Pike v8.0 release 1738

Class SSL.Context

Description

Keeps the state that is shared by all SSL-connections on a client, or for one port on a server. It includes policy configuration, the server or client certificate(s), the corresponding private key(s), etc. It also includes the session cache.

The defaults are usually suitable for a client, but for a server some configuration is necessary.

Typical use is to:

  • Call add_cert() with the certificates belonging to the server or client. Note that clients often don't have or need any certificates, and also that certificate-less server operation is possible, albeit discouraged and not enabled by default.

    Suitable self-signed certificates can be created with Standards.X509.make_selfsigned_certificate().

  • Optionally call get_suites() to get a set of cipher_suites to assign to preferred_suites. This is only needed if the default set of suites from get_suites(128, 1) isn't satisfactory.

The initialized Context object is then passed to File()->create(), or used as-is, embedded in Port.
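
The typical-use steps above, as a server-side example. This is an added example and is not part of the Pike reference; the host name, key size, certificate lifetime and cache limits are constructed values, and the argument order for add_cert() and Standards.X509.make_selfsigned_certificate() is assumed to be as documented on their own pages:

```pike
// Added example; not taken from the Pike reference.
// Assumptions: host name, key size, lifetime and cache limits are constructed.
import SSL.Constants;

SSL.Context make_server_context()
{
  SSL.Context ctx = SSL.Context();

  // Step 1: private key plus certificate chain (leaf first).
  // A self-signed certificate is for testing only; peers that verify
  // certificates cannot chain it to a trusted issuer.
  Crypto.RSA.State key = Crypto.RSA()->generate_key(2048);
  string(8bit) cert = Standards.X509.make_selfsigned_certificate(
    key, 30 * 24 * 3600, ([ "commonName" : "server.example" ]));
  ctx->add_cert(key, ({ cert }));

  // The documented default for min_version is PROTOCOL_TLS_1_0.
  // Raise the floor, and keep it at or below max_version.
  ctx->min_version = PROTOCOL_TLS_1_2;
  ctx->max_version = PROTOCOL_TLS_MAX;

  // Step 2 (optional): choose the cipher suites explicitly. This is the
  // call the documentation names as the default; change its arguments
  // only after reading the get_suites() documentation.
  ctx->preferred_suites = ctx->get_suites(128, 1);

  // Leave TLS compression off (the documented default).
  ctx->preferred_compressors = ({ COMPRESSION_null });

  // No client certificates are requested in this example.
  ctx->auth_level = AUTHLEVEL_none;

  // Bound the session cache.
  ctx->use_cache = 1;
  ctx->max_sessions = 300;
  ctx->session_lifetime = 600;  // seconds

  return ctx;
}

int main()
{
  SSL.Context ctx = make_server_context();
  write("min_version=%O suites=%d\n", ctx->min_version,
        sizeof(ctx->preferred_suites));
  return 0;  // ctx is now ready to hand to File or Port
}
```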

See also

File, Port, Standards.X509


Variable advertised_protocols

array(string(8bit)) SSL.Context.advertised_protocols

Description

List of protocols advertised using TLS application-level protocol negotiation (ALPN).


Variable auth_level

int SSL.Context.auth_level

Description

Policy for client authentication. One of SSL.Constants.AUTHLEVEL_none, SSL.Constants.AUTHLEVEL_ask and SSL.Constants.AUTHLEVEL_require.


Variable certificates

__deprecated__ array(string(8bit)) SSL.Context.certificates

Description

Getting

The server's certificate, or a chain of X509.v3 certificates, with the server's certificate first and root certificate last.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`rsa, find_cert()

Setting

The server's certificate, or a chain of X509.v3 certificates, with the server's certificate first and root certificate last.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`rsa, find_cert()


Variable client_certificates

__deprecated__ array(array(string(8bit))) SSL.Context.client_certificates

Description

Getting

The client's certificate, or a chain of X509.v3 certificates, with the client's certificate first and root certificate last.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`rsa, find_cert()

Setting

The client's certificate, or a chain of X509.v3 certificates, with the client's certificate first and root certificate last.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`rsa, find_cert()


Variable client_rsa

__deprecated__ Crypto.RSA.State SSL.Context.client_rsa

Description

Getting

The client's RSA private key.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`certificates, find_cert()

Setting

The client's RSA private key.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`certificates, find_cert()


Variable dh_groups

array(Crypto.DH.Parameters) SSL.Context.dh_groups

Description

Supported DH groups for DHE key exchanges, in order of preference. Defaults to FFDHE-2048.


Variable dsa

__deprecated__ Crypto.DSA.State SSL.Context.dsa

Description

Getting

Compatibility.

Deprecated

Replaced by find_cert.

Setting

Compatibility.

Deprecated

Replaced by find_cert.


Variable ecc_curves

array(int) SSL.Context.ecc_curves

Description

Supported elliptic curve cipher curves, in order of preference.


Variable encrypt_then_mac

int SSL.Context.encrypt_then_mac

Description

Attempt to enable encrypt-then-mac mode.


Variable heartbleed_probe

bool SSL.Context.heartbleed_probe

Description

If set, the peer will be probed for the Heartbleed bug during the handshake. If Heartbleed is found, the connection is closed with an insufficient security fatal error.


Variable long_rsa
Variable short_rsa

Crypto.RSA.State SSL.Context.long_rsa
Crypto.RSA.State SSL.Context.short_rsa

Description

Temporary, non-certified, private keys, used for RSA key exchange in export mode. They are used as follows:

short_rsa is a 512-bit RSA key used for the SSL 3.0 and TLS 1.0 export cipher suites.

long_rsa is a 1024-bit RSA key to be used for the RSA_EXPORT1024 suites from draft-ietf-tls-56-bit-ciphersuites-01.txt.

They have associated counters short_rsa_counter and long_rsa_counter, which are decremented each time the keys are used.

When a counter reaches zero, the corresponding RSA key is cleared, and a new one is generated on demand, at which time the counter is reset.


Variable long_rsa_counter
Variable short_rsa_counter

int SSL.Context.long_rsa_counter
int SSL.Context.short_rsa_counter

Description

Counters for export RSA keys.


Variable max_sessions

int SSL.Context.max_sessions

Description

Maximum number of sessions to keep in the cache.


Variable max_version

ProtocolVersion SSL.Context.max_version

Description

The maximum supported protocol version.

Defaults to PROTOCOL_TLS_MAX.

Note

This value should not be less than min_version.


Variable min_version

ProtocolVersion SSL.Context.min_version

Description

The minimum supported protocol version.

Defaults to PROTOCOL_TLS_1_0.

Note

This value should not be greater than max_version.


Variable packet_max_size

int SSL.Context.packet_max_size

Description

The maximum amount of data that is sent in each SSL packet by File. A value between 1 and Constants.PACKET_MAX_SIZE.


Variable preferred_auth_methods

array(int) SSL.Context.preferred_auth_methods

Description

For client authentication. Used only if auth_level is AUTHLEVEL_ask or AUTHLEVEL_require.


Variable preferred_compressors

array(int) SSL.Context.preferred_compressors

Description

Lists the supported compression algorithms in order of preference.

Defaults to ({ COMPRESSION_null }) due to SSL attacks that target compression.


Variable preferred_suites

array(int) SSL.Context.preferred_suites

Description

Cipher suites we want to support, in order of preference, best first.


Variable random

function(int(0..):string(8bit)) SSL.Context.random

Description

Used to generate random cookies for the hello message. If we use the RSA key exchange method, and this is a server, this random number generator is not used for generating the master_secret. By default set to Crypto.Random.random_string.


Variable require_trust

int SSL.Context.require_trust

Description

When set, require the chain to be known, even if the root is self-signed.

Note that if set, and certificates are set to be verified, trusted issuers must be provided, or no connections will be accepted.


Variable rsa

__deprecated__ Crypto.RSA.State SSL.Context.rsa

Description

Getting

The server's default private RSA key.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`certificates, find_cert()

Setting

The server's default private RSA key.

Compatibility, don't use.

Deprecated

Replaced by find_cert.

See also

`certificates, find_cert()


Variable session_lifetime

int SSL.Context.session_lifetime

Description

Sessions are removed from the cache when they are older than this limit (in seconds). Sessions are also removed from the cache if a connection using the session dies unexpectedly.


Variable signature_algorithms

array(array(int)) SSL.Context.signature_algorithms

Description

The set of <hash, signature> combinations that we use.

Only used with TLS 1.2 and later.

Defaults to all combinations supported by Pike except for MD5.

This list is typically filtered by get_signature_algorithms() to get rid of combinations not supported by the runtime.

Note

According to RFC 5246, section 7.4.2, all certificates need to be signed by any of the supported signature algorithms. To be forward compatible, this list needs to be limited to the combinations that have existing PKCS identifiers.

See also

get_signature_algorithms()


Variable use_cache

int SSL.Context.use_cache

Description

Non-zero to enable caching of sessions.


Variable verifier_algorithms

mapping(Standards.ASN1.Types.Identifier:Crypto.Hash) SSL.Context.verifier_algorithms

Description

Mapping of supported verifier algorithms to hash implementation.

See also

Standards.X509.get_algorithms()


Variable verify_certificates

int SSL.Context.verify_certificates

Description

Determines whether certificates presented by the peer are verified, or just accepted as being valid.