (seconds since epoch).
timeout = <attribute 'timeout' of '_ssl.SSLSession' objects>
  Session timeout (delta in seconds).

SSLSocket

This class implements a subtype of socket.socket that wraps
    the underlying OS socket in an SSL context when necessary, and
    provides read and write methods over that channel. 
accept(self)

  Accepts a new connection from a remote client, and returns
          a tuple containing that new connection wrapped with a server-side
          SSL channel, and the address of the remote client.
bind(...)

  bind(address)

  Bind the socket to a local address.  For IP sockets, the address is a
  pair (host, port); the host must refer to the local host. For raw packet
  sockets the address is a tuple (ifname, proto [,pkttype [,hatype [,addr]]])
cipher(self)

  Return the currently selected cipher as a 3-tuple ``(name,
          ssl_version, secret_bits)``.
close(self)
compression(self)

  Return the current compression algorithm in use, or ``None`` if
          compression was not negotiated or not supported by one of the peers.
connect(self, addr)

  Connects to remote ADDR, and then wraps the connection in
          an SSL channel.
connect_ex(self, addr)

  Connects to remote ADDR, and then wraps the connection in
          an SSL channel.
detach(self)

  detach() -> file descriptor

          Close the socket object without closing the underlying file descriptor.
          The object cannot be used after this call, but the file descriptor
          can be reused for other purposes.  The file descriptor is returned.
        
do_handshake(self, block=False)

  Start the SSL/TLS handshake.
dup(self)
fileno(...)

  fileno() -> integer

  Return the integer file descriptor of the socket.
get_channel_binding(self, cb_type='tls-unique')

  Get channel binding data for current connection.  Raise ValueError
          if the requested `cb_type` is not supported.  Return bytes of the data
          or None if the data is not available (e.g. before the handshake).
get_inheritable(self)

  Get the inheritable flag of the socket
getblocking(...)

  getblocking()

  Returns True if socket is in blocking mode, or False if it
  is in non-blocking mode.
getpeercert(self, binary_form=False)

  Returns a formatted version of the data in the certificate provided
          by the other end of the SSL channel.

          Return None if no certificate was provided, {} if a certificate was
          provided, but not validated.
        
getpeername(...)

  getpeername() -> address info

  Return the address of the remote endpoint.  For IP sockets, the address
  info is a pair (hostaddr, port).
getsockname(...)

  getsockname() -> address info

  Return the address of the local endpoint. The format depends on the
  address family. For IPv4 sockets, the address info is a pair
  (hostaddr, port).
getsockopt(...)

  getsockopt(level, option[, buffersize]) -> value

  Get a socket option.  See the Unix manual for level and option.
  If a nonzero buffersize argument is given, the return value is a
  string of that length; otherwise it is an integer.
gettimeout(...)

  gettimeout() -> timeout

  Returns the timeout in seconds (float) associated with socket
  operations. A timeout of None indicates that timeouts on socket
  operations are disabled.
listen(...)

  listen([backlog])

  Enable a server to accept connections.  If backlog is specified, it must be
  at least 0 (if it is lower, it is set to 0); it specifies the number of
  unaccepted connections that the system will allow before refusing new
  connections. If not specified, a default reasonable value is chosen.
makefile(self, mode='r', buffering=None, *, encoding=None, errors=None, newline=None)

  makefile(...) -> an I/O stream connected to the socket

          The arguments are as for io.open() after the filename, except the only
          supported mode values are 'r' (default), 'w' and 'b'.
        
pending(self)

  Return the number of bytes that can be read immediately.
read(self, len=1024, buffer=None)

  Read up to LEN bytes and return them.
          Return zero-length string on EOF.
recv(self, buflen=1024, flags=0)
recv_into(self, buffer, nbytes=None, flags=0)
recvfrom(self, buflen=1024, flags=0)
recvfrom_into(self, buffer, nbytes=None, flags=0)
recvmsg(self, *args, **kwargs)
recvmsg_into(self, *args, **kwargs)
selected_alpn_protocol(self)

  Return the currently selected ALPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if ALPN is not supported by one
          of the peers.
selected_npn_protocol(self)

