# Copyright (C) 2001-2018, Python Software Foundation # For licence information, see README file. # msgid "" msgstr "" "Project-Id-Version: Python 3\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2023-04-14 13:19+0200\n" "PO-Revision-Date: 2020-03-30 22:31+0200\n" "Last-Translator: Mathieu Dupuy \n" "Language-Team: FRENCH \n" "Language: fr\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Poedit 2.3\n" #: library/ssl.rst:2 msgid ":mod:`ssl` --- TLS/SSL wrapper for socket objects" msgstr ":mod:`ssl` — Emballage TLS/SSL pour les objets connecteurs" #: library/ssl.rst:10 msgid "**Source code:** :source:`Lib/ssl.py`" msgstr "**Code source :** :source:`Lib/ssl.py`" #: library/ssl.rst:18 #, fuzzy msgid "" "This module provides access to Transport Layer Security (often known as " "\"Secure Sockets Layer\") encryption and peer authentication facilities for " "network sockets, both client-side and server-side. This module uses the " "OpenSSL library. It is available on all modern Unix systems, Windows, macOS, " "and probably additional platforms, as long as OpenSSL is installed on that " "platform." msgstr "" "Ce module fournit un accès aux fonctions de chiffrement et " "d'authentification entre pairs : « *Transport Layer Security* » (souvent " "appelé « *Secure Sockets Layer* ») pour les connecteurs réseau, côté client " "et côté serveur. Ce module utilise la bibliothèque OpenSSL. Il est " "disponible sur tous les systèmes Unix modernes, Windows, Mac OS X et " "probablement sur d'autres plates-formes, à condition qu'OpenSSL soit " "installé sur cette plate-forme." #: library/ssl.rst:26 #, fuzzy msgid "" "Some behavior may be platform dependent, since calls are made to the " "operating system socket APIs. The installed version of OpenSSL may also " "cause variations in behavior. For example, TLSv1.3 with OpenSSL version " "1.1.1." msgstr "" "Certains comportements peuvent dépendre de la plate-forme, car des appels " "sont passés aux API de connexions du système d'exploitation. La version " "installée de OpenSSL peut également entraîner des variations de " "comportement. Par exemple, TLSv1.1 et TLSv1.2 sont livrés avec la version " "1.0.1 de OpenSSL." #: library/ssl.rst:32 msgid "" "Don't use this module without reading the :ref:`ssl-security`. Doing so may " "lead to a false sense of security, as the default settings of the ssl module " "are not necessarily appropriate for your application." msgstr "" "N’utilisez pas ce module sans lire :ref:`ssl-security`. Cela pourrait créer " "un faux sentiment de sécurité, car les paramètres par défaut du module *ssl* " "ne sont pas nécessairement appropriés pour votre application." #: includes/wasm-notavail.rst:3 #, fuzzy msgid ":ref:`Availability `: not Emscripten, not WASI." msgstr ":ref:`Disponibilité ` : Windows." #: includes/wasm-notavail.rst:5 msgid "" "This module does not work or is not available on WebAssembly platforms " "``wasm32-emscripten`` and ``wasm32-wasi``. See :ref:`wasm-availability` for " "more information." msgstr "" #: library/ssl.rst:38 msgid "" "This section documents the objects and functions in the ``ssl`` module; for " "more general information about TLS, SSL, and certificates, the reader is " "referred to the documents in the \"See Also\" section at the bottom." msgstr "" "Cette section documente les objets et les fonctions du module ``ssl``. Pour " "des informations plus générales sur TLS, SSL et les certificats, le lecteur " "est prié de se référer aux documents de la section « Voir Aussi » au bas de " "cette page." #: library/ssl.rst:42 #, fuzzy msgid "" "This module provides a class, :class:`ssl.SSLSocket`, which is derived from " "the :class:`socket.socket` type, and provides a socket-like wrapper that " "also encrypts and decrypts the data going over the socket with SSL. It " "supports additional methods such as :meth:`getpeercert`, which retrieves the " "certificate of the other side of the connection, and :meth:`cipher`, which " "retrieves the cipher being used for the secure connection." msgstr "" "Ce module fournit une classe :class:`ssl.SSLSocket`, dérivée du type :class:" "`socket.socket`, ainsi qu'une enveloppe (*wrapper* en anglais) qui mime un " "connecteur qui chiffre et déchiffre les données passant sur le connecteur " "utilisant SSL. Il prend en charge des méthodes supplémentaires telles que :" "meth:`getpeercert` qui récupère le certificat de l'autre coté de la " "connexion et :meth:`cipher`, qui récupère le chiffrement utilisé pour la " "connexion." #: library/ssl.rst:49 msgid "" "For more sophisticated applications, the :class:`ssl.SSLContext` class helps " "manage settings and certificates, which can then be inherited by SSL sockets " "created through the :meth:`SSLContext.wrap_socket` method." msgstr "" "Pour les applications plus sophistiquées, la classe :class:`ssl.SSLContext` " "facilite la gestion des paramètres et des certificats, qui peuvent ensuite " "être hérités par les connecteurs SSL créés via la méthode :meth:`SSLContext." "wrap_socket`." #: library/ssl.rst:53 msgid "Updated to support linking with OpenSSL 1.1.0" msgstr "Mise à jour pour prendre en charge la liaison avec OpenSSL 1.1.0" #: library/ssl.rst:58 msgid "" "OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and no longer supported. In " "the future the ssl module will require at least OpenSSL 1.0.2 or 1.1.0." msgstr "" "OpenSSL 0.9.8, 1.0.0 et 1.0.1 sont obsolètes et ne sont plus prises en " "charge. Dans l'avenir, le module *ssl* nécessitera au minimum OpenSSL 1.0.2 " "ou 1.1.0." #: library/ssl.rst:64 msgid "" ":pep:`644` has been implemented. The ssl module requires OpenSSL 1.1.1 or " "newer." msgstr "" #: library/ssl.rst:67 msgid "" "Use of deprecated constants and functions result in deprecation warnings." msgstr "" #: library/ssl.rst:71 msgid "Functions, Constants, and Exceptions" msgstr "Fonctions, constantes et exceptions" #: library/ssl.rst:75 msgid "Socket creation" msgstr "Création de connecteurs" #: library/ssl.rst:77 msgid "" "Since Python 3.2 and 2.7.9, it is recommended to use the :meth:`SSLContext." "wrap_socket` of an :class:`SSLContext` instance to wrap sockets as :class:" "`SSLSocket` objects. The helper functions :func:`create_default_context` " "returns a new context with secure default settings. The old :func:" "`wrap_socket` function is deprecated since it is both inefficient and has no " "support for server name indication (SNI) and hostname matching." msgstr "" "Depuis Python 3.2 et 2.7.9, il est recommandé d'utiliser :meth:`SSLContext." "wrap_socket` d'une instance :class:`SSLContext` pour encapsuler des " "connecteurs en tant qu'objets :class:`SSLSocket`. Les fonctions auxiliaires :" "func:`create_default_context` renvoient un nouveau contexte avec des " "paramètres par défaut sécurisés. L'ancienne fonction :func:`wrap_socket` est " "obsolète car elle est à la fois inefficace et ne prend pas en charge " "l'indication de nom de serveur (SNI) et la vérification du nom de l'hôte." #: library/ssl.rst:85 msgid "Client socket example with default context and IPv4/IPv6 dual stack::" msgstr "" "Exemple de connecteur client avec contexte par défaut et double pile IPv4/" "IPv6 ::" #: library/ssl.rst:98 msgid "Client socket example with custom context and IPv4::" msgstr "Exemple de connecteur client avec contexte personnalisé et IPv4 ::" #: library/ssl.rst:110 msgid "Server socket example listening on localhost IPv4::" msgstr "Exemple de connecteur serveur à l'écoute sur IPv4 *localhost* ::" #: library/ssl.rst:124 msgid "Context creation" msgstr "Création de contexte" #: library/ssl.rst:126 msgid "" "A convenience function helps create :class:`SSLContext` objects for common " "purposes." msgstr "" "Une fonction utilitaire permettant de créer facilement des objets :class:" "`SSLContext` pour des usages classiques." #: library/ssl.rst:131 msgid "" "Return a new :class:`SSLContext` object with default settings for the given " "*purpose*. The settings are chosen by the :mod:`ssl` module, and usually " "represent a higher security level than when calling the :class:`SSLContext` " "constructor directly." msgstr "" "Renvoie un nouvel objet :class:`SSLContext`. Le paramètre *purpose* permet " "de choisir parmi un ensemble de paramètres par défaut en fonction de l'usage " "souhaité. Les paramètres sont choisis par le module :mod:`ssl` et " "représentent généralement un niveau de sécurité supérieur à celui utilisé " "lorsque vous appelez directement le constructeur :class:`SSLContext`." #: library/ssl.rst:136 msgid "" "*cafile*, *capath*, *cadata* represent optional CA certificates to trust for " "certificate verification, as in :meth:`SSLContext.load_verify_locations`. " "If all three are :const:`None`, this function can choose to trust the " "system's default CA certificates instead." msgstr "" "*cafile*, *capath*, *cadata* représentent des certificats d'autorité de " "certification facultatifs approuvés pour la vérification de certificats, " "comme dans :meth:`SSLContext.load_verify_locations`. Si les trois sont à :" "const:`None`, cette fonction peut choisir de faire confiance aux certificats " "d'autorité de certification par défaut du système." #: library/ssl.rst:142 #, fuzzy msgid "" "The settings are: :data:`PROTOCOL_TLS_CLIENT` or :data:" "`PROTOCOL_TLS_SERVER`, :data:`OP_NO_SSLv2`, and :data:`OP_NO_SSLv3` with " "high encryption cipher suites without RC4 and without unauthenticated cipher " "suites. Passing :data:`~Purpose.SERVER_AUTH` as *purpose* sets :data:" "`~SSLContext.verify_mode` to :data:`CERT_REQUIRED` and either loads CA " "certificates (when at least one of *cafile*, *capath* or *cadata* is given) " "or uses :meth:`SSLContext.load_default_certs` to load default CA " "certificates." msgstr "" "Les paramètres sont : :data:`PROTOCOL_TLS`, :data:`OP_NO_SSLv2` et :data:" "`OP_NO_SSLv3` avec des algorithmes de chiffrement de grande robustesse, " "n'utilisant pas RC4 et n'utilisant pas les suites cryptographiques sans " "authentification. Passer :data:`~Purpose.SERVER_AUTH` en tant que *purpose* " "définit :data:`~SSLContext.verify_mode` sur :data:`CERT_REQUIRED` et charge " "les certificats de l'autorité de certification (lorsqu'au moins un des " "paramètres *cafile*, *capath* ou *cadata* est renseigné) ou utilise :meth:" "`SSLContext.load_default_certs` pour charger les certificats des autorités " "de certification par défaut." #: library/ssl.rst:151 msgid "" "When :attr:`~SSLContext.keylog_filename` is supported and the environment " "variable :envvar:`SSLKEYLOGFILE` is set, :func:`create_default_context` " "enables key logging." msgstr "" "Lorsque :attr:`~SSLContext.keylog_filename` est pris en charge et que la " "variable d'environnement :envvar:`SSLKEYLOGFILE` est définie, :func:" "`create_default_context` active la journalisation des clés." #: library/ssl.rst:156 msgid "" "The protocol, options, cipher and other settings may change to more " "restrictive values anytime without prior deprecation. The values represent " "a fair balance between compatibility and security." msgstr "" "Le protocole, les options, l'algorithme de chiffrement et d'autres " "paramètres peuvent changer pour des valeurs plus restrictives à tout moment " "sans avertissement préalable. Les valeurs représentent un juste équilibre " "entre compatibilité et sécurité." #: library/ssl.rst:160 msgid "" "If your application needs specific settings, you should create a :class:" "`SSLContext` and apply the settings yourself." msgstr "" "Si votre application nécessite des paramètres spécifiques, vous devez créer " "une classe :class:`SSLContext` et appliquer les paramètres vous-même." #: library/ssl.rst:164 msgid "" "If you find that when certain older clients or servers attempt to connect " "with a :class:`SSLContext` created by this function that they get an error " "stating \"Protocol or cipher suite mismatch\", it may be that they only " "support SSL3.0 which this function excludes using the :data:`OP_NO_SSLv3`. " "SSL3.0 is widely considered to be `completely broken `_. If you still wish to continue to use this function but " "still allow SSL 3.0 connections you can re-enable them using::" msgstr "" "Si vous constatez que, lorsque certains clients ou serveurs plus anciens " "tentent de se connecter avec une classe :class:`SSLContext` créée par cette " "fonction, une erreur indiquant « *Protocol or cipher suite " "mismatch* » (« Non concordance de protocole ou d'algorithme de " "chiffrement ») est détectée, il se peut qu'ils ne prennent en charge que SSL " "3.0 que cette fonction exclut en utilisant :data:`OP_NO_SSLv3`. SSL3.0 est " "notoirement considéré comme `totalement déficient `_. Si vous souhaitez toujours continuer à utiliser cette " "fonction tout en autorisant les connexions SSL 3.0, vous pouvez les " "réactiver à l'aide de ::" #: library/ssl.rst:180 msgid "RC4 was dropped from the default cipher string." msgstr "" "RC4 a été supprimé de la liste des algorithmes de chiffrement par défaut." #: library/ssl.rst:184 msgid "ChaCha20/Poly1305 was added to the default cipher string." msgstr "" "*ChaCha20*/*Poly1305* a été ajouté à la liste des algorithmes de chiffrement " "par défaut." #: library/ssl.rst:186 msgid "3DES was dropped from the default cipher string." msgstr "" "*3DES* a été supprimé de la liste des algorithmes de chiffrement par défaut." #: library/ssl.rst:190 msgid "Support for key logging to :envvar:`SSLKEYLOGFILE` was added." msgstr "" "La prise en charge de la journalisation des clés dans :envvar:" "`SSLKEYLOGFILE` a été ajoutée." #: library/ssl.rst:194 msgid "" "The context now uses :data:`PROTOCOL_TLS_CLIENT` or :data:" "`PROTOCOL_TLS_SERVER` protocol instead of generic :data:`PROTOCOL_TLS`." msgstr "" #: library/ssl.rst:200 msgid "Exceptions" msgstr "Exceptions" #: library/ssl.rst:204 msgid "" "Raised to signal an error from the underlying SSL implementation (currently " "provided by the OpenSSL library). This signifies some problem in the higher-" "level encryption and authentication layer that's superimposed on the " "underlying network connection. This error is a subtype of :exc:`OSError`. " "The error code and message of :exc:`SSLError` instances are provided by the " "OpenSSL library." msgstr "" "Levée pour signaler une erreur de l'implémentation SSL sous-jacente " "(actuellement fournie par la bibliothèque OpenSSL). Cela signifie qu'un " "problème est apparu dans la couche d'authentification et de chiffrement de " "niveau supérieur qui s'appuie sur la connexion réseau sous-jacente. Cette " "erreur est un sous-type de :exc:`OSError`. Le code d'erreur et le message " "des instances de :exc:`SSLError` sont fournis par la bibliothèque OpenSSL." #: library/ssl.rst:211 msgid ":exc:`SSLError` used to be a subtype of :exc:`socket.error`." msgstr ":exc:`SSLError` était un sous-type de :exc:`socket.error`." #: library/ssl.rst:216 msgid "" "A string mnemonic designating the OpenSSL submodule in which the error " "occurred, such as ``SSL``, ``PEM`` or ``X509``. The range of possible " "values depends on the OpenSSL version." msgstr "" "Une chaîne de caractères mnémonique désignant le sous-module OpenSSL dans " "lequel l'erreur s'est produite, telle que ``SSL``, ``PEM`` ou ``X509``. " "L'étendue des valeurs possibles dépend de la version d'OpenSSL." #: library/ssl.rst:224 msgid "" "A string mnemonic designating the reason this error occurred, for example " "``CERTIFICATE_VERIFY_FAILED``. The range of possible values depends on the " "OpenSSL version." msgstr "" #: library/ssl.rst:232 msgid "" "A subclass of :exc:`SSLError` raised when trying to read or write and the " "SSL connection has been closed cleanly. Note that this doesn't mean that " "the underlying transport (read TCP) has been closed." msgstr "" #: library/ssl.rst:240 msgid "" "A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket ` when trying to read or write data, but more data needs to be " "received on the underlying TCP transport before the request can be fulfilled." msgstr "" "Sous-classe de :exc:`SSLError` levée par un connecteur :ref:`SSL non " "bloquant ` lors d'une tentative de lecture ou d'écriture de " "données, alors que davantage de données doivent être reçues sur la couche " "TCP sous-jacente avant que la demande puisse être satisfaite." #: library/ssl.rst:249 msgid "" "A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket ` when trying to read or write data, but more data needs to be " "sent on the underlying TCP transport before the request can be fulfilled." msgstr "" #: library/ssl.rst:258 msgid "" "A subclass of :exc:`SSLError` raised when a system error was encountered " "while trying to fulfill an operation on a SSL socket. Unfortunately, there " "is no easy way to inspect the original errno number." msgstr "" #: library/ssl.rst:266 msgid "" "A subclass of :exc:`SSLError` raised when the SSL connection has been " "terminated abruptly. Generally, you shouldn't try to reuse the underlying " "transport when this error is encountered." msgstr "" #: library/ssl.rst:274 msgid "" "A subclass of :exc:`SSLError` raised when certificate validation has failed." msgstr "" #: library/ssl.rst:281 msgid "A numeric error number that denotes the verification error." msgstr "" #: library/ssl.rst:285 msgid "A human readable string of the verification error." msgstr "" #: library/ssl.rst:289 msgid "An alias for :exc:`SSLCertVerificationError`." msgstr "" #: library/ssl.rst:291 msgid "The exception is now an alias for :exc:`SSLCertVerificationError`." msgstr "" #: library/ssl.rst:296 msgid "Random generation" msgstr "" #: library/ssl.rst:300 msgid "" "Return *num* cryptographically strong pseudo-random bytes. Raises an :class:" "`SSLError` if the PRNG has not been seeded with enough data or if the " "operation is not supported by the current RAND method. :func:`RAND_status` " "can be used to check the status of the PRNG and :func:`RAND_add` can be used " "to seed the PRNG." msgstr "" #: library/ssl.rst:327 msgid "For almost all applications :func:`os.urandom` is preferable." msgstr "" #: library/ssl.rst:308 msgid "" "Read the Wikipedia article, `Cryptographically secure pseudorandom number " "generator (CSPRNG) `_, to get the " "requirements of a cryptographically strong generator." msgstr "" #: library/ssl.rst:317 msgid "" "Return (bytes, is_cryptographic): bytes are *num* pseudo-random bytes, " "is_cryptographic is ``True`` if the bytes generated are cryptographically " "strong. Raises an :class:`SSLError` if the operation is not supported by the " "current RAND method." msgstr "" #: library/ssl.rst:322 msgid "" "Generated pseudo-random byte sequences will be unique if they are of " "sufficient length, but are not necessarily unpredictable. They can be used " "for non-cryptographic purposes and for certain purposes in cryptographic " "protocols, but usually not for key generation etc." msgstr "" #: library/ssl.rst:333 msgid "" "OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use :func:`ssl." "RAND_bytes` instead." msgstr "" #: library/ssl.rst:338 msgid "" "Return ``True`` if the SSL pseudo-random number generator has been seeded " "with 'enough' randomness, and ``False`` otherwise. You can use :func:`ssl." "RAND_egd` and :func:`ssl.RAND_add` to increase the randomness of the pseudo-" "random number generator." msgstr "" #: library/ssl.rst:345 msgid "" "Mix the given *bytes* into the SSL pseudo-random number generator. The " "parameter *entropy* (a float) is a lower bound on the entropy contained in " "string (so you can always use :const:`0.0`). See :rfc:`1750` for more " "information on sources of entropy." msgstr "" #: library/ssl.rst:350 msgid "Writable :term:`bytes-like object` is now accepted." msgstr "N'importe quel :term:`bytes-like object` est maintenant accepté." #: library/ssl.rst:354 msgid "Certificate handling" msgstr "" #: library/ssl.rst:362 msgid "" "Verify that *cert* (in decoded format as returned by :meth:`SSLSocket." "getpeercert`) matches the given *hostname*. The rules applied are those for " "checking the identity of HTTPS servers as outlined in :rfc:`2818`, :rfc:" "`5280` and :rfc:`6125`. In addition to HTTPS, this function should be " "suitable for checking the identity of servers in various SSL-based protocols " "such as FTPS, IMAPS, POPS and others." msgstr "" #: library/ssl.rst:369 msgid "" ":exc:`CertificateError` is raised on failure. On success, the function " "returns nothing::" msgstr "" #: library/ssl.rst:382 msgid "" "The function now follows :rfc:`6125`, section 6.4.3 and does neither match " "multiple wildcards (e.g. ``*.*.com`` or ``*a*.example.org``) nor a wildcard " "inside an internationalized domain names (IDN) fragment. IDN A-labels such " "as ``www*.xn--pthon-kva.org`` are still supported, but ``x*.python.org`` no " "longer matches ``xn--tda.python.org``." msgstr "" #: library/ssl.rst:389 msgid "" "Matching of IP addresses, when present in the subjectAltName field of the " "certificate, is now supported." msgstr "" #: library/ssl.rst:393 msgid "" "The function is no longer used to TLS connections. Hostname matching is now " "performed by OpenSSL." msgstr "" #: library/ssl.rst:397 msgid "" "Allow wildcard when it is the leftmost and the only character in that " "segment. Partial wildcards like ``www*.example.com`` are no longer supported." msgstr "" #: library/ssl.rst:405 msgid "" "Return the time in seconds since the Epoch, given the ``cert_time`` string " "representing the \"notBefore\" or \"notAfter\" date from a certificate in " "``\"%b %d %H:%M:%S %Y %Z\"`` strptime format (C locale)." msgstr "" #: library/ssl.rst:410 msgid "Here's an example:" msgstr "" #: library/ssl.rst:422 msgid "\"notBefore\" or \"notAfter\" dates must use GMT (:rfc:`5280`)." msgstr "" #: library/ssl.rst:424 msgid "" "Interpret the input time as a time in UTC as specified by 'GMT' timezone in " "the input string. Local timezone was used previously. Return an integer (no " "fractions of a second in the input format)" msgstr "" #: library/ssl.rst:433 msgid "" "Given the address ``addr`` of an SSL-protected server, as a (*hostname*, " "*port-number*) pair, fetches the server's certificate, and returns it as a " "PEM-encoded string. If ``ssl_version`` is specified, uses that version of " "the SSL protocol to attempt to connect to the server. If ``ca_certs`` is " "specified, it should be a file containing a list of root certificates, the " "same format as used for the same parameter in :meth:`SSLContext." "wrap_socket`. The call will attempt to validate the server certificate " "against that set of root certificates, and will fail if the validation " "attempt fails. A timeout can be specified with the ``timeout`` parameter." msgstr "" #: library/ssl.rst:444 msgid "This function is now IPv6-compatible." msgstr "" #: library/ssl.rst:447 msgid "" "The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to :data:" "`PROTOCOL_TLS` for maximum compatibility with modern servers." msgstr "" #: library/ssl.rst:451 msgid "The *timeout* parameter was added." msgstr "" #: library/ssl.rst:456 msgid "" "Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded " "string version of the same certificate." msgstr "" #: library/ssl.rst:461 msgid "" "Given a certificate as an ASCII PEM string, returns a DER-encoded sequence " "of bytes for that same certificate." msgstr "" #: library/ssl.rst:466 msgid "" "Returns a named tuple with paths to OpenSSL's default cafile and capath. The " "paths are the same as used by :meth:`SSLContext.set_default_verify_paths`. " "The return value is a :term:`named tuple` ``DefaultVerifyPaths``:" msgstr "" #: library/ssl.rst:471 msgid "" ":attr:`cafile` - resolved path to cafile or ``None`` if the file doesn't " "exist," msgstr "" #: library/ssl.rst:472 msgid "" ":attr:`capath` - resolved path to capath or ``None`` if the directory " "doesn't exist," msgstr "" #: library/ssl.rst:473 msgid "" ":attr:`openssl_cafile_env` - OpenSSL's environment key that points to a " "cafile," msgstr "" #: library/ssl.rst:474 msgid ":attr:`openssl_cafile` - hard coded path to a cafile," msgstr "" #: library/ssl.rst:475 msgid "" ":attr:`openssl_capath_env` - OpenSSL's environment key that points to a " "capath," msgstr "" #: library/ssl.rst:476 msgid ":attr:`openssl_capath` - hard coded path to a capath directory" msgstr "" #: library/ssl.rst:482 msgid "" "Retrieve certificates from Windows' system cert store. *store_name* may be " "one of ``CA``, ``ROOT`` or ``MY``. Windows may provide additional cert " "stores, too." msgstr "" #: library/ssl.rst:486 msgid "" "The function returns a list of (cert_bytes, encoding_type, trust) tuples. " "The encoding_type specifies the encoding of cert_bytes. It is either :const:" "`x509_asn` for X.509 ASN.1 data or :const:`pkcs_7_asn` for PKCS#7 ASN.1 " "data. Trust specifies the purpose of the certificate as a set of OIDS or " "exactly ``True`` if the certificate is trustworthy for all purposes." msgstr "" #: library/ssl.rst:1637 library/ssl.rst:1932 msgid "Example::" msgstr "Exemple ::" #: library/ssl.rst:514 msgid ":ref:`Availability `: Windows." msgstr ":ref:`Disponibilité ` : Windows." #: library/ssl.rst:505 msgid "" "Retrieve CRLs from Windows' system cert store. *store_name* may be one of " "``CA``, ``ROOT`` or ``MY``. Windows may provide additional cert stores, too." msgstr "" #: library/ssl.rst:509 msgid "" "The function returns a list of (cert_bytes, encoding_type, trust) tuples. " "The encoding_type specifies the encoding of cert_bytes. It is either :const:" "`x509_asn` for X.509 ASN.1 data or :const:`pkcs_7_asn` for PKCS#7 ASN.1 data." msgstr "" #: library/ssl.rst:523 msgid "" "Takes an instance ``sock`` of :class:`socket.socket`, and returns an " "instance of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, " "which wraps the underlying socket in an SSL context. ``sock`` must be a :" "data:`~socket.SOCK_STREAM` socket; other socket types are unsupported." msgstr "" #: library/ssl.rst:528 msgid "" "Internally, function creates a :class:`SSLContext` with protocol " "*ssl_version* and :attr:`SSLContext.options` set to *cert_reqs*. If " "parameters *keyfile*, *certfile*, *ca_certs* or *ciphers* are set, then the " "values are passed to :meth:`SSLContext.load_cert_chain`, :meth:`SSLContext." "load_verify_locations`, and :meth:`SSLContext.set_ciphers`." msgstr "" #: library/ssl.rst:535 msgid "" "The arguments *server_side*, *do_handshake_on_connect*, and " "*suppress_ragged_eofs* have the same meaning as :meth:`SSLContext." "wrap_socket`." msgstr "" #: library/ssl.rst:541 msgid "" "Since Python 3.2 and 2.7.9, it is recommended to use the :meth:`SSLContext." "wrap_socket` instead of :func:`wrap_socket`. The top-level function is " "limited and creates an insecure client socket without server name indication " "or hostname matching." msgstr "" #: library/ssl.rst:547 msgid "Constants" msgstr "Constantes" #: library/ssl.rst:549 msgid "" "All constants are now :class:`enum.IntEnum` or :class:`enum.IntFlag` " "collections." msgstr "" #: library/ssl.rst:555 msgid "" "Possible value for :attr:`SSLContext.verify_mode`, or the ``cert_reqs`` " "parameter to :func:`wrap_socket`. Except for :const:`PROTOCOL_TLS_CLIENT`, " "it is the default mode. With client-side