Class TLSConnection

Create a new TLSConnection instance.

Parameters:

• sock (socket.socket) - The socket data will be transmitted on. The socket should already be connected. It may be in blocking or non-blocking mode.

Overrides: tlsrecordlayer.TLSRecordLayer.__init__

Perform a certificate-based handshake in the role of client.

This function performs an SSL or TLS handshake. The server will authenticate itself using an X.509 certificate chain. If the handshake succeeds, the server's certificate chain will be stored in the session's serverCertChain attribute. Unless a checker object is passed in, this function does no validation or checking of the server's certificate chain.

If the server requests client authentication, the client will send the passed-in certificate chain, and use the passed-in private key to authenticate itself. If no certificate chain and private key were passed in, the client will attempt to proceed without client authentication. The server may or may not allow this.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:

• certChain (tlslite.x509certchain.X509CertChain) - The certificate chain to be used if the server requests client authentication.
• privateKey (tlslite.utils.rsakey.RSAKey) - The private key to be used if the server requests client authentication.
• session (tlslite.session.Session) - A TLS session to attempt to resume. If the resumption does not succeed, a full handshake will be performed.
• settings (tlslite.handshakesettings.HandshakeSettings) - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
• checker (tlslite.checker.Checker) - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
• reqTack (bool) - Whether or not to send a "tack" TLS Extension, requesting the server return a TACK_Extension if it has one.
• async (bool) - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.

Returns: None or an iterable

If 'async' is True, a generator object will be returned.

Raises:

• socket.error - If a socket error occurs.
• tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
• tlslite.errors.TLSAlert - If a TLS alert is signalled.
• tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

Perform an SRP handshake in the role of client.

This function performs a TLS/SRP handshake. SRP mutually authenticates both parties to each other using only a username and password. This function may also perform a combined SRP and server-certificate handshake, if the server chooses to authenticate itself with a certificate chain in addition to doing SRP.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:

• username (str) - The SRP username.
• password (str) - The SRP password.
• session (tlslite.session.Session) - A TLS session to attempt to resume. This session must be an SRP session performed with the same username and password as were passed in. If the resumption does not succeed, a full SRP handshake will be performed.
• settings (tlslite.handshakesettings.HandshakeSettings) - Various settings which can be used to control the ciphersuites, certificate types, and SSL/TLS versions offered by the client.
• checker (tlslite.checker.Checker) - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
• reqTack (bool) - Whether or not to send a "tack" TLS Extension, requesting the server return a TACK_Extension if it has one.
• async (bool) - If False, this function will block until the handshake is completed. If True, this function will return a generator. Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the handshake operation is completed.

Returns: None or an iterable

If 'async' is True, a generator object will be returned.

Raises:

• socket.error - If a socket error occurs.
• tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
• tlslite.errors.TLSAlert - If a TLS alert is signalled.
• tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

Perform a handshake in the role of server.

This function performs an SSL or TLS handshake. Depending on the arguments and the behavior of the client, this function can perform an SRP, or certificate-based handshake. It can also perform a combined SRP and server-certificate handshake.

Like any handshake function, this can be called on a closed TLS connection, or on a TLS connection that is already open. If called on an open connection it performs a re-handshake. This function does not send a Hello Request message before performing the handshake, so if re-handshaking is required, the server must signal the client to begin the re-handshake through some other means.

If the function completes without raising an exception, the TLS connection will be open and available for data transfer.

If an exception is raised, the connection will have been automatically closed (if it was ever open).

Parameters:

• verifierDB (tlslite.verifierdb.VerifierDB) - A database of SRP password verifiers associated with usernames. If the client performs an SRP handshake, the session's srpUsername attribute will be set.
• certChain (tlslite.x509certchain.X509CertChain) - The certificate chain to be used if the client requests server certificate authentication.
• privateKey (tlslite.utils.rsakey.RSAKey) - The private key to be used if the client requests server certificate authentication.
• reqCert (bool) - Whether to request client certificate authentication. This only applies if the client chooses server certificate authentication; if the client chooses SRP authentication, this will be ignored. If the client performs a client certificate authentication, the sessions's clientCertChain attribute will be set.
• sessionCache (tlslite.sessioncache.SessionCache) - An in-memory cache of resumable sessions. The client can resume sessions from this cache. Alternatively, if the client performs a full handshake, a new session will be added to the cache.
• settings (tlslite.handshakesettings.HandshakeSettings) - Various settings which can be used to control the ciphersuites and SSL/TLS version chosen by the server.
• checker (tlslite.checker.Checker) - A Checker instance. This instance will be invoked to examine the other party's authentication credentials, if the handshake completes succesfully.
• reqCAs (list of bytearray of unsigned bytes) - A collection of DER-encoded DistinguishedNames that will be sent along with a certificate request. This does not affect verification.

Raises:

• socket.error - If a socket error occurs.
• tlslite.errors.TLSAbruptCloseError - If the socket is closed without a preceding alert.
• tlslite.errors.TLSAlert - If a TLS alert is signalled.
• tlslite.errors.TLSAuthenticationError - If the checker doesn't like the other party's authentication credentials.

Start a server handshake operation on the TLS connection.

This function returns a generator which behaves similarly to handshakeServer(). Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or it will raise StopIteration if the handshake operation is complete.

Returns: iterable

A generator; see above for details.