  Return the currently selected NPN protocol as a string, or ``None``
          if a next protocol was not negotiated or if NPN is not supported by one
          of the peers.
send(self, data, flags=0)
sendall(self, data, flags=0)
sendfile(self, file, offset=0, count=None)

  Send a file, possibly by using os.sendfile() if this is a
          clear-text socket.  Return the total number of bytes sent.
        
sendmsg(self, *args, **kwargs)
sendmsg_afalg(...)

  sendmsg_afalg([msg], *, op[, iv[, assoclen[, flags=MSG_MORE]]])

  Set operation mode, IV and length of associated data for an AF_ALG
  operation socket.
sendto(self, data, flags_or_addr, addr=None)
set_inheritable(self, inheritable)

  Set the inheritable flag of the socket
setblocking(...)

  setblocking(flag)

  Set the socket to blocking (flag is true) or non-blocking (false).
  setblocking(True) is equivalent to settimeout(None);
  setblocking(False) is equivalent to settimeout(0.0).
setsockopt(...)

  setsockopt(level, option, value: int)
  setsockopt(level, option, value: buffer)
  setsockopt(level, option, None, optlen: int)

  Set a socket option.  See the Unix manual for level and option.
  The value argument can either be an integer, a string buffer, or
  None, optlen.
settimeout(...)

  settimeout(timeout)

  Set a timeout on socket operations.  'timeout' can be a float,
  giving in seconds, or None.  Setting a timeout of None disables
  the timeout feature and is equivalent to setblocking(1).
  Setting a timeout of zero is the same as setblocking(0).
shared_ciphers(self)

  Return a list of ciphers shared by the client during the handshake or
          None if this is not a valid server connection.
        
shutdown(self, how)
unwrap(self)

  Start the SSL shutdown handshake.
verify_client_post_handshake(self)
version(self)

  Return a string identifying the protocol version used by the
          current SSL channel. 
write(self, data)

  Write DATA to the underlying SSL channel.  Returns
          number of bytes of DATA actually transmitted.
context = <property object at 0x7f75e3a903b0>
  The SSLContext that is currently in use.
family = <property object at 0x7f75e3b37420>
  Read-only access to the address family for this socket.
        
proto = <member 'proto' of '_socket.socket' objects>
  the socket protocol
session = <property object at 0x7f75e3a90400>
  The SSLSession for client socket.
session_reused = <property object at 0x7f75e3a90310>
  Was the client session reused during handshake
timeout = <attribute 'timeout' of '_socket.socket' objects>
  the socket timeout
type = <property object at 0x7f75e3a66e80>
  Read-only access to the socket type.
        

SSLSyscallError

System error when attempting SSL operation.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

SSLWantReadError

Non-blocking SSL socket needs to read more data
before the requested operation can be completed.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

SSLWantWriteError

Non-blocking SSL socket needs to write more data
before the requested operation can be completed.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

SSLZeroReturnError

SSL/TLS session closed cleanly.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

TLSVersion

An enumeration.
MAXIMUM_SUPPORTED = <TLSVersion.MAXIMUM_SUPPORTED: -1>
MINIMUM_SUPPORTED = <TLSVersion.MINIMUM_SUPPORTED: -2>
SSLv3 = <TLSVersion.SSLv3: 768>
TLSv1 = <TLSVersion.TLSv1: 769>
TLSv1_1 = <TLSVersion.TLSv1_1: 770>
TLSv1_2 = <TLSVersion.TLSv1_2: 771>
TLSv1_3 = <TLSVersion.TLSv1_3: 772>

VerifyFlags

An enumeration.
VERIFY_ALLOW_PROXY_CERTS = <VerifyFlags.VERIFY_ALLOW_PROXY_CERTS: 64>
VERIFY_CRL_CHECK_CHAIN = <VerifyFlags.VERIFY_CRL_CHECK_CHAIN: 12>
VERIFY_CRL_CHECK_LEAF = <VerifyFlags.VERIFY_CRL_CHECK_LEAF: 4>
VERIFY_DEFAULT = <VerifyFlags.VERIFY_DEFAULT: 0>
VERIFY_X509_PARTIAL_CHAIN = <VerifyFlags.VERIFY_X509_PARTIAL_CHAIN: 524288>
VERIFY_X509_STRICT = <VerifyFlags.VERIFY_X509_STRICT: 32>
VERIFY_X509_TRUSTED_FIRST = <VerifyFlags.VERIFY_X509_TRUSTED_FIRST: 32768>