sockets, just about any cert is " "accepted. Validation errors, such as untrusted or expired cert, are ignored " "and do not abort the TLS/SSL handshake." msgstr "" #: library/ssl.rst:561 msgid "" "In server mode, no certificate is requested from the client, so the client " "does not send any for client cert authentication." msgstr "" #: library/ssl.rst:2340 msgid "See the discussion of :ref:`ssl-security` below." msgstr "" #: library/ssl.rst:568 msgid "" "Possible value for :attr:`SSLContext.verify_mode`, or the ``cert_reqs`` " "parameter to :func:`wrap_socket`. In client mode, :const:`CERT_OPTIONAL` " "has the same meaning as :const:`CERT_REQUIRED`. It is recommended to use :" "const:`CERT_REQUIRED` for client-side sockets instead." msgstr "" #: library/ssl.rst:573 msgid "" "In server mode, a client certificate request is sent to the client. The " "client may either ignore the request or send a certificate in order perform " "TLS client cert authentication. If the client chooses to send a " "certificate, it is verified. Any verification error immediately aborts the " "TLS handshake." msgstr "" #: library/ssl.rst:599 msgid "" "Use of this setting requires a valid set of CA certificates to be passed, " "either to :meth:`SSLContext.load_verify_locations` or as a value of the " "``ca_certs`` parameter to :func:`wrap_socket`." msgstr "" #: library/ssl.rst:585 msgid "" "Possible value for :attr:`SSLContext.verify_mode`, or the ``cert_reqs`` " "parameter to :func:`wrap_socket`. In this mode, certificates are required " "from the other side of the socket connection; an :class:`SSLError` will be " "raised if no certificate is provided, or if its validation fails. This mode " "is **not** sufficient to verify a certificate in client mode as it does not " "match hostnames. :attr:`~SSLContext.check_hostname` must be enabled as well " "to verify the authenticity of a cert. :const:`PROTOCOL_TLS_CLIENT` uses :" "const:`CERT_REQUIRED` and enables :attr:`~SSLContext.check_hostname` by " "default." msgstr "" #: library/ssl.rst:595 msgid "" "With server socket, this mode provides mandatory TLS client cert " "authentication. A client certificate request is sent to the client and the " "client must provide a valid and trusted certificate." msgstr "" #: library/ssl.rst:605 msgid ":class:`enum.IntEnum` collection of CERT_* constants." msgstr "" #: library/ssl.rst:611 msgid "" "Possible value for :attr:`SSLContext.verify_flags`. In this mode, " "certificate revocation lists (CRLs) are not checked. By default OpenSSL does " "neither require nor verify CRLs." msgstr "" #: library/ssl.rst:619 msgid "" "Possible value for :attr:`SSLContext.verify_flags`. In this mode, only the " "peer cert is checked but none of the intermediate CA certificates. The mode " "requires a valid CRL that is signed by the peer cert's issuer (its direct " "ancestor CA). If no proper CRL has been loaded with :attr:`SSLContext." "load_verify_locations`, validation will fail." msgstr "" #: library/ssl.rst:629 msgid "" "Possible value for :attr:`SSLContext.verify_flags`. In this mode, CRLs of " "all certificates in the peer cert chain are checked." msgstr "" #: library/ssl.rst:636 msgid "" "Possible value for :attr:`SSLContext.verify_flags` to disable workarounds " "for broken X.509 certificates." msgstr "" #: library/ssl.rst:643 msgid "" "Possible value for :attr:`SSLContext.verify_flags` to enables proxy " "certificate verification." msgstr "" #: library/ssl.rst:650 msgid "" "Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to " "prefer trusted certificates when building the trust chain to validate a " "certificate. This flag is enabled by default." msgstr "" #: library/ssl.rst:658 msgid "" "Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to " "accept intermediate CAs in the trust store to be treated as trust-anchors, " "in the same way as the self-signed root CA certificates. This makes it " "possible to trust certificates issued by an intermediate CA without having " "to trust its ancestor root CA." msgstr "" #: library/ssl.rst:669 msgid ":class:`enum.IntFlag` collection of VERIFY_* constants." msgstr "" #: library/ssl.rst:675 msgid "" "Selects the highest protocol version that both the client and server " "support. Despite the name, this option can select both \"SSL\" and \"TLS\" " "protocols." msgstr "" #: library/ssl.rst:682 msgid "" "TLS clients and servers require different default settings for secure " "communication. The generic TLS protocol constant is deprecated in favor of :" "data:`PROTOCOL_TLS_CLIENT` and :data:`PROTOCOL_TLS_SERVER`." msgstr "" #: library/ssl.rst:688 msgid "" "Auto-negotiate the highest protocol version that both the client and server " "support, and configure the context client-side connections. The protocol " "enables :data:`CERT_REQUIRED` and :attr:`~SSLContext.check_hostname` by " "default." msgstr "" #: library/ssl.rst:697 msgid "" "Auto-negotiate the highest protocol version that both the client and server " "support, and configure the context server-side connections." msgstr "" #: library/ssl.rst:704 msgid "Alias for :data:`PROTOCOL_TLS`." msgstr "" #: library/ssl.rst:708 msgid "Use :data:`PROTOCOL_TLS` instead." msgstr "" #: library/ssl.rst:712 msgid "Selects SSL version 2 as the channel encryption protocol." msgstr "" #: library/ssl.rst:714 msgid "" "This protocol is not available if OpenSSL is compiled with the ``no-ssl2`` " "option." msgstr "" #: library/ssl.rst:719 msgid "SSL version 2 is insecure. Its use is highly discouraged." msgstr "" #: library/ssl.rst:723 msgid "OpenSSL has removed support for SSLv2." msgstr "" #: library/ssl.rst:727 msgid "Selects SSL version 3 as the channel encryption protocol." msgstr "" #: library/ssl.rst:729 msgid "" "This protocol is not available if OpenSSL is compiled with the ``no-ssl3`` " "option." msgstr "" #: library/ssl.rst:734 msgid "SSL version 3 is insecure. Its use is highly discouraged." msgstr "" #: library/ssl.rst:738 msgid "" "OpenSSL has deprecated all version specific protocols. Use the default " "protocol :data:`PROTOCOL_TLS_SERVER` or :data:`PROTOCOL_TLS_CLIENT` with :" "attr:`SSLContext.minimum_version` and :attr:`SSLContext.maximum_version` " "instead." msgstr "" #: library/ssl.rst:746 msgid "Selects TLS version 1.0 as the channel encryption protocol." msgstr "" #: library/ssl.rst:761 library/ssl.rst:772 msgid "OpenSSL has deprecated all version specific protocols." msgstr "" #: library/ssl.rst:754 msgid "" "Selects TLS version 1.1 as the channel encryption protocol. Available only " "with openssl version 1.0.1+." msgstr "" #: library/ssl.rst:765 msgid "" "Selects TLS version 1.2 as the channel encryption protocol. Available only " "with openssl version 1.0.1+." msgstr "" #: library/ssl.rst:776 msgid "" "Enables workarounds for various bugs present in other SSL implementations. " "This option is set by default. It does not necessarily set the same flags " "as OpenSSL's ``SSL_OP_ALL`` constant." msgstr "" #: library/ssl.rst:784 msgid "" "Prevents an SSLv2 connection. This option is only applicable in conjunction " "with :const:`PROTOCOL_TLS`. It prevents the peers from choosing SSLv2 as " "the protocol version." msgstr "" #: library/ssl.rst:792 msgid "SSLv2 is deprecated" msgstr "" #: library/ssl.rst:796 msgid "" "Prevents an SSLv3 connection. This option is only applicable in conjunction " "with :const:`PROTOCOL_TLS`. It prevents the peers from choosing SSLv3 as " "the protocol version." msgstr "" #: library/ssl.rst:804 msgid "SSLv3 is deprecated" msgstr "" #: library/ssl.rst:808 msgid "" "Prevents a TLSv1 connection. This option is only applicable in conjunction " "with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1 as " "the protocol version." msgstr "" #: library/ssl.rst:814 msgid "" "The option is deprecated since OpenSSL 1.1.0, use the new :attr:`SSLContext." "minimum_version` and :attr:`SSLContext.maximum_version` instead." msgstr "" #: library/ssl.rst:821 msgid "" "Prevents a TLSv1.1 connection. This option is only applicable in conjunction " "with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.1 as " "the protocol version. Available only with openssl version 1.0.1+." msgstr "" #: library/ssl.rst:838 msgid "The option is deprecated since OpenSSL 1.1.0." msgstr "" #: library/ssl.rst:832 msgid "" "Prevents a TLSv1.2 connection. This option is only applicable in conjunction " "with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.2 as " "the protocol version. Available only with openssl version 1.0.1+." msgstr "" #: library/ssl.rst:843 msgid "" "Prevents a TLSv1.3 connection. This option is only applicable in conjunction " "with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.3 as " "the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later. When " "Python has been compiled against an older version of OpenSSL, the flag " "defaults to *0*." msgstr "" #: library/ssl.rst:851 msgid "" "The option is deprecated since OpenSSL 1.1.0. It was added to 2.7.15, 3.6.3 " "and 3.7.0 for backwards compatibility with OpenSSL 1.0.2." msgstr "" #: library/ssl.rst:857 msgid "" "Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest " "messages, and ignore renegotiation requests via ClientHello." msgstr "" #: library/ssl.rst:860 msgid "This option is only available with OpenSSL 1.1.0h and later." msgstr "" #: library/ssl.rst:866 msgid "" "Use the server's cipher ordering preference, rather than the client's. This " "option has no effect on client sockets and SSLv2 server sockets." msgstr "" #: library/ssl.rst:873 msgid "" "Prevents re-use of the same DH key for distinct SSL sessions. This improves " "forward secrecy but requires more computational resources. This option only " "applies to server sockets." msgstr "" #: library/ssl.rst:881 msgid "" "Prevents re-use of the same ECDH key for distinct SSL sessions. This " "improves forward secrecy but requires more computational resources. This " "option only applies to server sockets." msgstr "" #: library/ssl.rst:889 msgid "" "Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make a " "TLS 1.3 connection look more like a TLS 1.2 connection." msgstr "" #: library/ssl.rst:892 msgid "This option is only available with OpenSSL 1.1.1 and later." msgstr "" #: library/ssl.rst:898 msgid "" "Disable compression on the SSL channel. This is useful if the application " "protocol supports its own compression scheme." msgstr "" #: library/ssl.rst:905 msgid ":class:`enum.IntFlag` collection of OP_* constants." msgstr "" #: library/ssl.rst:909 msgid "Prevent client side from requesting a session ticket." msgstr "" #: library/ssl.rst:915 msgid "Ignore unexpected shutdown of TLS connections." msgstr "" #: library/ssl.rst:917 msgid "This option is only available with OpenSSL 3.0.0 and later." msgstr "" #: library/ssl.rst:923 msgid "" "Whether the OpenSSL library has built-in support for the *Application-Layer " "Protocol Negotiation* TLS extension as described in :rfc:`7301`." msgstr "" #: library/ssl.rst:930 msgid "" "Whether the OpenSSL library has built-in support not checking subject common " "name and :attr:`SSLContext.hostname_checks_common_name` is writeable." msgstr "" #: library/ssl.rst:938 msgid "" "Whether the OpenSSL library has built-in support for the Elliptic Curve-" "based Diffie-Hellman key exchange. This should be true unless the feature " "was explicitly disabled by the distributor." msgstr "" #: library/ssl.rst:946 msgid "" "Whether the OpenSSL library has built-in support for the *Server Name " "Indication* extension (as defined in :rfc:`6066`)." msgstr "" #: library/ssl.rst:953 msgid "" "Whether the OpenSSL library has built-in support for the *Next Protocol " "Negotiation* as described in the `Application Layer Protocol Negotiation " "`_. " "When true, you can use the :meth:`SSLContext.set_npn_protocols` method to " "advertise which protocols you want to support." msgstr "" #: library/ssl.rst:963 msgid "" "Whether the OpenSSL library has built-in support for the SSL 2.0 protocol." msgstr "" #: library/ssl.rst:969 msgid "" "Whether the OpenSSL library has built-in support for the SSL 3.0 protocol." msgstr "" #: library/ssl.rst:975 msgid "" "Whether the OpenSSL library has built-in support for the TLS 1.0 protocol." msgstr "" #: library/ssl.rst:981 msgid "" "Whether the OpenSSL library has built-in support for the TLS 1.1 protocol." msgstr "" #: library/ssl.rst:987 msgid "" "Whether the OpenSSL library has built-in support for the TLS 1.2 protocol." msgstr "" #: library/ssl.rst:993 msgid "" "Whether the OpenSSL library has built-in support for the TLS 1.3 protocol." msgstr "" #: library/ssl.rst:999 msgid "" "List of supported TLS channel binding types. Strings in this list can be " "used as arguments to :meth:`SSLSocket.get_channel_binding`." msgstr "" #: library/ssl.rst:1006 msgid "The version string of the OpenSSL library loaded by the interpreter::" msgstr "" #: library/ssl.rst:1015 msgid "" "A tuple of five integers representing version information about the OpenSSL " "library::" msgstr "" #: library/ssl.rst:1025 msgid "The raw version number of the OpenSSL library, as a single integer::" msgstr "" #: library/ssl.rst:1038 msgid "" "Alert Descriptions from :rfc:`5246` and others. The `IANA TLS Alert Registry " "`_ contains this list and references to the RFCs where their " "meaning is defined." msgstr "" #: library/ssl.rst:1042 msgid "" "Used as the return value of the callback function in :meth:`SSLContext." "set_servername_callback`." msgstr "" #: library/ssl.rst:1049 msgid ":class:`enum.IntEnum` collection of ALERT_DESCRIPTION_* constants." msgstr "" #: