<?xml version="1.0" encoding="ascii"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
"DTD/xhtml1-transitional.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
|
|
<head>
|
|
<title>nss</title>
|
|
<link rel="stylesheet" href="epydoc.css" type="text/css" />
|
|
<script type="text/javascript" src="epydoc.js"></script>
|
|
</head>
|
|
|
|
<body bgcolor="white" text="black" link="blue" vlink="#204080"
|
|
alink="#204080">
|
|
<!-- ==================== NAVIGATION BAR ==================== -->
|
|
<table class="navbar" border="0" width="100%" cellpadding="0"
|
|
bgcolor="#a0c0ff" cellspacing="0">
|
|
<tr valign="middle">
|
|
<!-- Home link -->
|
|
<th bgcolor="#70b0f0" class="navbar-select"
|
|
> Home </th>
|
|
|
|
<!-- Tree link -->
|
|
<th> <a
|
|
href="module-tree.html">Trees</a> </th>
|
|
|
|
<!-- Index link -->
|
|
<th> <a
|
|
href="identifier-index.html">Indices</a> </th>
|
|
|
|
<!-- Help link -->
|
|
<th> <a
|
|
href="help.html">Help</a> </th>
|
|
|
|
<th class="navbar" width="100%"></th>
|
|
</tr>
|
|
</table>
|
|
<table width="100%" cellpadding="0" cellspacing="0">
|
|
<tr valign="top">
|
|
<td width="100%">
|
|
<span class="breadcrumbs">
|
|
Package nss
|
|
</span>
|
|
</td>
|
|
<td>
|
|
<table cellpadding="0" cellspacing="0">
|
|
<!-- hide/show private -->
|
|
<tr><td align="right"><span class="options">[<a href="javascript:void(0);" class="privatelink"
|
|
onclick="toggle_private();">hide private</a>]</span></td></tr>
|
|
<tr><td align="right"><span class="options"
|
|
>[<a href="frames.html" target="_top">frames</a
|
|
>] | <a href="nss-pysrc.html"
|
|
target="_top">no frames</a>]</span></td></tr>
|
|
</table>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
<h1 class="epydoc">Source Code for <a href="nss-module.html">Package nss</a></h1>
|
|
<pre class="py-src">
|
|
<a name="L1"></a><tt class="py-lineno"> 1</tt> <tt class="py-line"><tt class="py-comment"># This Source Code Form is subject to the terms of the Mozilla Public</tt> </tt>
|
|
<a name="L2"></a><tt class="py-lineno"> 2</tt> <tt class="py-line"><tt class="py-comment"># License, v. 2.0. If a copy of the MPL was not distributed with this</tt> </tt>
|
|
<a name="L3"></a><tt class="py-lineno"> 3</tt> <tt class="py-line"><tt class="py-comment"># file, You can obtain one at http://mozilla.org/MPL/2.0/.</tt> </tt>
|
|
<a name="L4"></a><tt class="py-lineno"> 4</tt> <tt class="py-line"><tt class="py-docstring">"""</tt> </tt>
|
|
<a name="L5"></a><tt class="py-lineno"> 5</tt> <tt class="py-line"><tt class="py-docstring">============</tt> </tt>
|
|
<a name="L6"></a><tt class="py-lineno"> 6</tt> <tt class="py-line"><tt class="py-docstring">Introduction</tt> </tt>
|
|
<a name="L7"></a><tt class="py-lineno"> 7</tt> <tt class="py-line"><tt class="py-docstring">============</tt> </tt>
|
|
<a name="L8"></a><tt class="py-lineno"> 8</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L9"></a><tt class="py-lineno"> 9</tt> <tt class="py-line"><tt class="py-docstring">This package provides a binding for the Network Security Services</tt> </tt>
|
|
<a name="L10"></a><tt class="py-lineno"> 10</tt> <tt class="py-line"><tt class="py-docstring">(NSS) library. Because NSS directly uses the Netscape Portable Runtime</tt> </tt>
|
|
<a name="L11"></a><tt class="py-lineno"> 11</tt> <tt class="py-line"><tt class="py-docstring">(NSPR) the binding also provides support for NSPR. There is an</tt> </tt>
|
|
<a name="L12"></a><tt class="py-lineno"> 12</tt> <tt class="py-line"><tt class="py-docstring">inherent conflict between NSPR and Python, please see the Issues</tt> </tt>
|
|
<a name="L13"></a><tt class="py-lineno"> 13</tt> <tt class="py-line"><tt class="py-docstring">section for more detail.</tt> </tt>
|
|
<a name="L14"></a><tt class="py-lineno"> 14</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L15"></a><tt class="py-lineno"> 15</tt> <tt class="py-line"><tt class="py-docstring">General documentation on NSS can be found here:</tt> </tt>