VerifyMode

An enumeration.
CERT_NONE = <VerifyMode.CERT_NONE: 0>
CERT_OPTIONAL = <VerifyMode.CERT_OPTIONAL: 1>
CERT_REQUIRED = <VerifyMode.CERT_REQUIRED: 2>

socket

A subclass of _socket.socket adding the makefile() method.
accept(self)

  accept() -> (socket object, address info)

          Wait for an incoming connection.  Return a new socket
          representing the connection, and the address of the client.
          For IP sockets, the address info is a pair (hostaddr, port).
        
bind(...)

  bind(address)

  Bind the socket to a local address.  For IP sockets, the address is a
  pair (host, port); the host must refer to the local host. For raw packet
  sockets the address is a tuple (ifname, proto [,pkttype [,hatype [,addr]]])
close(self)
connect(...)

  connect(address)

  Connect the socket to a remote address.  For IP sockets, the address
  is a pair (host, port).
connect_ex(...)

  connect_ex(address) -> errno

  This is like connect(address), but returns an error code (the errno value)
  instead of raising an exception when an error occurs.
detach(self)

  detach() -> file descriptor

          Close the socket object without closing the underlying file descriptor.
          The object cannot be used after this call, but the file descriptor
          can be reused for other purposes.  The file descriptor is returned.
        
dup(self)

  dup() -> socket object

          Duplicate the socket. Return a new socket object connected to the same
          system resource. The new socket is non-inheritable.
        
fileno(...)

  fileno() -> integer

  Return the integer file descriptor of the socket.
get_inheritable(self)

  Get the inheritable flag of the socket
getblocking(...)

  getblocking()

  Returns True if socket is in blocking mode, or False if it
  is in non-blocking mode.
getpeername(...)

  getpeername() -> address info

  Return the address of the remote endpoint.  For IP sockets, the address
  info is a pair (hostaddr, port).
getsockname(...)

  getsockname() -> address info

  Return the address of the local endpoint. The format depends on the
  address family. For IPv4 sockets, the address info is a pair
  (hostaddr, port).
getsockopt(...)

  getsockopt(level, option[, buffersize]) -> value

  Get a socket option.  See the Unix manual for level and option.
  If a nonzero buffersize argument is given, the return value is a
  string of that length; otherwise it is an integer.
gettimeout(...)

  gettimeout() -> timeout

  Returns the timeout in seconds (float) associated with socket
  operations. A timeout of None indicates that timeouts on socket
  operations are disabled.
listen(...)

  listen([backlog])

  Enable a server to accept connections.  If backlog is specified, it must be
  at least 0 (if it is lower, it is set to 0); it specifies the number of
  unaccepted connections that the system will allow before refusing new
  connections. If not specified, a default reasonable value is chosen.
makefile(self, mode='r', buffering=None, *, encoding=None, errors=None, newline=None)

  makefile(...) -> an I/O stream connected to the socket

          The arguments are as for io.open() after the filename, except the only
          supported mode values are 'r' (default), 'w' and 'b'.
        
recv(...)

  recv(buffersize[, flags]) -> data

  Receive up to buffersize bytes from the socket.  For the optional flags
  argument, see the Unix manual.  When no data is available, block until
  at least one byte is available or until the remote end is closed.  When
  the remote end is closed and all data is read, return the empty string.
recv_into(...)

  recv_into(buffer, [nbytes[, flags]]) -> nbytes_read

  A version of recv() that stores its data into a buffer rather than creating
  a new string.  Receive up to buffersize bytes from the socket.  If buffersize
  is not specified (or 0), receive up to the size available in the given buffer.