library/ssl.rst:1055 msgid "" "Option for :func:`create_default_context` and :meth:`SSLContext." "load_default_certs`. This value indicates that the context may be used to " "authenticate web servers (therefore, it will be used to create client-side " "sockets)." msgstr "" #: library/ssl.rst:1064 msgid "" "Option for :func:`create_default_context` and :meth:`SSLContext." "load_default_certs`. This value indicates that the context may be used to " "authenticate web clients (therefore, it will be used to create server-side " "sockets)." msgstr "" #: library/ssl.rst:1073 msgid ":class:`enum.IntEnum` collection of SSL_ERROR_* constants." msgstr "" #: library/ssl.rst:1079 msgid "" ":class:`enum.IntEnum` collection of SSL and TLS versions for :attr:" "`SSLContext.maximum_version` and :attr:`SSLContext.minimum_version`." msgstr "" #: library/ssl.rst:1087 msgid "" "The minimum or maximum supported SSL or TLS version. These are magic " "constants. Their values don't reflect the lowest and highest available TLS/" "SSL versions." msgstr "" #: library/ssl.rst:1097 msgid "SSL 3.0 to TLS 1.3." msgstr "" #: library/ssl.rst:1101 msgid "" "All :class:`TLSVersion` members except :attr:`TLSVersion.TLSv1_2` and :attr:" "`TLSVersion.TLSv1_3` are deprecated." msgstr "" #: library/ssl.rst:1106 msgid "SSL Sockets" msgstr "" #: library/ssl.rst:1110 msgid "SSL sockets provide the following methods of :ref:`socket-objects`:" msgstr "" #: library/ssl.rst:1112 msgid ":meth:`~socket.socket.accept()`" msgstr ":meth:`~socket.socket.accept()`" #: library/ssl.rst:1113 msgid ":meth:`~socket.socket.bind()`" msgstr ":meth:`~socket.socket.bind()`" #: library/ssl.rst:1114 msgid ":meth:`~socket.socket.close()`" msgstr ":meth:`~socket.socket.close()`" #: library/ssl.rst:1115 msgid ":meth:`~socket.socket.connect()`" msgstr ":meth:`~socket.socket.connect()`" #: library/ssl.rst:1116 msgid ":meth:`~socket.socket.detach()`" msgstr ":meth:`~socket.socket.detach()`" #: library/ssl.rst:1117 msgid ":meth:`~socket.socket.fileno()`" msgstr ":meth:`~socket.socket.fileno()`" #: library/ssl.rst:1118 msgid "" ":meth:`~socket.socket.getpeername()`, :meth:`~socket.socket.getsockname()`" msgstr "" #: library/ssl.rst:1119 msgid "" ":meth:`~socket.socket.getsockopt()`, :meth:`~socket.socket.setsockopt()`" msgstr "" #: library/ssl.rst:1120 msgid "" ":meth:`~socket.socket.gettimeout()`, :meth:`~socket.socket.settimeout()`, :" "meth:`~socket.socket.setblocking()`" msgstr "" #: library/ssl.rst:1122 msgid ":meth:`~socket.socket.listen()`" msgstr ":meth:`~socket.socket.listen()`" #: library/ssl.rst:1123 msgid ":meth:`~socket.socket.makefile()`" msgstr ":meth:`~socket.socket.makefile()`" #: library/ssl.rst:1124 msgid "" ":meth:`~socket.socket.recv()`, :meth:`~socket.socket.recv_into()` (but " "passing a non-zero ``flags`` argument is not allowed)" msgstr "" #: library/ssl.rst:1126 msgid "" ":meth:`~socket.socket.send()`, :meth:`~socket.socket.sendall()` (with the " "same limitation)" msgstr "" #: library/ssl.rst:1128 msgid "" ":meth:`~socket.socket.sendfile()` (but :mod:`os.sendfile` will be used for " "plain-text sockets only, else :meth:`~socket.socket.send()` will be used)" msgstr "" #: library/ssl.rst:1130 msgid ":meth:`~socket.socket.shutdown()`" msgstr ":meth:`~socket.socket.shutdown()`" #: library/ssl.rst:1132 msgid "" "However, since the SSL (and TLS) protocol has its own framing atop of TCP, " "the SSL sockets abstraction can, in certain respects, diverge from the " "specification of normal, OS-level sockets. See especially the :ref:`notes " "on non-blocking sockets `." msgstr "" #: library/ssl.rst:1137 msgid "" "Instances of :class:`SSLSocket` must be created using the :meth:`SSLContext." "wrap_socket` method." msgstr "" #: library/ssl.rst:1140 msgid "The :meth:`sendfile` method was added." msgstr "" #: library/ssl.rst:1143 msgid "" "The :meth:`shutdown` does not reset the socket timeout each time bytes are " "received or sent. The socket timeout is now the maximum total duration of " "the shutdown." msgstr "" #: library/ssl.rst:1148 msgid "" "It is deprecated to create a :class:`SSLSocket` instance directly, use :meth:" "`SSLContext.wrap_socket` to wrap a socket." msgstr "" #: library/ssl.rst:1152 msgid "" ":class:`SSLSocket` instances must to created with :meth:`~SSLContext." "wrap_socket`. In earlier versions, it was possible to create instances " "directly. This was never documented or officially supported." msgstr "" #: library/ssl.rst:1158 msgid "" "Python now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The " "functions support reading and writing of data larger than 2 GB. Writing zero-" "length data no longer fails with a protocol violation error." msgstr "" #: library/ssl.rst:1163 msgid "SSL sockets also have the following additional methods and attributes:" msgstr "" #: library/ssl.rst:1167 msgid "" "Read up to *len* bytes of data from the SSL socket and return the result as " "a ``bytes`` instance. If *buffer* is specified, then read into the buffer " "instead, and return the number of bytes read." msgstr "" #: library/ssl.rst:1171 msgid "" "Raise :exc:`SSLWantReadError` or :exc:`SSLWantWriteError` if the socket is :" "ref:`non-blocking ` and the read would block." msgstr "" #: library/ssl.rst:1174 msgid "" "As at any time a re-negotiation is possible, a call to :meth:`read` can also " "cause write operations." msgstr "" #: library/ssl.rst:1177 msgid "" "The socket timeout is no longer reset each time bytes are received or sent. " "The socket timeout is now the maximum total duration to read up to *len* " "bytes." msgstr "" #: library/ssl.rst:1182 msgid "Use :meth:`~SSLSocket.recv` instead of :meth:`~SSLSocket.read`." msgstr "" #: library/ssl.rst:1187 msgid "" "Write *buf* to the SSL socket and return the number of bytes written. The " "*buf* argument must be an object supporting the buffer interface." msgstr "" #: library/ssl.rst:1190 msgid "" "Raise :exc:`SSLWantReadError` or :exc:`SSLWantWriteError` if the socket is :" "ref:`non-blocking ` and the write would block." msgstr "" #: library/ssl.rst:1193 msgid "" "As at any time a re-negotiation is possible, a call to :meth:`write` can " "also cause read operations." msgstr "" #: library/ssl.rst:1196 msgid "" "The socket timeout is no longer reset each time bytes are received or sent. " "The socket timeout is now the maximum total duration to write *buf*." msgstr "" #: library/ssl.rst:1200 msgid "Use :meth:`~SSLSocket.send` instead of :meth:`~SSLSocket.write`." msgstr "" #: library/ssl.rst:1205 msgid "" "The :meth:`~SSLSocket.read` and :meth:`~SSLSocket.write` methods are the low-" "level methods that read and write unencrypted, application-level data and " "decrypt/encrypt it to encrypted, wire-level data. These methods require an " "active SSL connection, i.e. the handshake was completed and :meth:`SSLSocket." "unwrap` was not called." msgstr "" #: library/ssl.rst:1211 msgid "" "Normally you should use the socket API methods like :meth:`~socket.socket." "recv` and :meth:`~socket.socket.send` instead of these methods." msgstr "" #: library/ssl.rst:1217 msgid "Perform the SSL setup handshake." msgstr "" #: library/ssl.rst:1219 msgid "" "The handshake method also performs :func:`match_hostname` when the :attr:" "`~SSLContext.check_hostname` attribute of the socket's :attr:`~SSLSocket." "context` is true." msgstr "" #: library/ssl.rst:1224 msgid "" "The socket timeout is no longer reset each time bytes are received or sent. " "The socket timeout is now the maximum total duration of the handshake." msgstr "" #: library/ssl.rst:1228 msgid "" "Hostname or IP address is matched by OpenSSL during handshake. The function :" "func:`match_hostname` is no longer used. In case OpenSSL refuses a hostname " "or IP address, the handshake is aborted early and a TLS alert message is " "sent to the peer." msgstr "" #: library/ssl.rst:1236 msgid "" "If there is no certificate for the peer on the other end of the connection, " "return ``None``. If the SSL handshake hasn't been done yet, raise :exc:" "`ValueError`." msgstr "" #: library/ssl.rst:1240 msgid "" "If the ``binary_form`` parameter is :const:`False`, and a certificate was " "received from the peer, this method returns a :class:`dict` instance. If " "the certificate was not validated, the dict is empty. If the certificate " "was validated, it returns a dict with several keys, amongst them ``subject`` " "(the principal for which the certificate was issued) and ``issuer`` (the " "principal issuing the certificate). If a certificate contains an instance " "of the *Subject Alternative Name* extension (see :rfc:`3280`), there will " "also be a ``subjectAltName`` key in the dictionary." msgstr "" #: library/ssl.rst:1249 msgid "" "The ``subject`` and ``issuer`` fields are tuples containing the sequence of " "relative distinguished names (RDNs) given in the certificate's data " "structure for the respective fields, and each RDN is a sequence of name-" "value pairs. Here is a real-world example::" msgstr "" #: library/ssl.rst:1275 msgid "" "To validate a certificate for a particular service, you can use the :func:" "`match_hostname` function." msgstr "" #: library/ssl.rst:1278 msgid "" "If the ``binary_form`` parameter is :const:`True`, and a certificate was " "provided, this method returns the DER-encoded form of the entire certificate " "as a sequence of bytes, or :const:`None` if the peer did not provide a " "certificate. Whether the peer provides a certificate depends on the SSL " "socket's role:" msgstr "" #: library/ssl.rst:1284 msgid "" "for a client SSL socket, the server will always provide a certificate, " "regardless of whether validation was required;" msgstr "" #: library/ssl.rst:1287 msgid "" "for a server SSL socket, the client will only provide a certificate when " "requested by the server; therefore :meth:`getpeercert` will return :const:" "`None` if you used :const:`CERT_NONE` (rather than :const:`CERT_OPTIONAL` " "or :const:`CERT_REQUIRED`)." msgstr "" #: library/ssl.rst:1292 msgid "" "The returned dictionary includes additional items such as ``issuer`` and " "``notBefore``." msgstr "" #: library/ssl.rst:1296 msgid "" ":exc:`ValueError` is raised when the handshake isn't done. The returned " "dictionary includes additional X509v3 extension items such as " "``crlDistributionPoints``, ``caIssuers`` and ``OCSP`` URIs." msgstr "" #: library/ssl.rst:1301 msgid "IPv6 address strings no longer have a trailing new line." msgstr "" #: library/ssl.rst:1306 msgid "" "Returns a three-value tuple containing the name of the cipher being used, " "the version of the SSL protocol that defines its use, and the number of " "secret bits being used. If no connection has been established, returns " "``None``." msgstr "" #: library/ssl.rst:1312 msgid "" "Return the list of ciphers available in both the client and server. Each " "entry of the returned list is a three-value tuple containing the name of the " "cipher, the version of the SSL protocol that defines its use, and the number " "of secret bits the cipher uses. :meth:`~SSLSocket.shared_ciphers` returns " "``None`` if no connection has been established or the socket is a client " "socket." msgstr "" #: library/ssl.rst:1323 msgid "" "Return the compression algorithm being used as a string, or ``None`` if the " "connection isn't compressed." msgstr "" #: library/ssl.rst:1326 msgid "" "If the higher-level protocol supports its own compression mechanism, you can " "use :data:`OP_NO_COMPRESSION` to disable SSL-level compression." msgstr "" #: library/ssl.rst:1333 msgid "" "Get channel binding data for current connection, as a bytes object. Returns " "``None`` if not connected or the handshake has not been completed." msgstr "" #: library/ssl.rst:1336 msgid "" "The *cb_type* parameter allow selection of the desired channel binding type. " "Valid channel binding types are listed in the :data:`CHANNEL_BINDING_TYPES` " "list. Currently only the 'tls-unique' channel binding, defined by :rfc:" "`5929`, is supported. :exc:`ValueError` will be raised if an unsupported " "channel binding type is requested." msgstr "" #: library/ssl.rst:1346 msgid "" "Return the protocol that was selected during the TLS handshake. If :meth:" "`SSLContext.set_alpn_protocols` was not called, if the other party does not " "support ALPN, if this socket does not support any of the client's proposed " "protocols, or if the handshake has not happened yet, ``None`` is returned." msgstr "" #: library/ssl.rst:1356 msgid "" "Return the higher-level protocol that was selected during the TLS/SSL " "handshake. If :meth:`SSLContext.set_npn_protocols` was not called, or if the " "other party does not support NPN, or if the handshake has not yet happened, " "this will return ``None``." msgstr "" #: library/ssl.rst:1725 msgid "NPN has been superseded by ALPN" msgstr "" #: library/ssl.rst:1369 msgid "" "Performs the SSL shutdown handshake, which removes the TLS layer from the " "underlying socket, and returns the underlying socket object. This can be " "used to go from encrypted operation over a connection to unencrypted. The " "returned socket should always be used for further communication with the " "other side of the connection, rather than the original socket." msgstr "" #: library/ssl.rst:1377 msgid "" "Requests post-handshake authentication (PHA) from a TLS 1.3 client. PHA can " "only be initiated for a TLS 1.3 connection from a server-side socket, after " "the initial TLS handshake and with PHA enabled on both sides, see :attr:" "`SSLContext.post_handshake_auth`." msgstr "" #: library/ssl.rst:1382 msgid "" "The method does