|
|
<a name="L16"></a><tt class="py-lineno"> 16</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L17"></a><tt class="py-lineno"> 17</tt> <tt class="py-line"><tt class="py-docstring">http://www.mozilla.org/projects/security/pki/nss</tt> </tt>
|
|
<a name="L18"></a><tt class="py-lineno"> 18</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L19"></a><tt class="py-lineno"> 19</tt> <tt class="py-line"><tt class="py-docstring">General documentation on NSPR can be found here:</tt> </tt>
|
|
<a name="L20"></a><tt class="py-lineno"> 20</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L21"></a><tt class="py-lineno"> 21</tt> <tt class="py-line"><tt class="py-docstring">http://developer.mozilla.org/en/docs/NSPR_API_Reference</tt> </tt>
|
|
<a name="L22"></a><tt class="py-lineno"> 22</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L23"></a><tt class="py-lineno"> 23</tt> <tt class="py-line"><tt class="py-docstring">Please note, the documentation included with this package already</tt> </tt>
|
|
<a name="L24"></a><tt class="py-lineno"> 24</tt> <tt class="py-line"><tt class="py-docstring">encapsulates most of the information at the above two URLs, but is</tt> </tt>
|
|
<a name="L25"></a><tt class="py-lineno"> 25</tt> <tt class="py-line"><tt class="py-docstring">specific to the python binding of NSS/NSPR. It is suggested you refer</tt> </tt>
|
|
<a name="L26"></a><tt class="py-lineno"> 26</tt> <tt class="py-line"><tt class="py-docstring">to the python-nss documentation.</tt> </tt>
|
|
<a name="L27"></a><tt class="py-lineno"> 27</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L28"></a><tt class="py-lineno"> 28</tt> <tt class="py-line"><tt class="py-docstring">Most of the names and symbols in the NSS/NSPR C API have been kept in</tt> </tt>
|
|
<a name="L29"></a><tt class="py-lineno"> 29</tt> <tt class="py-line"><tt class="py-docstring">the nss-python binding and should be instantly familiar or</tt> </tt>
|
|
<a name="L30"></a><tt class="py-lineno"> 30</tt> <tt class="py-line"><tt class="py-docstring">recognizable. Python has different naming conventions and the</tt> </tt>
|
|
<a name="L31"></a><tt class="py-lineno"> 31</tt> <tt class="py-line"><tt class="py-docstring">nss-python binding has adhered to the python naming conventions.</tt> </tt>
|
|
<a name="L32"></a><tt class="py-lineno"> 32</tt> <tt class="py-line"><tt class="py-docstring">Classes are camel case, otherwise symbols are all lower case with</tt> </tt>
|
|
<a name="L33"></a><tt class="py-lineno"> 33</tt> <tt class="py-line"><tt class="py-docstring">words separated by underscores. The constants used by NSS/NSPR in C</tt> </tt>
|
|
<a name="L34"></a><tt class="py-lineno"> 34</tt> <tt class="py-line"><tt class="py-docstring">API have been imported literally to aid the programmer who might be</tt> </tt>
|
|
<a name="L35"></a><tt class="py-lineno"> 35</tt> <tt class="py-line"><tt class="py-docstring">referring to the Mozilla NSS/NSPR documentation and/or header files or</tt> </tt>
|
|
<a name="L36"></a><tt class="py-lineno"> 36</tt> <tt class="py-line"><tt class="py-docstring">who is porting an existing C application to python. Minor other</tt> </tt>
|
|
<a name="L37"></a><tt class="py-lineno"> 37</tt> <tt class="py-line"><tt class="py-docstring">changes have been made in the interest of being "Pythonic".</tt> </tt>
|
|
<a name="L38"></a><tt class="py-lineno"> 38</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L39"></a><tt class="py-lineno"> 39</tt> <tt class="py-line"><tt class="py-docstring">========================</tt> </tt>
|
|
<a name="L40"></a><tt class="py-lineno"> 40</tt> <tt class="py-line"><tt class="py-docstring">Deprecated Functionality</tt> </tt>
|
|