  See recv() for documentation about the flags.
recvfrom(...)

  recvfrom(buffersize[, flags]) -> (data, address info)

  Like recv(buffersize, flags) but also return the sender's address info.
recvfrom_into(...)

  recvfrom_into(buffer[, nbytes[, flags]]) -> (nbytes, address info)

  Like recv_into(buffer[, nbytes[, flags]]) but also return the sender's address info.
recvmsg(...)

  recvmsg(bufsize[, ancbufsize[, flags]]) -> (data, ancdata, msg_flags, address)

  Receive normal data (up to bufsize bytes) and ancillary data from the
  socket.  The ancbufsize argument sets the size in bytes of the
  internal buffer used to receive the ancillary data; it defaults to 0,
  meaning that no ancillary data will be received.  Appropriate buffer
  sizes for ancillary data can be calculated using CMSG_SPACE() or
  CMSG_LEN(), and items which do not fit into the buffer might be
  truncated or discarded.  The flags argument defaults to 0 and has the
  same meaning as for recv().

  The return value is a 4-tuple: (data, ancdata, msg_flags, address).
  The data item is a bytes object holding the non-ancillary data
  received.  The ancdata item is a list of zero or more tuples
  (cmsg_level, cmsg_type, cmsg_data) representing the ancillary data
  (control messages) received: cmsg_level and cmsg_type are integers
  specifying the protocol level and protocol-specific type respectively,
  and cmsg_data is a bytes object holding the associated data.  The
  msg_flags item is the bitwise OR of various flags indicating
  conditions on the received message; see your system documentation for
  details.  If the receiving socket is unconnected, address is the
  address of the sending socket, if available; otherwise, its value is
  unspecified.

  If recvmsg() raises an exception after the system call returns, it
  will first attempt to close any file descriptors received via the
  SCM_RIGHTS mechanism.
recvmsg_into(...)

  recvmsg_into(buffers[, ancbufsize[, flags]]) -> (nbytes, ancdata, msg_flags, address)

  Receive normal data and ancillary data from the socket, scattering the
  non-ancillary data into a series of buffers.  The buffers argument
  must be an iterable of objects that export writable buffers
  (e.g. bytearray objects); these will be filled with successive chunks
  of the non-ancillary data until it has all been written or there are
  no more buffers.  The ancbufsize argument sets the size in bytes of
  the internal buffer used to receive the ancillary data; it defaults to
  0, meaning that no ancillary data will be received.  Appropriate
  buffer sizes for ancillary data can be calculated using CMSG_SPACE()
  or CMSG_LEN(), and items which do not fit into the buffer might be
  truncated or discarded.  The flags argument defaults to 0 and has the
  same meaning as for recv().

  The return value is a 4-tuple: (nbytes, ancdata, msg_flags, address).
  The nbytes item is the total number of bytes of non-ancillary data
  written into the buffers.  The ancdata item is a list of zero or more
  tuples (cmsg_level, cmsg_type, cmsg_data) representing the ancillary
  data (control messages) received: cmsg_level and cmsg_type are
  integers specifying the protocol level and protocol-specific type
  respectively, and cmsg_data is a bytes object holding the associated
  data.  The msg_flags item is the bitwise OR of various flags
  indicating conditions on the received message; see your system
  documentation for details.  If the receiving socket is unconnected,
  address is the address of the sending socket, if available; otherwise,
  its value is unspecified.

  If recvmsg_into() raises an exception after the system call returns,
  it will first attempt to close any file descriptors received via the
  SCM_RIGHTS mechanism.
send(...)

  send(data[, flags]) -> count

  Send a data string to the socket.  For the optional flags
  argument, see the Unix manual.  Return the number of bytes
  sent; this may be less than len(data) if the network is busy.
sendall(...)

  sendall(data[, flags])

  Send a data string to the socket.  For the optional flags
  argument, see the Unix manual.  This calls send() repeatedly
  until all data is sent.  If an error occurs, it's impossible
  to tell how much data has been sent.
sendfile(self, file, offset=0, count=None)

  sendfile(file[, offset[, count]]) -> sent

          Send a file until EOF is reached by using high-performance
          os.sendfile() and return the total number of bytes which
          were sent.
          *file* must be a regular file object opened in binary mode.
          If os.sendfile() is not available (e.g. Windows) or file is
          not a regular file socket.send() will be used instead.
          *offset* tells from where to start reading the file.
          If specified, *count* is the total number of bytes to transmit
          as opposed to sending the file until EOF is reached.
          File position is updated on return or also in case of error in
          which case file.tell() can be used to figure out the number of
          bytes which were sent.
          The socket must be of SOCK_STREAM type.
          Non-blocking sockets are not supported.
        