not perform a cert exchange immediately. The server-side " "sends a CertificateRequest during the next write event and expects the " "client to respond with a certificate on the next read event." msgstr "" #: library/ssl.rst:1386 msgid "" "If any precondition isn't met (e.g. not TLS 1.3, PHA not enabled), an :exc:" "`SSLError` is raised." msgstr "" #: library/ssl.rst:1390 msgid "" "Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3 " "support, the method raises :exc:`NotImplementedError`." msgstr "" #: library/ssl.rst:1397 msgid "" "Return the actual SSL protocol version negotiated by the connection as a " "string, or ``None`` if no secure connection is established. As of this " "writing, possible return values include ``\"SSLv2\"``, ``\"SSLv3\"``, " "``\"TLSv1\"``, ``\"TLSv1.1\"`` and ``\"TLSv1.2\"``. Recent OpenSSL versions " "may define more return values." msgstr "" #: library/ssl.rst:1407 msgid "" "Returns the number of already decrypted bytes available for read, pending on " "the connection." msgstr "" #: library/ssl.rst:1412 msgid "" "The :class:`SSLContext` object this SSL socket is tied to. If the SSL " "socket was created using the deprecated :func:`wrap_socket` function (rather " "than :meth:`SSLContext.wrap_socket`), this is a custom context object " "created for this SSL socket." msgstr "" #: library/ssl.rst:1421 msgid "" "A boolean which is ``True`` for server-side sockets and ``False`` for client-" "side sockets." msgstr "" #: library/ssl.rst:1428 msgid "" "Hostname of the server: :class:`str` type, or ``None`` for server-side " "socket or if the hostname was not specified in the constructor." msgstr "" #: library/ssl.rst:1433 msgid "" "The attribute is now always ASCII text. When ``server_hostname`` is an " "internationalized domain name (IDN), this attribute now stores the A-label " "form (``\"xn--pythn-mua.org\"``), rather than the U-label form (``\"pythön." "org\"``)." msgstr "" #: library/ssl.rst:1441 msgid "" "The :class:`SSLSession` for this SSL connection. The session is available " "for client and server side sockets after the TLS handshake has been " "performed. For client sockets the session can be set before :meth:" "`~SSLSocket.do_handshake` has been called to reuse a session." msgstr "" #: library/ssl.rst:1454 msgid "SSL Contexts" msgstr "" #: library/ssl.rst:1458 msgid "" "An SSL context holds various data longer-lived than single SSL connections, " "such as SSL configuration options, certificate(s) and private key(s). It " "also manages a cache of SSL sessions for server-side sockets, in order to " "speed up repeated connections from the same clients." msgstr "" #: library/ssl.rst:1465 msgid "" "Create a new SSL context. You may pass *protocol* which must be one of the " "``PROTOCOL_*`` constants defined in this module. The parameter specifies " "which version of the SSL protocol to use. Typically, the server chooses a " "particular protocol version, and the client must adapt to the server's " "choice. Most of the versions are not interoperable with the other " "versions. If not specified, the default is :data:`PROTOCOL_TLS`; it " "provides the most compatibility with other versions." msgstr "" #: library/ssl.rst:1474 msgid "" "Here's a table showing which versions in a client (down the side) can " "connect to which versions in a server (along the top):" msgstr "" #: library/ssl.rst:1480 msgid "*client* / **server**" msgstr "" #: library/ssl.rst:1480 msgid "**SSLv2**" msgstr "**SSLv2**" #: library/ssl.rst:1480 msgid "**SSLv3**" msgstr "**SSLv3**" #: library/ssl.rst:1480 msgid "**TLS** [3]_" msgstr "**TLS** [3]_" #: library/ssl.rst:1480 msgid "**TLSv1**" msgstr "**TLSv1**" #: library/ssl.rst:1480 msgid "**TLSv1.1**" msgstr "**TLSv1.1**" #: library/ssl.rst:1480 msgid "**TLSv1.2**" msgstr "**TLSv1.2**" #: library/ssl.rst:1482 msgid "*SSLv2*" msgstr "*SSLv2*" #: library/ssl.rst:1483 library/ssl.rst:1485 library/ssl.rst:1487 msgid "yes" msgstr "oui" #: library/ssl.rst:1483 library/ssl.rst:1486 library/ssl.rst:1487 msgid "no" msgstr "non" #: library/ssl.rst:1484 msgid "no [1]_" msgstr "" #: library/ssl.rst:1483 msgid "*SSLv3*" msgstr "*SSLv3*" #: library/ssl.rst:1484 msgid "no [2]_" msgstr "" #: library/ssl.rst:1484 msgid "*TLS* (*SSLv23*) [3]_" msgstr "" #: library/ssl.rst:1485 msgid "*TLSv1*" msgstr "*TLSv1*" #: library/ssl.rst:1486 msgid "*TLSv1.1*" msgstr "*TLSv1.1*" #: library/ssl.rst:1487 msgid "*TLSv1.2*" msgstr "*TLSv1.2*" #: library/ssl.rst:1490 msgid "Footnotes" msgstr "Notes" #: library/ssl.rst:1491 msgid ":class:`SSLContext` disables SSLv2 with :data:`OP_NO_SSLv2` by default." msgstr "" #: library/ssl.rst:1492 msgid ":class:`SSLContext` disables SSLv3 with :data:`OP_NO_SSLv3` by default." msgstr "" #: library/ssl.rst:1493 msgid "" "TLS 1.3 protocol will be available with :data:`PROTOCOL_TLS` in OpenSSL >= " "1.1.1. There is no dedicated PROTOCOL constant for just TLS 1.3." msgstr "" #: library/ssl.rst:1498 msgid "" ":func:`create_default_context` lets the :mod:`ssl` module choose security " "settings for a given purpose." msgstr "" #: library/ssl.rst:1503 msgid "" "The context is created with secure default values. The options :data:" "`OP_NO_COMPRESSION`, :data:`OP_CIPHER_SERVER_PREFERENCE`, :data:" "`OP_SINGLE_DH_USE`, :data:`OP_SINGLE_ECDH_USE`, :data:`OP_NO_SSLv2` (except " "for :data:`PROTOCOL_SSLv2`), and :data:`OP_NO_SSLv3` (except for :data:" "`PROTOCOL_SSLv3`) are set by default. The initial cipher suite list contains " "only ``HIGH`` ciphers, no ``NULL`` ciphers and no ``MD5`` ciphers (except " "for :data:`PROTOCOL_SSLv2`)." msgstr "" #: library/ssl.rst:1514 msgid "" ":class:`SSLContext` without protocol argument is deprecated. The context " "class will either require :data:`PROTOCOL_TLS_CLIENT` or :data:" "`PROTOCOL_TLS_SERVER` protocol in the future." msgstr "" #: library/ssl.rst:1520 msgid "" "The default cipher suites now include only secure AES and ChaCha20 ciphers " "with forward secrecy and security level 2. RSA and DH keys with less than " "2048 bits and ECC keys with less than 224 bits are prohibited. :data:" "`PROTOCOL_TLS`, :data:`PROTOCOL_TLS_CLIENT`, and :data:`PROTOCOL_TLS_SERVER` " "use TLS 1.2 as minimum TLS version." msgstr "" #: library/ssl.rst:1527 msgid ":class:`SSLContext` objects have the following methods and attributes:" msgstr "" #: library/ssl.rst:1531 msgid "" "Get statistics about quantities of loaded X.509 certificates, count of X.509 " "certificates flagged as CA certificates and certificate revocation lists as " "dictionary." msgstr "" #: library/ssl.rst:1535 msgid "Example for a context with one CA cert and one other cert::" msgstr "" #: library/ssl.rst:1545 msgid "" "Load a private key and the corresponding certificate. The *certfile* string " "must be the path to a single file in PEM format containing the certificate " "as well as any number of CA certificates needed to establish the " "certificate's authenticity. The *keyfile* string, if present, must point to " "a file containing the private key. Otherwise the private key will be taken " "from *certfile* as well. See the discussion of :ref:`ssl-certificates` for " "more information on how the certificate is stored in the *certfile*." msgstr "" #: library/ssl.rst:1554 msgid "" "The *password* argument may be a function to call to get the password for " "decrypting the private key. It will only be called if the private key is " "encrypted and a password is necessary. It will be called with no arguments, " "and it should return a string, bytes, or bytearray. If the return value is " "a string it will be encoded as UTF-8 before using it to decrypt the key. " "Alternatively a string, bytes, or bytearray value may be supplied directly " "as the *password* argument. It will be ignored if the private key is not " "encrypted and no password is needed." msgstr "" #: library/ssl.rst:1563 msgid "" "If the *password* argument is not specified and a password is required, " "OpenSSL's built-in password prompting mechanism will be used to " "interactively prompt the user for a password." msgstr "" #: library/ssl.rst:1567 msgid "" "An :class:`SSLError` is raised if the private key doesn't match with the " "certificate." msgstr "" #: library/ssl.rst:1570 msgid "New optional argument *password*." msgstr "" #: library/ssl.rst:1575 msgid "" "Load a set of default \"certification authority\" (CA) certificates from " "default locations. On Windows it loads CA certs from the ``CA`` and ``ROOT`` " "system stores. On all systems it calls :meth:`SSLContext." "set_default_verify_paths`. In the future the method may load CA certificates " "from other locations, too." msgstr "" #: library/ssl.rst:1581 msgid "" "The *purpose* flag specifies what kind of CA certificates are loaded. The " "default settings :data:`Purpose.SERVER_AUTH` loads certificates, that are " "flagged and trusted for TLS web server authentication (client side " "sockets). :data:`Purpose.CLIENT_AUTH` loads CA certificates for client " "certificate verification on the server side." msgstr "" #: library/ssl.rst:1591 msgid "" "Load a set of \"certification authority\" (CA) certificates used to validate " "other peers' certificates when :data:`verify_mode` is other than :data:" "`CERT_NONE`. At least one of *cafile* or *capath* must be specified." msgstr "" #: library/ssl.rst:1595 msgid "" "This method can also load certification revocation lists (CRLs) in PEM or " "DER format. In order to make use of CRLs, :attr:`SSLContext.verify_flags` " "must be configured properly." msgstr "" #: library/ssl.rst:1599 msgid "" "The *cafile* string, if present, is the path to a file of concatenated CA " "certificates in PEM format. See the discussion of :ref:`ssl-certificates` " "for more information about how to arrange the certificates in this file." msgstr "" #: library/ssl.rst:1604 msgid "" "The *capath* string, if present, is the path to a directory containing " "several CA certificates in PEM format, following an `OpenSSL specific layout " "`_." msgstr "" #: library/ssl.rst:1609 msgid "" "The *cadata* object, if present, is either an ASCII string of one or more " "PEM-encoded certificates or a :term:`bytes-like object` of DER-encoded " "certificates. Like with *capath* extra lines around PEM-encoded certificates " "are ignored but at least one certificate must be present." msgstr "" #: library/ssl.rst:1614 msgid "New optional argument *cadata*" msgstr "" #: library/ssl.rst:1619 msgid "" "Get a list of loaded \"certification authority\" (CA) certificates. If the " "``binary_form`` parameter is :const:`False` each list entry is a dict like " "the output of :meth:`SSLSocket.getpeercert`. Otherwise the method returns a " "list of DER-encoded certificates. The returned list does not contain " "certificates from *capath* unless a certificate was requested and loaded by " "a SSL connection." msgstr "" #: library/ssl.rst:1627 msgid "" "Certificates in a capath directory aren't loaded unless they have been used " "at least once." msgstr "" #: library/ssl.rst:1634 msgid "" "Get a list of enabled ciphers. The list is in order of cipher priority. See :" "meth:`SSLContext.set_ciphers`." msgstr "" #: library/ssl.rst:1671 msgid "" "Load a set of default \"certification authority\" (CA) certificates from a " "filesystem path defined when building the OpenSSL library. Unfortunately, " "there's no easy way to know whether this method succeeds: no error is " "returned if no certificates are to be found. When the OpenSSL library is " "provided as part of the operating system, though, it is likely to be " "configured properly." msgstr "" #: library/ssl.rst:1680 msgid "" "Set the available ciphers for sockets created with this context. It should " "be a string in the `OpenSSL cipher list format `_. If no cipher can be selected (because " "compile-time options or other configuration forbids use of all the specified " "ciphers), an :class:`SSLError` will be raised." msgstr "" #: library/ssl.rst:1688 msgid "" "when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will give " "the currently selected cipher." msgstr "" #: library/ssl.rst:1691 msgid "" "TLS 1.3 cipher suites cannot be disabled with :meth:`~SSLContext." "set_ciphers`." msgstr "" #: library/ssl.rst:1696 msgid "" "Specify which protocols the socket should advertise during the SSL/TLS " "handshake. It should be a list of ASCII strings, like ``['http/1.1', " "'spdy/2']``, ordered by preference. The selection of a protocol will happen " "during the handshake, and will play out according to :rfc:`7301`. After a " "successful handshake, the :meth:`SSLSocket.selected_alpn_protocol` method " "will return the agreed-upon protocol." msgstr "" #: library/ssl.rst:1703 msgid "" "This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is " "``False``." msgstr "" #: library/ssl.rst:1710 msgid "" "Specify which protocols the socket should advertise during the SSL/TLS " "handshake. It should be a list of strings, like ``['http/1.1', 'spdy/2']``, " "ordered by preference. The selection of a protocol will happen during the " "handshake, and will play out according to the `Application Layer Protocol " "Negotiation `_. After a successful handshake, the :meth:" "`SSLSocket.selected_npn_protocol` method will return the agreed-upon " "protocol." msgstr "" #: library/ssl.rst:1718 msgid "" "This method will raise :exc:`NotImplementedError` if :data:`HAS_NPN` is " "``False``." msgstr "" #: library/ssl.rst:1729 msgid "" "Register a callback function that will be called after the TLS Client Hello " "handshake message has been received by the SSL/TLS server when the TLS " "client specifies a server name