<a name="L41"></a><tt class="py-lineno"> 41</tt> <tt class="py-line"><tt class="py-docstring">========================</tt> </tt>
|
|
<a name="L42"></a><tt class="py-lineno"> 42</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L43"></a><tt class="py-lineno"> 43</tt> <tt class="py-line"><tt class="py-docstring">Some elements of the binding have been deprecated because of lessons</tt> </tt>
|
|
<a name="L44"></a><tt class="py-lineno"> 44</tt> <tt class="py-line"><tt class="py-docstring">learned along the way. The following emit deprecation warnings and</tt> </tt>
|
|
<a name="L45"></a><tt class="py-lineno"> 45</tt> <tt class="py-line"><tt class="py-docstring">should not be used, they will be removed in a subsequent release.</tt> </tt>
|
|
<a name="L46"></a><tt class="py-lineno"> 46</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L47"></a><tt class="py-lineno"> 47</tt> <tt class="py-line"><tt class="py-docstring">`io.NetworkAddress()`</tt> </tt>
|
|
<a name="L48"></a><tt class="py-lineno"> 48</tt> <tt class="py-line"><tt class="py-docstring"> `NetworkAddress` initialization from a string parameter only works</tt> </tt>
|
|
<a name="L49"></a><tt class="py-lineno"> 49</tt> <tt class="py-line"><tt class="py-docstring"> for IPv4, use `AddrInfo` instead.</tt> </tt>
|
|
<a name="L50"></a><tt class="py-lineno"> 50</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L51"></a><tt class="py-lineno"> 51</tt> <tt class="py-line"><tt class="py-docstring">`io.NetworkAddress.set_from_string()`</tt> </tt>
|
|
<a name="L52"></a><tt class="py-lineno"> 52</tt> <tt class="py-line"><tt class="py-docstring"> `NetworkAddress` initialization from a string parameter only works</tt> </tt>
|
|
<a name="L53"></a><tt class="py-lineno"> 53</tt> <tt class="py-line"><tt class="py-docstring"> for IPv4, use `AddrInfo` instead.</tt> </tt>
|
|
<a name="L54"></a><tt class="py-lineno"> 54</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L55"></a><tt class="py-lineno"> 55</tt> <tt class="py-line"><tt class="py-docstring">`io.NetworkAddress.hostentry`</tt> </tt>
|
|
<a name="L56"></a><tt class="py-lineno"> 56</tt> <tt class="py-line"><tt class="py-docstring"> `HostEntry` objects only support IPv4, this property will be</tt> </tt>
|
|
<a name="L57"></a><tt class="py-lineno"> 57</tt> <tt class="py-line"><tt class="py-docstring"> removed, use `AddrInfo` instead.</tt> </tt>
|
|
<a name="L58"></a><tt class="py-lineno"> 58</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L59"></a><tt class="py-lineno"> 59</tt> <tt class="py-line"><tt class="py-docstring">`io.HostEntry.get_network_addresses()`</tt> </tt>
|
|
<a name="L60"></a><tt class="py-lineno"> 60</tt> <tt class="py-line"><tt class="py-docstring"> Use iteration instead (e.g. for net_adder in hostentry), the port</tt> </tt>
|
|
<a name="L61"></a><tt class="py-lineno"> 61</tt> <tt class="py-line"><tt class="py-docstring"> parameter is not respected, port will be the value set when `HostEntry`</tt> </tt>
|
|
<a name="L62"></a><tt class="py-lineno"> 62</tt> <tt class="py-line"><tt class="py-docstring"> object was created.</tt> </tt>
|
|
<a name="L63"></a><tt class="py-lineno"> 63</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L64"></a><tt class="py-lineno"> 64</tt> <tt class="py-line"><tt class="py-docstring">`io.HostEntry.get_network_address()`</tt> </tt>
|
|
<a name="L65"></a><tt class="py-lineno"> 65</tt> <tt class="py-line"><tt class="py-docstring"> Use indexing instead (e.g. hostentry[i]), the port parameter is</tt> </tt>
|
|
<a name="L66"></a><tt class="py-lineno"> 66</tt> <tt class="py-line"><tt class="py-docstring"> not respected, port will be the value set when `HostEntry` object was</tt> </tt>
|
|
<a name="L67"></a><tt class="py-lineno"> 67</tt> <tt class="py-line"><tt class="py-docstring"> created.</tt> </tt>
|
|