sendmsg(...)

  sendmsg(buffers[, ancdata[, flags[, address]]]) -> count

  Send normal and ancillary data to the socket, gathering the
  non-ancillary data from a series of buffers and concatenating it into
  a single message.  The buffers argument specifies the non-ancillary
  data as an iterable of bytes-like objects (e.g. bytes objects).
  The ancdata argument specifies the ancillary data (control messages)
  as an iterable of zero or more tuples (cmsg_level, cmsg_type,
  cmsg_data), where cmsg_level and cmsg_type are integers specifying the
  protocol level and protocol-specific type respectively, and cmsg_data
  is a bytes-like object holding the associated data.  The flags
  argument defaults to 0 and has the same meaning as for send().  If
  address is supplied and not None, it sets a destination address for
  the message.  The return value is the number of bytes of non-ancillary
  data sent.
sendmsg_afalg(...)

  sendmsg_afalg([msg], *, op[, iv[, assoclen[, flags=MSG_MORE]]])

  Set operation mode, IV and length of associated data for an AF_ALG
  operation socket.
sendto(...)

  sendto(data[, flags], address) -> count

  Like send(data, flags) but allows specifying the destination address.
  For IP sockets, the address is a pair (hostaddr, port).
set_inheritable(self, inheritable)

  Set the inheritable flag of the socket
setblocking(...)

  setblocking(flag)

  Set the socket to blocking (flag is true) or non-blocking (false).
  setblocking(True) is equivalent to settimeout(None);
  setblocking(False) is equivalent to settimeout(0.0).
setsockopt(...)

  setsockopt(level, option, value: int)
  setsockopt(level, option, value: buffer)
  setsockopt(level, option, None, optlen: int)

  Set a socket option.  See the Unix manual for level and option.
  The value argument can either be an integer, a string buffer, or
  None, optlen.
settimeout(...)

  settimeout(timeout)

  Set a timeout on socket operations.  'timeout' can be a float,
  giving in seconds, or None.  Setting a timeout of None disables
  the timeout feature and is equivalent to setblocking(1).
  Setting a timeout of zero is the same as setblocking(0).
shutdown(...)

  shutdown(flag)

  Shut down the reading side of the socket (flag == SHUT_RD), the writing side
  of the socket (flag == SHUT_WR), or both ends (flag == SHUT_RDWR).
family = <property object at 0x7f75e3b37420>
  Read-only access to the address family for this socket.
        
proto = <member 'proto' of '_socket.socket' objects>
  the socket protocol
timeout = <attribute 'timeout' of '_socket.socket' objects>
  the socket timeout
type = <property object at 0x7f75e3a66e80>
  Read-only access to the socket type.
        

OSError

Base class for I/O related errors.
with_traceback(...)

  Exception.with_traceback(tb) --
      set self.__traceback__ to tb and return self.
args = <attribute 'args' of 'BaseException' objects>
characters_written = <attribute 'characters_written' of 'OSError' objects>
errno = <member 'errno' of 'OSError' objects>
  POSIX exception code
filename = <member 'filename' of 'OSError' objects>
  exception filename
filename2 = <member 'filename2' of 'OSError' objects>
  second exception filename
strerror = <member 'strerror' of 'OSError' objects>
  exception strerror

Functions

DER_cert_to_PEM_cert

DER_cert_to_PEM_cert(der_cert_bytes)

  Takes a certificate in binary DER format and returns the
      PEM version of it as a string.

PEM_cert_to_DER_cert

PEM_cert_to_DER_cert(pem_cert_string)

  Takes a certificate in ASCII PEM format and returns the
      DER-encoded version of it as a byte sequence

RAND_add

RAND_add(string, entropy, /)

  Mix string into the OpenSSL PRNG state.

  entropy (a float) is a lower bound on the entropy contained in
  string.  See RFC 4086.

RAND_bytes

RAND_bytes(n, /)

  Generate n cryptographically strong pseudo-random bytes.

RAND_pseudo_bytes

RAND_pseudo_bytes(n, /)

  Generate n pseudo-random bytes.

  Return a pair (bytes, is_cryptographic).  is_cryptographic is True
  if the bytes generated are cryptographically strong.