indication. The server name indication " "mechanism is specified in :rfc:`6066` section 3 - Server Name Indication." msgstr "" #: library/ssl.rst:1734 msgid "" "Only one callback can be set per ``SSLContext``. If *sni_callback* is set " "to ``None`` then the callback is disabled. Calling this function a " "subsequent time will disable the previously registered callback." msgstr "" #: library/ssl.rst:1738 msgid "" "The callback function will be called with three arguments; the first being " "the :class:`ssl.SSLSocket`, the second is a string that represents the " "server name that the client is intending to communicate (or :const:`None` if " "the TLS Client Hello does not contain a server name) and the third argument " "is the original :class:`SSLContext`. The server name argument is text. For " "internationalized domain name, the server name is an IDN A-label (``\"xn--" "pythn-mua.org\"``)." msgstr "" #: library/ssl.rst:1746 msgid "" "A typical use of this callback is to change the :class:`ssl.SSLSocket`'s :" "attr:`SSLSocket.context` attribute to a new object of type :class:" "`SSLContext` representing a certificate chain that matches the server name." msgstr "" #: library/ssl.rst:1751 msgid "" "Due to the early negotiation phase of the TLS connection, only limited " "methods and attributes are usable like :meth:`SSLSocket." "selected_alpn_protocol` and :attr:`SSLSocket.context`. The :meth:`SSLSocket." "getpeercert`, :meth:`SSLSocket.cipher` and :meth:`SSLSocket.compression` " "methods require that the TLS connection has progressed beyond the TLS Client " "Hello and therefore will not return meaningful values nor can they be called " "safely." msgstr "" #: library/ssl.rst:1759 msgid "" "The *sni_callback* function must return ``None`` to allow the TLS " "negotiation to continue. If a TLS failure is required, a constant :const:" "`ALERT_DESCRIPTION_* ` can be returned. " "Other return values will result in a TLS fatal error with :const:" "`ALERT_DESCRIPTION_INTERNAL_ERROR`." msgstr "" #: library/ssl.rst:1765 msgid "" "If an exception is raised from the *sni_callback* function the TLS " "connection will terminate with a fatal TLS alert message :const:" "`ALERT_DESCRIPTION_HANDSHAKE_FAILURE`." msgstr "" #: library/ssl.rst:1769 msgid "" "This method will raise :exc:`NotImplementedError` if the OpenSSL library had " "OPENSSL_NO_TLSEXT defined when it was built." msgstr "" #: library/ssl.rst:1776 msgid "" "This is a legacy API retained for backwards compatibility. When possible, " "you should use :attr:`sni_callback` instead. The given " "*server_name_callback* is similar to *sni_callback*, except that when the " "server hostname is an IDN-encoded internationalized domain name, the " "*server_name_callback* receives a decoded U-label (``\"pythön.org\"``)." msgstr "" #: library/ssl.rst:1782 msgid "" "If there is an decoding error on the server name, the TLS connection will " "terminate with an :const:`ALERT_DESCRIPTION_INTERNAL_ERROR` fatal TLS alert " "message to the client." msgstr "" #: library/ssl.rst:1790 msgid "" "Load the key generation parameters for Diffie-Hellman (DH) key exchange. " "Using DH key exchange improves forward secrecy at the expense of " "computational resources (both on the server and on the client). The *dhfile* " "parameter should be the path to a file containing DH parameters in PEM " "format." msgstr "" #: library/ssl.rst:1796 msgid "" "This setting doesn't apply to client sockets. You can also use the :data:" "`OP_SINGLE_DH_USE` option to further improve security." msgstr "" #: library/ssl.rst:1803 msgid "" "Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key " "exchange. ECDH is significantly faster than regular DH while arguably as " "secure. The *curve_name* parameter should be a string describing a well-" "known elliptic curve, for example ``prime256v1`` for a widely supported " "curve." msgstr "" #: library/ssl.rst:1809 msgid "" "This setting doesn't apply to client sockets. You can also use the :data:" "`OP_SINGLE_ECDH_USE` option to further improve security." msgstr "" #: library/ssl.rst:1812 msgid "This method is not available if :data:`HAS_ECDH` is ``False``." msgstr "" #: library/ssl.rst:1817 msgid "" "`SSL/TLS & Perfect Forward Secrecy `_" msgstr "" #: library/ssl.rst:1818 msgid "Vincent Bernat." msgstr "" #: library/ssl.rst:1824 msgid "" "Wrap an existing Python socket *sock* and return an instance of :attr:" "`SSLContext.sslsocket_class` (default :class:`SSLSocket`). The returned SSL " "socket is tied to the context, its settings and certificates. *sock* must be " "a :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported." msgstr "" #: library/ssl.rst:1830 msgid "" "The parameter ``server_side`` is a boolean which identifies whether server-" "side or client-side behavior is desired from this socket." msgstr "" #: library/ssl.rst:1833 msgid "" "For client-side sockets, the context construction is lazy; if the underlying " "socket isn't connected yet, the context construction will be performed " "after :meth:`connect` is called on the socket. For server-side sockets, if " "the socket has no remote peer, it is assumed to be a listening socket, and " "the server-side SSL wrapping is automatically performed on client " "connections accepted via the :meth:`accept` method. The method may raise :" "exc:`SSLError`." msgstr "" #: library/ssl.rst:1841 msgid "" "On client connections, the optional parameter *server_hostname* specifies " "the hostname of the service which we are connecting to. This allows a " "single server to host multiple SSL-based services with distinct " "certificates, quite similarly to HTTP virtual hosts. Specifying " "*server_hostname* will raise a :exc:`ValueError` if *server_side* is true." msgstr "" #: library/ssl.rst:1847 msgid "" "The parameter ``do_handshake_on_connect`` specifies whether to do the SSL " "handshake automatically after doing a :meth:`socket.connect`, or whether the " "application program will call it explicitly, by invoking the :meth:" "`SSLSocket.do_handshake` method. Calling :meth:`SSLSocket.do_handshake` " "explicitly gives the program control over the blocking behavior of the " "socket I/O involved in the handshake." msgstr "" #: library/ssl.rst:1854 msgid "" "The parameter ``suppress_ragged_eofs`` specifies how the :meth:`SSLSocket." "recv` method should signal unexpected EOF from the other end of the " "connection. If specified as :const:`True` (the default), it returns a " "normal EOF (an empty bytes object) in response to unexpected EOF errors " "raised from the underlying socket; if :const:`False`, it will raise the " "exceptions back to the caller." msgstr "" #: library/ssl.rst:1861 msgid "*session*, see :attr:`~SSLSocket.session`." msgstr "" #: library/ssl.rst:1863 msgid "" "Always allow a server_hostname to be passed, even if OpenSSL does not have " "SNI." msgstr "" #: library/ssl.rst:1893 msgid "*session* argument was added." msgstr "" #: library/ssl.rst:1870 msgid "" "The method returns an instance of :attr:`SSLContext.sslsocket_class` instead " "of hard-coded :class:`SSLSocket`." msgstr "" #: library/ssl.rst:1876 msgid "" "The return type of :meth:`SSLContext.wrap_socket`, defaults to :class:" "`SSLSocket`. The attribute can be overridden on instance of class in order " "to return a custom subclass of :class:`SSLSocket`." msgstr "" #: library/ssl.rst:1885 msgid "" "Wrap the BIO objects *incoming* and *outgoing* and return an instance of :" "attr:`SSLContext.sslobject_class` (default :class:`SSLObject`). The SSL " "routines will read input data from the incoming BIO and write data to the " "outgoing BIO." msgstr "" #: library/ssl.rst:1890 msgid "" "The *server_side*, *server_hostname* and *session* parameters have the same " "meaning as in :meth:`SSLContext.wrap_socket`." msgstr "" #: library/ssl.rst:1896 msgid "" "The method returns an instance of :attr:`SSLContext.sslobject_class` instead " "of hard-coded :class:`SSLObject`." msgstr "" #: library/ssl.rst:1902 msgid "" "The return type of :meth:`SSLContext.wrap_bio`, defaults to :class:" "`SSLObject`. The attribute can be overridden on instance of class in order " "to return a custom subclass of :class:`SSLObject`." msgstr "" #: library/ssl.rst:1910 msgid "" "Get statistics about the SSL sessions created or managed by this context. A " "dictionary is returned which maps the names of each `piece of information " "`_ to " "their numeric values. For example, here is the total number of hits and " "misses in the session cache since the context was created::" msgstr "" #: library/ssl.rst:1921 msgid "" "Whether to match the peer cert's hostname in :meth:`SSLSocket.do_handshake`. " "The context's :attr:`~SSLContext.verify_mode` must be set to :data:" "`CERT_OPTIONAL` or :data:`CERT_REQUIRED`, and you must pass " "*server_hostname* to :meth:`~SSLContext.wrap_socket` in order to match the " "hostname. Enabling hostname checking automatically sets :attr:`~SSLContext." "verify_mode` from :data:`CERT_NONE` to :data:`CERT_REQUIRED`. It cannot be " "set back to :data:`CERT_NONE` as long as hostname checking is enabled. The :" "data:`PROTOCOL_TLS_CLIENT` protocol enables hostname checking by default. " "With other protocols, hostname checking must be enabled explicitly." msgstr "" #: library/ssl.rst:1949 msgid "" ":attr:`~SSLContext.verify_mode` is now automatically changed to :data:" "`CERT_REQUIRED` when hostname checking is enabled and :attr:`~SSLContext." "verify_mode` is :data:`CERT_NONE`. Previously the same operation would have " "failed with a :exc:`ValueError`." msgstr "" #: library/ssl.rst:1956 msgid "" "Write TLS keys to a keylog file, whenever key material is generated or " "received. The keylog file is designed for debugging purposes only. The file " "format is specified by NSS and used by many traffic analyzers such as " "Wireshark. The log file is opened in append-only mode. Writes are " "synchronized between threads, but not between processes." msgstr "" #: library/ssl.rst:1966 msgid "" "A :class:`TLSVersion` enum member representing the highest supported TLS " "version. The value defaults to :attr:`TLSVersion.MAXIMUM_SUPPORTED`. The " "attribute is read-only for protocols other than :attr:`PROTOCOL_TLS`, :attr:" "`PROTOCOL_TLS_CLIENT`, and :attr:`PROTOCOL_TLS_SERVER`." msgstr "" #: library/ssl.rst:1971 msgid "" "The attributes :attr:`~SSLContext.maximum_version`, :attr:`~SSLContext." "minimum_version` and :attr:`SSLContext.options` all affect the supported SSL " "and TLS versions of the context. The implementation does not prevent invalid " "combination. For example a context with :attr:`OP_NO_TLSv1_2` in :attr:" "`~SSLContext.options` and :attr:`~SSLContext.maximum_version` set to :attr:" "`TLSVersion.TLSv1_2` will not be able to establish a TLS 1.2 connection." msgstr "" #: library/ssl.rst:1984 msgid "" "Like :attr:`SSLContext.maximum_version` except it is the lowest supported " "version or :attr:`TLSVersion.MINIMUM_SUPPORTED`." msgstr "" #: library/ssl.rst:1991 msgid "" "Control the number of TLS 1.3 session tickets of a :attr:" "`PROTOCOL_TLS_SERVER` context. The setting has no impact on TLS 1.0 to 1.2 " "connections." msgstr "" #: library/ssl.rst:1999 msgid "" "An integer representing the set of SSL options enabled on this context. The " "default value is :data:`OP_ALL`, but you can specify other options such as :" "data:`OP_NO_SSLv2` by ORing them together." msgstr "" #: library/ssl.rst:2003 msgid ":attr:`SSLContext.options` returns :class:`Options` flags:" msgstr "" #: library/ssl.rst:2011 msgid "" "All ``OP_NO_SSL*`` and ``OP_NO_TLS*`` options have been deprecated since " "Python 3.7. Use :attr:`SSLContext.minimum_version` and :attr:`SSLContext." "maximum_version` instead." msgstr "" #: library/ssl.rst:2017 msgid "" "Enable TLS 1.3 post-handshake client authentication. Post-handshake auth is " "disabled by default and a server can only request a TLS client certificate " "during the initial handshake. When enabled, a server may request a TLS " "client certificate at any time after the handshake." msgstr "" #: library/ssl.rst:2022 msgid "" "When enabled on client-side sockets, the client signals the server that it " "supports post-handshake authentication." msgstr "" #: library/ssl.rst:2025 msgid "" "When enabled on server-side sockets, :attr:`SSLContext.verify_mode` must be " "set to :data:`CERT_OPTIONAL` or :data:`CERT_REQUIRED`, too. The actual " "client cert exchange is delayed until :meth:`SSLSocket." "verify_client_post_handshake` is called and some I/O is performed." msgstr "" #: library/ssl.rst:2035 msgid "" "The protocol version chosen when constructing the context. This attribute " "is read-only." msgstr "" #: library/ssl.rst:2040 msgid "" "Whether :attr:`~SSLContext.check_hostname` falls back to verify the cert's " "subject common name in the absence of a subject alternative name extension " "(default: true)." msgstr "" #: library/ssl.rst:2048 msgid "" "The flag had no effect with OpenSSL before version 1.1.1k. Python 3.8.9, " "3.9.3, and 3.10 include workarounds for previous versions." msgstr "" #: library/ssl.rst:2053 msgid "" "An integer representing the `security level `_ for the context. This " "attribute is read-only." msgstr "" #: library/ssl.rst:2061 msgid "" "The flags for certificate verification operations. You can set flags like :" "data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL does " "neither require nor verify certificate revocation lists (CRLs)." msgstr "" #: library/ssl.rst:2067 msgid ":attr:`SSLContext.verify_flags` returns :class:`VerifyFlags` flags:" msgstr "" #: library/ssl.rst:2075 