<a name="L68"></a><tt class="py-lineno"> 68</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L69"></a><tt class="py-lineno"> 69</tt> <tt class="py-line"><tt class="py-docstring">`io.Socket()` and `ssl.SSLSocket()` without explicit family parameter</tt> </tt>
|
|
<a name="L70"></a><tt class="py-lineno"> 70</tt> <tt class="py-line"><tt class="py-docstring"> Socket initialization will require the family parameter in the future.</tt> </tt>
|
|
<a name="L71"></a><tt class="py-lineno"> 71</tt> <tt class="py-line"><tt class="py-docstring"> The default family parameter of PR_AF_INET is deprecated because</tt> </tt>
|
|
<a name="L72"></a><tt class="py-lineno"> 72</tt> <tt class="py-line"><tt class="py-docstring"> when iterating through `NetworkAddress` objects returned by</tt> </tt>
|
|
<a name="L73"></a><tt class="py-lineno"> 73</tt> <tt class="py-line"><tt class="py-docstring"> `AddrInfo` some address may be an IPv6 address. Suggest using the</tt> </tt>
|
|
<a name="L74"></a><tt class="py-lineno"> 74</tt> <tt class="py-line"><tt class="py-docstring"> family property of the NetworkAddress object associated with the</tt> </tt>
|
|
<a name="L75"></a><tt class="py-lineno"> 75</tt> <tt class="py-line"><tt class="py-docstring"> socket, e.g. Socket(net_addr.family)</tt> </tt>
|
|
<a name="L76"></a><tt class="py-lineno"> 76</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L77"></a><tt class="py-lineno"> 77</tt> <tt class="py-line"><tt class="py-docstring">===============</tt> </tt>
|
|
<a name="L78"></a><tt class="py-lineno"> 78</tt> <tt class="py-line"><tt class="py-docstring">Getting Started</tt> </tt>
|
|
<a name="L79"></a><tt class="py-lineno"> 79</tt> <tt class="py-line"><tt class="py-docstring">===============</tt> </tt>
|
|
<a name="L80"></a><tt class="py-lineno"> 80</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L81"></a><tt class="py-lineno"> 81</tt> <tt class="py-line"><tt class="py-docstring">NSS stores its certificates and private keys in a security database</tt> </tt>
|
|
<a name="L82"></a><tt class="py-lineno"> 82</tt> <tt class="py-line"><tt class="py-docstring">unlike OpenSSL which references its certificates and keys via file</tt> </tt>
|
|
<a name="L83"></a><tt class="py-lineno"> 83</tt> <tt class="py-line"><tt class="py-docstring">pathnames. This means unless you already have an NSS Certificate</tt> </tt>
|
|
<a name="L84"></a><tt class="py-lineno"> 84</tt> <tt class="py-line"><tt class="py-docstring">Database (CertDB) the first order of business will be to create</tt> </tt>
|
|
<a name="L85"></a><tt class="py-lineno"> 85</tt> <tt class="py-line"><tt class="py-docstring">one. When a NSS application initializes itself it will need to specify</tt> </tt>
|
|
<a name="L86"></a><tt class="py-lineno"> 86</tt> <tt class="py-line"><tt class="py-docstring">the path to the CertDB (see "Things All NSS programs must do").</tt> </tt>
|
|
<a name="L87"></a><tt class="py-lineno"> 87</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L88"></a><tt class="py-lineno"> 88</tt> <tt class="py-line"><tt class="py-docstring">The CertDB is created and manipulated by the command line utilities</tt> </tt>
|
|
<a name="L89"></a><tt class="py-lineno"> 89</tt> <tt class="py-line"><tt class="py-docstring">certutil and modutil. Both of these programs are part of the nss-tools</tt> </tt>
|
|
<a name="L90"></a><tt class="py-lineno"> 90</tt> <tt class="py-line"><tt class="py-docstring">RPM. Documentation for these tools can be found here:</tt> </tt>
|
|
<a name="L91"></a><tt class="py-lineno"> 91</tt> <tt class="py-line"><tt class="py-docstring">http://www.mozilla.org/projects/security/pki/nss/tools</tt> </tt>
|
|
<a name="L92"></a><tt class="py-lineno"> 92</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L93"></a><tt class="py-lineno"> 93</tt> <tt class="py-line"><tt class="py-docstring">Here is an example of creating a CertDB and populating it. In the</tt> </tt>