RAND_status

RAND_status()

  Returns True if the OpenSSL PRNG has been seeded with enough data and False if not.

  It is necessary to seed the PRNG with RAND_add() on some platforms before
  using the ssl() function.

cert_time_to_seconds

cert_time_to_seconds(cert_time)

  Return the time in seconds since the Epoch, given the timestring
      representing the "notBefore" or "notAfter" date from a certificate
      in ``"%b %d %H:%M:%S %Y %Z"`` strptime format (C locale).

      "notBefore" or "notAfter" dates must use UTC (RFC 5280).

      Month is one of: Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
      UTC should be specified as GMT (see ASN1_TIME_print())
    

create_connection

create_connection(address, timeout=<object object at 0x7f75e3c944e0>, source_address=None)

  Connect to *address* and return the socket object.

      Convenience function.  Connect to *address* (a 2-tuple ``(host,
      port)``) and return the socket object.  Passing the optional
      *timeout* parameter will set the timeout on the socket instance
      before attempting to connect.  If no *timeout* is supplied, the
      global default timeout setting returned by :func:`getdefaulttimeout`
      is used.  If *source_address* is set it must be a tuple of (host, port)
      for the socket to bind as a source address before making the connection.
      A host of '' or port 0 tells the OS to use the default.
    

create_default_context

create_default_context(purpose=<Purpose.SERVER_AUTH: _ASN1Object(nid=129, shortname='serverAuth', longname='TLS Web Server Authentication', oid='1.3.6.1.5.5.7.3.1')>, *, cafile=None, capath=None, cadata=None)

  Create a SSLContext object with default settings.

      NOTE: The protocol and settings may change anytime without prior
            deprecation. The values represent a fair balance between maximum
            compatibility and security.
    

get_default_verify_paths

get_default_verify_paths()

  Return paths to default cafile and capath.
    

get_protocol_name

get_protocol_name(protocol_code)

get_server_certificate

get_server_certificate(addr, ssl_version=<_SSLMethod.PROTOCOL_TLS_CLIENT: 16>, ca_certs=None, timeout=<object object at 0x7f75e3c944e0>)

  Retrieve the certificate from the server at the specified address,
      and return it as a PEM-encoded string.
      If 'ca_certs' is specified, validate the server cert against it.
      If 'ssl_version' is specified, use it in the connection attempt.
      If 'timeout' is specified, use it in the connection attempt.
    

match_hostname

match_hostname(cert, hostname)

  Verify that *cert* (in decoded format as returned by
      SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
      rules are followed.

      The function matches IP addresses rather than dNSNames if hostname is a
      valid ipaddress string. IPv4 addresses are supported on all platforms.
      IPv6 addresses are supported on platforms with IPv6 support (AF_INET6
      and inet_pton).

      CertificateError is raised on failure. On success, the function
      returns nothing.
    

namedtuple

namedtuple(typename, field_names, *, rename=False, defaults=None, module=None)

  Returns a new subclass of tuple with named fields.

      >>> Point = namedtuple('Point', ['x', 'y'])
      >>> Point.__doc__                   # docstring for the new class
      'Point(x, y)'
      >>> p = Point(11, y=22)             # instantiate with positional args or keywords
      >>> p[0] + p[1]                     # indexable like a plain tuple
      33
      >>> x, y = p                        # unpack like a regular tuple
      >>> x, y
      (11, 22)
      >>> p.x + p.y                       # fields also accessible by name
      33
      >>> d = p._asdict()                 # convert to a dictionary
      >>> d['x']
      11
      >>> Point(**d)                      # convert from a dictionary
      Point(x=11, y=22)
      >>> p._replace(x=100)               # _replace() is like str.replace() but targets named fields
      Point(x=100, y=22)

    

wrap_socket

wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=<VerifyMode.CERT_NONE: 0>, ssl_version=<_SSLMethod.PROTOCOL_TLS: 2>, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None)