msgid "" "Whether to try to verify other peers' certificates and how to behave if " "verification fails. This attribute must be one of :data:`CERT_NONE`, :data:" "`CERT_OPTIONAL` or :data:`CERT_REQUIRED`." msgstr "" #: library/ssl.rst:2079 msgid ":attr:`SSLContext.verify_mode` returns :class:`VerifyMode` enum:" msgstr "" #: library/ssl.rst:2092 msgid "Certificates" msgstr "" #: library/ssl.rst:2094 msgid "" "Certificates in general are part of a public-key / private-key system. In " "this system, each *principal*, (which may be a machine, or a person, or an " "organization) is assigned a unique two-part encryption key. One part of the " "key is public, and is called the *public key*; the other part is kept " "secret, and is called the *private key*. The two parts are related, in that " "if you encrypt a message with one of the parts, you can decrypt it with the " "other part, and **only** with the other part." msgstr "" #: library/ssl.rst:2102 msgid "" "A certificate contains information about two principals. It contains the " "name of a *subject*, and the subject's public key. It also contains a " "statement by a second principal, the *issuer*, that the subject is who they " "claim to be, and that this is indeed the subject's public key. The issuer's " "statement is signed with the issuer's private key, which only the issuer " "knows. However, anyone can verify the issuer's statement by finding the " "issuer's public key, decrypting the statement with it, and comparing it to " "the other information in the certificate. The certificate also contains " "information about the time period over which it is valid. This is expressed " "as two fields, called \"notBefore\" and \"notAfter\"." msgstr "" #: library/ssl.rst:2112 msgid "" "In the Python use of certificates, a client or server can use a certificate " "to prove who they are. The other side of a network connection can also be " "required to produce a certificate, and that certificate can be validated to " "the satisfaction of the client or server that requires such validation. The " "connection attempt can be set to raise an exception if the validation fails. " "Validation is done automatically, by the underlying OpenSSL framework; the " "application need not concern itself with its mechanics. But the application " "does usually need to provide sets of certificates to allow this process to " "take place." msgstr "" #: library/ssl.rst:2122 msgid "" "Python uses files to contain certificates. They should be formatted as " "\"PEM\" (see :rfc:`1422`), which is a base-64 encoded form wrapped with a " "header line and a footer line::" msgstr "" #: library/ssl.rst:2131 msgid "Certificate chains" msgstr "" #: library/ssl.rst:2133 msgid "" "The Python files which contain certificates can contain a sequence of " "certificates, sometimes called a *certificate chain*. This chain should " "start with the specific certificate for the principal who \"is\" the client " "or server, and then the certificate for the issuer of that certificate, and " "then the certificate for the issuer of *that* certificate, and so on up the " "chain till you get to a certificate which is *self-signed*, that is, a " "certificate which has the same subject and issuer, sometimes called a *root " "certificate*. The certificates should just be concatenated together in the " "certificate file. For example, suppose we had a three certificate chain, " "from our server certificate to the certificate of the certification " "authority that signed our server certificate, to the root certificate of the " "agency which issued the certification authority's certificate::" msgstr "" #: library/ssl.rst:2157 msgid "CA certificates" msgstr "" #: library/ssl.rst:2159 msgid "" "If you are going to require validation of the other side of the connection's " "certificate, you need to provide a \"CA certs\" file, filled with the " "certificate chains for each issuer you are willing to trust. Again, this " "file just contains these chains concatenated together. For validation, " "Python will use the first chain it finds in the file which matches. The " "platform's certificates file can be used by calling :meth:`SSLContext." "load_default_certs`, this is done automatically with :func:`." "create_default_context`." msgstr "" #: library/ssl.rst:2168 msgid "Combined key and certificate" msgstr "" #: library/ssl.rst:2170 msgid "" "Often the private key is stored in the same file as the certificate; in this " "case, only the ``certfile`` parameter to :meth:`SSLContext.load_cert_chain` " "and :func:`wrap_socket` needs to be passed. If the private key is stored " "with the certificate, it should come before the first certificate in the " "certificate chain::" msgstr "" #: library/ssl.rst:2184 msgid "Self-signed certificates" msgstr "" #: library/ssl.rst:2186 msgid "" "If you are going to create a server that provides SSL-encrypted connection " "services, you will need to acquire a certificate for that service. There " "are many ways of acquiring appropriate certificates, such as buying one from " "a certification authority. Another common practice is to generate a self-" "signed certificate. The simplest way to do this is with the OpenSSL " "package, using something like the following::" msgstr "" #: library/ssl.rst:2215 msgid "" "The disadvantage of a self-signed certificate is that it is its own root " "certificate, and no one else will have it in their cache of known (and " "trusted) root certificates." msgstr "" #: library/ssl.rst:2221 msgid "Examples" msgstr "Exemples" #: library/ssl.rst:2224 msgid "Testing for SSL support" msgstr "" #: library/ssl.rst:2226 msgid "" "To test for the presence of SSL support in a Python installation, user code " "should use the following idiom::" msgstr "" #: library/ssl.rst:2237 msgid "Client-side operation" msgstr "" #: library/ssl.rst:2239 msgid "" "This example creates a SSL context with the recommended security settings " "for client sockets, including automatic certificate verification::" msgstr "" #: library/ssl.rst:2244 msgid "" "If you prefer to tune security settings yourself, you might create a context " "from scratch (but beware that you might not get the settings right)::" msgstr "" #: library/ssl.rst:2251 msgid "" "(this snippet assumes your operating system places a bundle of all CA " "certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an " "error and have to adjust the location)" msgstr "" #: library/ssl.rst:2255 msgid "" "The :data:`PROTOCOL_TLS_CLIENT` protocol configures the context for cert " "validation and hostname verification. :attr:`~SSLContext.verify_mode` is set " "to :data:`CERT_REQUIRED` and :attr:`~SSLContext.check_hostname` is set to " "``True``. All other protocols create SSL contexts with insecure defaults." msgstr "" #: library/ssl.rst:2260 msgid "" "When you use the context to connect to a server, :const:`CERT_REQUIRED` and :" "attr:`~SSLContext.check_hostname` validate the server certificate: it " "ensures that the server certificate was signed with one of the CA " "certificates, checks the signature for correctness, and verifies other " "properties like validity and identity of the hostname::" msgstr "" #: library/ssl.rst:2270 msgid "You may then fetch the certificate::" msgstr "" #: library/ssl.rst:2274 msgid "" "Visual inspection shows that the certificate does identify the desired " "service (that is, the HTTPS host ``www.python.org``)::" msgstr "" #: library/ssl.rst:2317 msgid "" "Now the SSL channel is established and the certificate verified, you can " "proceed to talk with the server::" msgstr "" #: library/ssl.rst:2344 msgid "Server-side operation" msgstr "" #: library/ssl.rst:2346 msgid "" "For server operation, typically you'll need to have a server certificate, " "and private key, each in a file. You'll first create a context holding the " "key and the certificate, so that clients can check your authenticity. Then " "you'll open a socket, bind it to a port, call :meth:`listen` on it, and " "start waiting for clients to connect::" msgstr "" #: library/ssl.rst:2361 msgid "" "When a client connects, you'll call :meth:`accept` on the socket to get the " "new socket from the other end, and use the context's :meth:`SSLContext." "wrap_socket` method to create a server-side SSL socket for the connection::" msgstr "" #: library/ssl.rst:2374 msgid "" "Then you'll read data from the ``connstream`` and do something with it till " "you are finished with the client (or the client is finished with you)::" msgstr "" #: library/ssl.rst:2388 msgid "" "And go back to listening for new client connections (of course, a real " "server would probably handle each client connection in a separate thread, or " "put the sockets in :ref:`non-blocking mode ` and use an " "event loop)." msgstr "" #: library/ssl.rst:2396 msgid "Notes on non-blocking sockets" msgstr "" #: library/ssl.rst:2398 msgid "" "SSL sockets behave slightly different than regular sockets in non-blocking " "mode. When working with non-blocking sockets, there are thus several things " "you need to be aware of:" msgstr "" #: library/ssl.rst:2402 msgid "" "Most :class:`SSLSocket` methods will raise either :exc:`SSLWantWriteError` " "or :exc:`SSLWantReadError` instead of :exc:`BlockingIOError` if an I/O " "operation would block. :exc:`SSLWantReadError` will be raised if a read " "operation on the underlying socket is necessary, and :exc:" "`SSLWantWriteError` for a write operation on the underlying socket. Note " "that attempts to *write* to an SSL socket may require *reading* from the " "underlying socket first, and attempts to *read* from the SSL socket may " "require a prior *write* to the underlying socket." msgstr "" #: library/ssl.rst:2414 msgid "" "In earlier Python versions, the :meth:`!SSLSocket.send` method returned zero " "instead of raising :exc:`SSLWantWriteError` or :exc:`SSLWantReadError`." msgstr "" #: library/ssl.rst:2418 msgid "" "Calling :func:`~select.select` tells you that the OS-level socket can be " "read from (or written to), but it does not imply that there is sufficient " "data at the upper SSL layer. For example, only part of an SSL frame might " "have arrived. Therefore, you must be ready to handle :meth:`SSLSocket.recv` " "and :meth:`SSLSocket.send` failures, and retry after another call to :func:" "`~select.select`." msgstr "" #: library/ssl.rst:2425 msgid "" "Conversely, since the SSL layer has its own framing, a SSL socket may still " "have data available for reading without :func:`~select.select` being aware " "of it. Therefore, you should first call :meth:`SSLSocket.recv` to drain any " "potentially available data, and then only block on a :func:`~select.select` " "call if still necessary." msgstr "" #: library/ssl.rst:2431 msgid "" "(of course, similar provisions apply when using other primitives such as :" "func:`~select.poll`, or those in the :mod:`selectors` module)" msgstr "" #: library/ssl.rst:2434 msgid "" "The SSL handshake itself will be non-blocking: the :meth:`SSLSocket." "do_handshake` method has to be retried until it returns successfully. Here " "is a synopsis using :func:`~select.select` to wait for the socket's " "readiness::" msgstr "" #: library/ssl.rst:2450 msgid "" "The :mod:`asyncio` module supports :ref:`non-blocking SSL sockets ` and provides a higher level API. It polls for events using " "the :mod:`selectors` module and handles :exc:`SSLWantWriteError`, :exc:" "`SSLWantReadError` and :exc:`BlockingIOError` exceptions. It runs the SSL " "handshake asynchronously as well." msgstr "" #: library/ssl.rst:2459 msgid "Memory BIO Support" msgstr "" #: library/ssl.rst:2463 msgid "" "Ever since the SSL module was introduced in Python 2.6, the :class:" "`SSLSocket` class has provided two related but distinct areas of " "functionality:" msgstr "" #: library/ssl.rst:2466 msgid "SSL protocol handling" msgstr "" #: library/ssl.rst:2467 msgid "Network IO" msgstr "" #: library/ssl.rst:2469 msgid "" "The network IO API is identical to that provided by :class:`socket.socket`, " "from which :class:`SSLSocket` also inherits. This allows an SSL socket to be " "used as a drop-in replacement for a regular socket, making it very easy to " "add SSL support to an existing application." msgstr "" #: library/ssl.rst:2474 msgid "" "Combining SSL protocol handling and network IO usually works well, but there " "are some cases where it doesn't. An example is async IO frameworks that want " "to use a different IO multiplexing model than the \"select/poll on a file " "descriptor\" (readiness based) model that is assumed by :class:`socket." "socket` and by the internal OpenSSL socket IO routines. This is mostly " "relevant for platforms like Windows where this model is not efficient. For " "this purpose, a reduced scope variant of :class:`SSLSocket` called :class:" "`SSLObject` is provided." msgstr "" #: library/ssl.rst:2485 msgid "" "A reduced-scope variant of :class:`SSLSocket` representing an SSL protocol " "instance that does not contain any network IO methods. This class is " "typically used by framework authors that want to implement asynchronous IO " "for SSL through memory buffers." msgstr "" #: library/ssl.rst:2490 msgid "" "This class implements an interface on top of a low-level SSL object as " "implemented by OpenSSL. This object captures the state of an SSL connection " "but does not provide any network IO itself. IO needs to be performed through " "separate \"BIO\" objects which are OpenSSL's IO abstraction layer." msgstr "" #: library/ssl.rst:2495 msgid "" "This class has no public constructor. An :class:`SSLObject` instance