|
|
<a name="L94"></a><tt class="py-lineno"> 94</tt> <tt class="py-line"><tt class="py-docstring">example the CertDB will be created under the directory "./pki", the CA</tt> </tt>
|
|
<a name="L95"></a><tt class="py-lineno"> 95</tt> <tt class="py-line"><tt class="py-docstring">will be called "myca", the database password will be "myca", and the</tt> </tt>
|
|
<a name="L96"></a><tt class="py-lineno"> 96</tt> <tt class="py-line"><tt class="py-docstring">server's hostname will be "myhost.example.com".</tt> </tt>
|
|
<a name="L97"></a><tt class="py-lineno"> 97</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L98"></a><tt class="py-lineno"> 98</tt> <tt class="py-line"><tt class="py-docstring">1. Create the database::</tt> </tt>
|
|
<a name="L99"></a><tt class="py-lineno"> 99</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L100"></a><tt class="py-lineno">100</tt> <tt class="py-line"><tt class="py-docstring"> certutil -N -d ./pki</tt> </tt>
|
|
<a name="L101"></a><tt class="py-lineno">101</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L102"></a><tt class="py-lineno">102</tt> <tt class="py-line"><tt class="py-docstring"> This creates a new database under the directory ./pki</tt> </tt>
|
|
<a name="L103"></a><tt class="py-lineno">103</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L104"></a><tt class="py-lineno">104</tt> <tt class="py-line"><tt class="py-docstring">2. Create a root CA certificate::</tt> </tt>
|
|
<a name="L105"></a><tt class="py-lineno">105</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L106"></a><tt class="py-lineno">106</tt> <tt class="py-line"><tt class="py-docstring"> certutil -d ./pki -S -s "CN=myca" -n myca -x -t "CTu,C,C" -m 1</tt> </tt>
|
|
<a name="L107"></a><tt class="py-lineno">107</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L108"></a><tt class="py-lineno">108</tt> <tt class="py-line"><tt class="py-docstring"> This creates an individual certificate and adds it to the</tt> </tt>
|
|
<a name="L109"></a><tt class="py-lineno">109</tt> <tt class="py-line"><tt class="py-docstring"> certificate database with a subject of "CN=myca", a nickname of</tt> </tt>
|
|
<a name="L110"></a><tt class="py-lineno">110</tt> <tt class="py-line"><tt class="py-docstring"> "myca", trust flags for SSL indicating it can issue</tt> </tt>
|
|
<a name="L111"></a><tt class="py-lineno">111</tt> <tt class="py-line"><tt class="py-docstring"> server certificates (C), can issue client certificates (T), and the</tt> </tt>
|
|
<a name="L112"></a><tt class="py-lineno">112</tt> <tt class="py-line"><tt class="py-docstring"> certificate can be used for authentication and signing (u). For</tt> </tt>
|
|
<a name="L113"></a><tt class="py-lineno">113</tt> <tt class="py-line"><tt class="py-docstring"> email and object signing it's trusted to create server</tt> </tt>
|
|
<a name="L114"></a><tt class="py-lineno">114</tt> <tt class="py-line"><tt class="py-docstring"> certificates. The certificate serial number is set to 1.</tt> </tt>
|
|
<a name="L115"></a><tt class="py-lineno">115</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L116"></a><tt class="py-lineno">116</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L117"></a><tt class="py-lineno">117</tt> <tt class="py-line"><tt class="py-docstring">3. Create a server certificate and sign it. Our example server will</tt> </tt>
|
|
<a name="L118"></a><tt class="py-lineno">118</tt> <tt class="py-line"><tt class="py-docstring"> use this::</tt> </tt>
|
|
<a name="L119"></a><tt class="py-lineno">119</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L120"></a><tt class="py-lineno">120</tt> <tt class="py-line"><tt class="py-docstring"> certutil -d pki -S -c myca -s "CN=myhost.example.com" -n myhost -t "u,u,u" -m 2</tt> </tt>
|
|