Other members

ALERT_DESCRIPTION_ACCESS_DENIED = <AlertDescription.ALERT_DESCRIPTION_ACCESS_DENIED: 49>
ALERT_DESCRIPTION_BAD_CERTIFICATE = <AlertDescription.ALERT_DESCRIPTION_BAD_CERTIFICATE: 42>
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE = <AlertDescription.ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE: 114>
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE = <AlertDescription.ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE: 113>
ALERT_DESCRIPTION_BAD_RECORD_MAC = <AlertDescription.ALERT_DESCRIPTION_BAD_RECORD_MAC: 20>
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_EXPIRED: 45>
ALERT_DESCRIPTION_CERTIFICATE_REVOKED = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_REVOKED: 44>
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN: 46>
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE = <AlertDescription.ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE: 111>
ALERT_DESCRIPTION_CLOSE_NOTIFY = <AlertDescription.ALERT_DESCRIPTION_CLOSE_NOTIFY: 0>
ALERT_DESCRIPTION_DECODE_ERROR = <AlertDescription.ALERT_DESCRIPTION_DECODE_ERROR: 50>
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE = <AlertDescription.ALERT_DESCRIPTION_DECOMPRESSION_FAILURE: 30>
ALERT_DESCRIPTION_DECRYPT_ERROR = <AlertDescription.ALERT_DESCRIPTION_DECRYPT_ERROR: 51>
ALERT_DESCRIPTION_HANDSHAKE_FAILURE = <AlertDescription.ALERT_DESCRIPTION_HANDSHAKE_FAILURE: 40>
ALERT_DESCRIPTION_ILLEGAL_PARAMETER = <AlertDescription.ALERT_DESCRIPTION_ILLEGAL_PARAMETER: 47>
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY = <AlertDescription.ALERT_DESCRIPTION_INSUFFICIENT_SECURITY: 71>
ALERT_DESCRIPTION_INTERNAL_ERROR = <AlertDescription.ALERT_DESCRIPTION_INTERNAL_ERROR: 80>
ALERT_DESCRIPTION_NO_RENEGOTIATION = <AlertDescription.ALERT_DESCRIPTION_NO_RENEGOTIATION: 100>
ALERT_DESCRIPTION_PROTOCOL_VERSION = <AlertDescription.ALERT_DESCRIPTION_PROTOCOL_VERSION: 70>
ALERT_DESCRIPTION_RECORD_OVERFLOW = <AlertDescription.ALERT_DESCRIPTION_RECORD_OVERFLOW: 22>
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE = <AlertDescription.ALERT_DESCRIPTION_UNEXPECTED_MESSAGE: 10>
ALERT_DESCRIPTION_UNKNOWN_CA = <AlertDescription.ALERT_DESCRIPTION_UNKNOWN_CA: 48>
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY = <AlertDescription.ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY: 115>
ALERT_DESCRIPTION_UNRECOGNIZED_NAME = <AlertDescription.ALERT_DESCRIPTION_UNRECOGNIZED_NAME: 112>
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE = <AlertDescription.ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE: 43>
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION = <AlertDescription.ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION: 110>
ALERT_DESCRIPTION_USER_CANCELLED = <AlertDescription.ALERT_DESCRIPTION_USER_CANCELLED: 90>
CERT_NONE = <VerifyMode.CERT_NONE: 0>