must " "be created using the :meth:`~SSLContext.wrap_bio` method. This method will " "create the :class:`SSLObject` instance and bind it to a pair of BIOs. The " "*incoming* BIO is used to pass data from Python to the SSL protocol " "instance, while the *outgoing* BIO is used to pass data the other way around." msgstr "" #: library/ssl.rst:2502 msgid "The following methods are available:" msgstr "" #: library/ssl.rst:2504 msgid ":attr:`~SSLSocket.context`" msgstr ":attr:`~SSLSocket.context`" #: library/ssl.rst:2505 msgid ":attr:`~SSLSocket.server_side`" msgstr ":attr:`~SSLSocket.server_side`" #: library/ssl.rst:2506 msgid ":attr:`~SSLSocket.server_hostname`" msgstr ":attr:`~SSLSocket.server_hostname`" #: library/ssl.rst:2507 msgid ":attr:`~SSLSocket.session`" msgstr ":attr:`~SSLSocket.session`" #: library/ssl.rst:2508 msgid ":attr:`~SSLSocket.session_reused`" msgstr ":attr:`~SSLSocket.session_reused`" #: library/ssl.rst:2509 msgid ":meth:`~SSLSocket.read`" msgstr ":meth:`~SSLSocket.read`" #: library/ssl.rst:2510 msgid ":meth:`~SSLSocket.write`" msgstr ":meth:`~SSLSocket.write`" #: library/ssl.rst:2511 msgid ":meth:`~SSLSocket.getpeercert`" msgstr ":meth:`~SSLSocket.getpeercert`" #: library/ssl.rst:2512 msgid ":meth:`~SSLSocket.selected_alpn_protocol`" msgstr ":meth:`~SSLSocket.selected_alpn_protocol`" #: library/ssl.rst:2513 msgid ":meth:`~SSLSocket.selected_npn_protocol`" msgstr ":meth:`~SSLSocket.selected_npn_protocol`" #: library/ssl.rst:2514 msgid ":meth:`~SSLSocket.cipher`" msgstr ":meth:`~SSLSocket.cipher`" #: library/ssl.rst:2515 msgid ":meth:`~SSLSocket.shared_ciphers`" msgstr ":meth:`~SSLSocket.shared_ciphers`" #: library/ssl.rst:2516 msgid ":meth:`~SSLSocket.compression`" msgstr ":meth:`~SSLSocket.compression`" #: library/ssl.rst:2517 msgid ":meth:`~SSLSocket.pending`" msgstr ":meth:`~SSLSocket.pending`" #: library/ssl.rst:2518 msgid ":meth:`~SSLSocket.do_handshake`" msgstr ":meth:`~SSLSocket.do_handshake`" #: library/ssl.rst:2519 msgid ":meth:`~SSLSocket.verify_client_post_handshake`" msgstr ":meth:`~SSLSocket.verify_client_post_handshake`" #: library/ssl.rst:2520 msgid ":meth:`~SSLSocket.unwrap`" msgstr ":meth:`~SSLSocket.unwrap`" #: library/ssl.rst:2521 msgid ":meth:`~SSLSocket.get_channel_binding`" msgstr ":meth:`~SSLSocket.get_channel_binding`" #: library/ssl.rst:2522 msgid ":meth:`~SSLSocket.version`" msgstr ":meth:`~SSLSocket.version`" #: library/ssl.rst:2524 msgid "" "When compared to :class:`SSLSocket`, this object lacks the following " "features:" msgstr "" #: library/ssl.rst:2527 msgid "" "Any form of network IO; ``recv()`` and ``send()`` read and write only to the " "underlying :class:`MemoryBIO` buffers." msgstr "" #: library/ssl.rst:2530 msgid "" "There is no *do_handshake_on_connect* machinery. You must always manually " "call :meth:`~SSLSocket.do_handshake` to start the handshake." msgstr "" #: library/ssl.rst:2533 msgid "" "There is no handling of *suppress_ragged_eofs*. All end-of-file conditions " "that are in violation of the protocol are reported via the :exc:" "`SSLEOFError` exception." msgstr "" #: library/ssl.rst:2537 msgid "" "The method :meth:`~SSLSocket.unwrap` call does not return anything, unlike " "for an SSL socket where it returns the underlying socket." msgstr "" #: library/ssl.rst:2540 msgid "" "The *server_name_callback* callback passed to :meth:`SSLContext." "set_servername_callback` will get an :class:`SSLObject` instance instead of " "a :class:`SSLSocket` instance as its first parameter." msgstr "" #: library/ssl.rst:2544 msgid "Some notes related to the use of :class:`SSLObject`:" msgstr "" #: library/ssl.rst:2546 msgid "" "All IO on an :class:`SSLObject` is :ref:`non-blocking `. " "This means that for example :meth:`~SSLSocket.read` will raise an :exc:" "`SSLWantReadError` if it needs more data than the incoming BIO has available." msgstr "" #: library/ssl.rst:2551 msgid "" "There is no module-level ``wrap_bio()`` call like there is for :meth:" "`~SSLContext.wrap_socket`. An :class:`SSLObject` is always created via an :" "class:`SSLContext`." msgstr "" #: library/ssl.rst:2555 msgid "" ":class:`SSLObject` instances must to created with :meth:`~SSLContext." "wrap_bio`. In earlier versions, it was possible to create instances " "directly. This was never documented or officially supported." msgstr "" #: library/ssl.rst:2561 msgid "" "An SSLObject communicates with the outside world using memory buffers. The " "class :class:`MemoryBIO` provides a memory buffer that can be used for this " "purpose. It wraps an OpenSSL memory BIO (Basic IO) object:" msgstr "" #: library/ssl.rst:2567 msgid "" "A memory buffer that can be used to pass data between Python and an SSL " "protocol instance." msgstr "" #: library/ssl.rst:2572 msgid "Return the number of bytes currently in the memory buffer." msgstr "" #: library/ssl.rst:2576 msgid "" "A boolean indicating whether the memory BIO is current at the end-of-file " "position." msgstr "" #: library/ssl.rst:2581 msgid "" "Read up to *n* bytes from the memory buffer. If *n* is not specified or " "negative, all bytes are returned." msgstr "" #: library/ssl.rst:2586 msgid "" "Write the bytes from *buf* to the memory BIO. The *buf* argument must be an " "object supporting the buffer protocol." msgstr "" #: library/ssl.rst:2589 msgid "" "The return value is the number of bytes written, which is always equal to " "the length of *buf*." msgstr "" #: library/ssl.rst:2594 msgid "" "Write an EOF marker to the memory BIO. After this method has been called, it " "is illegal to call :meth:`~MemoryBIO.write`. The attribute :attr:`eof` will " "become true after all data currently in the buffer has been read." msgstr "" #: library/ssl.rst:2600 msgid "SSL session" msgstr "" #: library/ssl.rst:2606 msgid "Session object used by :attr:`~SSLSocket.session`." msgstr "" #: library/ssl.rst:2618 #, fuzzy msgid "Security considerations" msgstr "Considérations de sécurité" #: library/ssl.rst:2621 msgid "Best defaults" msgstr "" #: library/ssl.rst:2623 msgid "" "For **client use**, if you don't have any special requirements for your " "security policy, it is highly recommended that you use the :func:" "`create_default_context` function to create your SSL context. It will load " "the system's trusted CA certificates, enable certificate validation and " "hostname checking, and try to choose reasonably secure protocol and cipher " "settings." msgstr "" #: library/ssl.rst:2630 msgid "" "For example, here is how you would use the :class:`smtplib.SMTP` class to " "create a trusted, secure connection to a SMTP server::" msgstr "" #: library/ssl.rst:2639 msgid "" "If a client certificate is needed for the connection, it can be added with :" "meth:`SSLContext.load_cert_chain`." msgstr "" #: library/ssl.rst:2642 msgid "" "By contrast, if you create the SSL context by calling the :class:" "`SSLContext` constructor yourself, it will not have certificate validation " "nor hostname checking enabled by default. If you do so, please read the " "paragraphs below to achieve a good security level." msgstr "" #: library/ssl.rst:2648 msgid "Manual settings" msgstr "" #: library/ssl.rst:2651 msgid "Verifying certificates" msgstr "" #: library/ssl.rst:2653 msgid "" "When calling the :class:`SSLContext` constructor directly, :const:" "`CERT_NONE` is the default. Since it does not authenticate the other peer, " "it can be insecure, especially in client mode where most of time you would " "like to ensure the authenticity of the server you're talking to. Therefore, " "when in client mode, it is highly recommended to use :const:" "`CERT_REQUIRED`. However, it is in itself not sufficient; you also have to " "check that the server certificate, which can be obtained by calling :meth:" "`SSLSocket.getpeercert`, matches the desired service. For many protocols " "and applications, the service can be identified by the hostname; in this " "case, the :func:`match_hostname` function can be used. This common check is " "automatically performed when :attr:`SSLContext.check_hostname` is enabled." msgstr "" #: library/ssl.rst:2666 msgid "" "Hostname matchings is now performed by OpenSSL. Python no longer uses :func:" "`match_hostname`." msgstr "" #: library/ssl.rst:2670 msgid "" "In server mode, if you want to authenticate your clients using the SSL layer " "(rather than using a higher-level authentication mechanism), you'll also " "have to specify :const:`CERT_REQUIRED` and similarly check the client " "certificate." msgstr "" #: library/ssl.rst:2676 msgid "Protocol versions" msgstr "" #: library/ssl.rst:2678 msgid "" "SSL versions 2 and 3 are considered insecure and are therefore dangerous to " "use. If you want maximum compatibility between clients and servers, it is " "recommended to use :const:`PROTOCOL_TLS_CLIENT` or :const:" "`PROTOCOL_TLS_SERVER` as the protocol version. SSLv2 and SSLv3 are disabled " "by default." msgstr "" #: library/ssl.rst:2691 msgid "" "The SSL context created above will only allow TLSv1.2 and later (if " "supported by your system) connections to a server. :const:" "`PROTOCOL_TLS_CLIENT` implies certificate validation and hostname checks by " "default. You have to load certificates into the context." msgstr "" #: library/ssl.rst:2698 msgid "Cipher selection" msgstr "" #: library/ssl.rst:2700 msgid "" "If you have advanced security requirements, fine-tuning of the ciphers " "enabled when negotiating a SSL session is possible through the :meth:" "`SSLContext.set_ciphers` method. Starting from Python 3.2.3, the ssl module " "disables certain weak ciphers by default, but you may want to further " "restrict the cipher choice. Be sure to read OpenSSL's documentation about " "the `cipher list format `_. If you want to check which ciphers are enabled " "by a given cipher list, use :meth:`SSLContext.get_ciphers` or the ``openssl " "ciphers`` command on your system." msgstr "" #: library/ssl.rst:2711 msgid "Multi-processing" msgstr "" #: library/ssl.rst:2713 msgid "" "If using this module as part of a multi-processed application (using, for " "example the :mod:`multiprocessing` or :mod:`concurrent.futures` modules), be " "aware that OpenSSL's internal random number generator does not properly " "handle forked processes. Applications must change the PRNG state of the " "parent process if they use any SSL feature with :func:`os.fork`. Any " "successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or :func:" "`~ssl.RAND_pseudo_bytes` is sufficient." msgstr "" #: library/ssl.rst:2725 msgid "TLS 1.3" msgstr "" #: library/ssl.rst:2729 msgid "" "The TLS 1.3 protocol behaves slightly differently than previous version of " "TLS/SSL. Some new TLS 1.3 features are not yet available." msgstr "" #: library/ssl.rst:2732 msgid "" "TLS 1.3 uses a disjunct set of cipher suites. All AES-GCM and ChaCha20 " "cipher suites are enabled by default. The method :meth:`SSLContext." "set_ciphers` cannot enable or disable any TLS 1.3 ciphers yet, but :meth:" "`SSLContext.get_ciphers` returns them." msgstr "" #: library/ssl.rst:2736 msgid "" "Session tickets are no longer sent as part of the initial handshake and are " "handled differently. :attr:`SSLSocket.session` and :class:`SSLSession` are " "not compatible with TLS 1.3." msgstr "" #: library/ssl.rst:2739 msgid "" "Client-side certificates are also no longer verified during the initial " "handshake. A server can request a certificate at any time. Clients process " "certificate requests while they send or receive application data from the " "server." msgstr "" #: library/ssl.rst:2743 msgid "" "TLS 1.3 features like early data, deferred TLS client cert request, " "signature algorithm configuration, and rekeying are not supported yet." msgstr "" #: library/ssl.rst:2750 msgid "Class :class:`socket.socket`" msgstr "" #: library/ssl.rst:2750 msgid "Documentation of underlying :mod:`socket` class" msgstr "" #: library/ssl.rst:2753 msgid "" "`SSL/TLS Strong Encryption: An Introduction `_" msgstr "" #: library/ssl.rst:2753 msgid "Intro from the Apache HTTP Server documentation" msgstr "" #: library/ssl.rst:2756 msgid "" ":rfc:`RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: " "Certificate-Based Key Management <1422>`" msgstr "" #: library/ssl.rst:2756 msgid "Steve Kent" msgstr "" #: library/ssl.rst:2759 msgid ":rfc:`RFC 4086: Randomness Requirements for Security <4086>`" msgstr "" #: library/ssl.rst:2759 msgid "Donald E., Jeffrey I. Schiller" msgstr "" #: library/ssl.rst:2762 msgid "" ":rfc:`RFC 5280: Internet X.509 Public Key Infrastructure Certificate and " "Certificate Revocation List (CRL) Profile <5280>`" msgstr "" #: library/ssl.rst:2762 msgid "D. Cooper" msgstr "" #: library/ssl.rst:2765 msgid "" ":rfc:`RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 " "<5246>`" msgstr "" #: library/ssl.rst:2765 msgid "T. Dierks et. al." msgstr "" #: library/ssl.rst:2768 msgid ":rfc:`RFC 6066: Transport Layer Security (TLS) Extensions <6066>`" msgstr "" #: library/ssl.rst:2768 msgid "D. Eastlake" msgstr "" #: library/ssl.rst:2771 msgid "" "`IANA TLS: Transport Layer Security (TLS) Parameters `_" msgstr "" #: library/ssl.rst:2771 msgid "IANA" msgstr "" #: library/ssl.rst:2774 msgid "" ":rfc:`RFC 7525: Recommendations for Secure Use of Transport Layer Security " "(TLS) and Datagram Transport Layer Security (DTLS) <7525>`" msgstr "" #: library/ssl.rst:2774 msgid "IETF" msgstr "" #: library/ssl.rst:2776 msgid "" "`Mozilla's Server Side TLS recommendations `_" msgstr "" #: library/ssl.rst:2777 msgid "Mozilla" msgstr "" #, fuzzy #~ msgid ":ref:`Availability `: OpenSSL 1.0.2+." #~ msgstr ":ref:`Disponibilité ` : OpenSSL 1.1+."