<a name="L121"></a><tt class="py-lineno">121</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L122"></a><tt class="py-lineno">122</tt> <tt class="py-line"><tt class="py-docstring"> This creates an individual certificate issued by the CA "myca" and</tt> </tt>
|
|
<a name="L123"></a><tt class="py-lineno">123</tt> <tt class="py-line"><tt class="py-docstring"> adds it to the certificate database with a subject of</tt> </tt>
|
|
<a name="L124"></a><tt class="py-lineno">124</tt> <tt class="py-line"><tt class="py-docstring"> "CN=myhost.example.com", a nickname of "myhost". The certificate</tt> </tt>
|
|
<a name="L125"></a><tt class="py-lineno">125</tt> <tt class="py-line"><tt class="py-docstring"> serial number is set to 2.</tt> </tt>
|
|
<a name="L126"></a><tt class="py-lineno">126</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L127"></a><tt class="py-lineno">127</tt> <tt class="py-line"><tt class="py-docstring">4. Import public root CA's::</tt> </tt>
|
|
<a name="L128"></a><tt class="py-lineno">128</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L129"></a><tt class="py-lineno">129</tt> <tt class="py-line"><tt class="py-docstring"> modutil -add ca_certs -libfile /usr/lib/libnssckbi.so -dbdir ./pki</tt> </tt>
|
|
<a name="L130"></a><tt class="py-lineno">130</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L131"></a><tt class="py-lineno">131</tt> <tt class="py-line"><tt class="py-docstring"> This is necessary to verify certificates presented by a SSL server a</tt> </tt>
|
|
<a name="L132"></a><tt class="py-lineno">132</tt> <tt class="py-line"><tt class="py-docstring"> NSS client might connect to. When verifying a certificate the NSS</tt> </tt>
|
|
<a name="L133"></a><tt class="py-lineno">133</tt> <tt class="py-line"><tt class="py-docstring"> library will "walk the certificate chain" back to a root CA which</tt> </tt>
|
|
<a name="L134"></a><tt class="py-lineno">134</tt> <tt class="py-line"><tt class="py-docstring"> must be trusted. This command imports the well known root CA's as a</tt> </tt>
|
|
<a name="L135"></a><tt class="py-lineno">135</tt> <tt class="py-line"><tt class="py-docstring"> PKCS #11 module.</tt> </tt>
|
|
<a name="L136"></a><tt class="py-lineno">136</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L137"></a><tt class="py-lineno">137</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L138"></a><tt class="py-lineno">138</tt> <tt class="py-line"><tt class="py-docstring">===============================</tt> </tt>
|
|
<a name="L139"></a><tt class="py-lineno">139</tt> <tt class="py-line"><tt class="py-docstring">Things All NSS programs must do</tt> </tt>
|
|
<a name="L140"></a><tt class="py-lineno">140</tt> <tt class="py-line"><tt class="py-docstring">===============================</tt> </tt>
|
|
<a name="L141"></a><tt class="py-lineno">141</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L142"></a><tt class="py-lineno">142</tt> <tt class="py-line"><tt class="py-docstring">- Import the NSS/NSPR modules::</tt> </tt>
|
|
<a name="L143"></a><tt class="py-lineno">143</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L144"></a><tt class="py-lineno">144</tt> <tt class="py-line"><tt class="py-docstring"> from nss.error import NSPRError</tt> </tt>
|
|
<a name="L145"></a><tt class="py-lineno">145</tt> <tt class="py-line"><tt class="py-docstring"> import nss.io as io</tt> </tt>
|
|
<a name="L146"></a><tt class="py-lineno">146</tt> <tt class="py-line"><tt class="py-docstring"> import nss.nss as nss</tt> </tt>
|
|
<a name="L147"></a><tt class="py-lineno">147</tt> <tt class="py-line"><tt class="py-docstring"> import nss.ssl as ssl</tt> </tt>
|
|
<a name="L148"></a><tt class="py-lineno">148</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L149"></a><tt class="py-lineno">149</tt> <tt class="py-line"><tt class="py-docstring"> In the interest of code brevity we drop the leading "nss." from the</tt> </tt>
|
|