CERT_OPTIONAL = <VerifyMode.CERT_OPTIONAL: 1>
CERT_REQUIRED = <VerifyMode.CERT_REQUIRED: 2>
CHANNEL_BINDING_TYPES = ['tls-unique']
HAS_ALPN = True
HAS_ECDH = True
HAS_NEVER_CHECK_COMMON_NAME = True
HAS_NPN = False
HAS_SNI = True
HAS_SSLv2 = False
HAS_SSLv3 = False
HAS_TLSv1 = True
HAS_TLSv1_1 = True
HAS_TLSv1_2 = True
HAS_TLSv1_3 = True
OPENSSL_VERSION = 'OpenSSL 3.0.7 1 Nov 2022'
OPENSSL_VERSION_INFO = (3, 0, 0, 7, 0)
OPENSSL_VERSION_NUMBER = 805306480
OP_ALL = <Options.OP_ALL: 2147483728>
OP_CIPHER_SERVER_PREFERENCE = <Options.OP_CIPHER_SERVER_PREFERENCE: 4194304>
OP_ENABLE_MIDDLEBOX_COMPAT = <Options.OP_ENABLE_MIDDLEBOX_COMPAT: 1048576>
OP_IGNORE_UNEXPECTED_EOF = <Options.OP_IGNORE_UNEXPECTED_EOF: 128>
OP_NO_COMPRESSION = <Options.OP_NO_COMPRESSION: 131072>
OP_NO_RENEGOTIATION = <Options.OP_NO_RENEGOTIATION: 1073741824>
OP_NO_SSLv2 = <Options.OP_NO_SSLv2: 0>
OP_NO_SSLv3 = <Options.OP_NO_SSLv3: 33554432>
OP_NO_TICKET = <Options.OP_NO_TICKET: 16384>
OP_NO_TLSv1 = <Options.OP_NO_TLSv1: 67108864>
OP_NO_TLSv1_1 = <Options.OP_NO_TLSv1_1: 268435456>
OP_NO_TLSv1_2 = <Options.OP_NO_TLSv1_2: 134217728>
OP_NO_TLSv1_3 = <Options.OP_NO_TLSv1_3: 536870912>
OP_SINGLE_DH_USE = <Options.OP_NO_SSLv2: 0>
OP_SINGLE_ECDH_USE = <Options.OP_NO_SSLv2: 0>
PEM_FOOTER = '-----END CERTIFICATE-----'
PEM_HEADER = '-----BEGIN CERTIFICATE-----'
PROTOCOL_SSLv23 = <_SSLMethod.PROTOCOL_TLS: 2>
PROTOCOL_TLS = <_SSLMethod.PROTOCOL_TLS: 2>
PROTOCOL_TLS_CLIENT = <_SSLMethod.PROTOCOL_TLS_CLIENT: 16>
PROTOCOL_TLS_SERVER = <_SSLMethod.PROTOCOL_TLS_SERVER: 17>
PROTOCOL_TLSv1 = <_SSLMethod.PROTOCOL_TLSv1: 3>
PROTOCOL_TLSv1_1 = <_SSLMethod.PROTOCOL_TLSv1_1: 4>
PROTOCOL_TLSv1_2 = <_SSLMethod.PROTOCOL_TLSv1_2: 5>
SOCK_STREAM = <SocketKind.SOCK_STREAM: 1>
SOL_SOCKET = 1
SO_TYPE = 3
SSL_ERROR_EOF = <SSLErrorNumber.SSL_ERROR_EOF: 8>
SSL_ERROR_INVALID_ERROR_CODE = <SSLErrorNumber.SSL_ERROR_INVALID_ERROR_CODE: 10>
SSL_ERROR_SSL = <SSLErrorNumber.SSL_ERROR_SSL: 1>
SSL_ERROR_SYSCALL = <SSLErrorNumber.SSL_ERROR_SYSCALL: 5>
SSL_ERROR_WANT_CONNECT = <SSLErrorNumber.SSL_ERROR_WANT_CONNECT: 7>
SSL_ERROR_WANT_READ = <SSLErrorNumber.SSL_ERROR_WANT_READ: 2>
SSL_ERROR_WANT_WRITE = <SSLErrorNumber.SSL_ERROR_WANT_WRITE: 3>
SSL_ERROR_WANT_X509_LOOKUP = <SSLErrorNumber.SSL_ERROR_WANT_X509_LOOKUP: 4>
SSL_ERROR_ZERO_RETURN = <SSLErrorNumber.SSL_ERROR_ZERO_RETURN: 6>
VERIFY_ALLOW_PROXY_CERTS = <VerifyFlags.VERIFY_ALLOW_PROXY_CERTS: 64>
VERIFY_CRL_CHECK_CHAIN = <VerifyFlags.VERIFY_CRL_CHECK_CHAIN: 12>
VERIFY_CRL_CHECK_LEAF = <VerifyFlags.VERIFY_CRL_CHECK_LEAF: 4>
VERIFY_DEFAULT = <VerifyFlags.VERIFY_DEFAULT: 0>
VERIFY_X509_PARTIAL_CHAIN = <VerifyFlags.VERIFY_X509_PARTIAL_CHAIN: 524288>
VERIFY_X509_STRICT = <VerifyFlags.VERIFY_X509_STRICT: 32>
VERIFY_X509_TRUSTED_FIRST = <VerifyFlags.VERIFY_X509_TRUSTED_FIRST: 32768>

Modules

base64

errno

os

sys

warnings