<a name="L150"></a><tt class="py-lineno">150</tt> <tt class="py-line"><tt class="py-docstring"> module namespace.</tt> </tt>
|
|
<a name="L151"></a><tt class="py-lineno">151</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L152"></a><tt class="py-lineno">152</tt> <tt class="py-line"><tt class="py-docstring">- Initialize NSS and indicate the certificate database (CertDB)::</tt> </tt>
|
|
<a name="L153"></a><tt class="py-lineno">153</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L154"></a><tt class="py-lineno">154</tt> <tt class="py-line"><tt class="py-docstring"> db_name = 'sql:pki'</tt> </tt>
|
|
<a name="L155"></a><tt class="py-lineno">155</tt> <tt class="py-line"><tt class="py-docstring"> ssl.nssinit(db_name)</tt> </tt>
|
|
<a name="L156"></a><tt class="py-lineno">156</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L157"></a><tt class="py-lineno">157</tt> <tt class="py-line"><tt class="py-docstring">- If you are implementing an SSL server call config_secure_server()</tt> </tt>
|
|
<a name="L158"></a><tt class="py-lineno">158</tt> <tt class="py-line"><tt class="py-docstring"> (see ssl_example.py)::</tt> </tt>
|
|
<a name="L159"></a><tt class="py-lineno">159</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L160"></a><tt class="py-lineno">160</tt> <tt class="py-line"><tt class="py-docstring"> sock = ssl.SSLSocket(net_addr.family)</tt> </tt>
|
|
<a name="L161"></a><tt class="py-lineno">161</tt> <tt class="py-line"><tt class="py-docstring"> sock.config_secure_server(server_cert, priv_key, server_cert_kea)</tt> </tt>
|
|
<a name="L162"></a><tt class="py-lineno">162</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L163"></a><tt class="py-lineno">163</tt> <tt class="py-line"><tt class="py-docstring"> **WARNING** you must call config_secure_server() for SSL servers, if</tt> </tt>
|
|
<a name="L164"></a><tt class="py-lineno">164</tt> <tt class="py-line"><tt class="py-docstring"> you do not call it the most likely result will be the NSS library</tt> </tt>
|
|
<a name="L165"></a><tt class="py-lineno">165</tt> <tt class="py-line"><tt class="py-docstring"> will segfault (not pretty).</tt> </tt>
|
|
<a name="L166"></a><tt class="py-lineno">166</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L167"></a><tt class="py-lineno">167</tt> <tt class="py-line"><tt class="py-docstring">========</tt> </tt>
|
|
<a name="L168"></a><tt class="py-lineno">168</tt> <tt class="py-line"><tt class="py-docstring">Examples</tt> </tt>
|
|
<a name="L169"></a><tt class="py-lineno">169</tt> <tt class="py-line"><tt class="py-docstring">========</tt> </tt>
|
|
<a name="L170"></a><tt class="py-lineno">170</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L171"></a><tt class="py-lineno">171</tt> <tt class="py-line"><tt class="py-docstring">There are example programs under "examples" in the documentation</tt> </tt>
|
|
<a name="L172"></a><tt class="py-lineno">172</tt> <tt class="py-line"><tt class="py-docstring">directory. On Fedora/RHEL/CentOS systems this will be</tt> </tt>
|
|
<a name="L173"></a><tt class="py-lineno">173</tt> <tt class="py-line"><tt class="py-docstring">/usr/share/doc/python-nss.</tt> </tt>
|
|
<a name="L174"></a><tt class="py-lineno">174</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L175"></a><tt class="py-lineno">175</tt> <tt class="py-line"><tt class="py-docstring">The ssl_example.py sample implements both a client and server in one</tt> </tt>
|
|
<a name="L176"></a><tt class="py-lineno">176</tt> <tt class="py-line"><tt class="py-docstring">script. You tell it whether to run as a client (-C) or a server (-S)</tt> </tt>
|
|
<a name="L177"></a><tt class="py-lineno">177</tt> <tt class="py-line"><tt class="py-docstring">when you invoke it. The sample shows many of the NSS/NSPR calls and</tt> </tt>
|
|
<a name="L178"></a><tt class="py-lineno">178</tt> <tt class="py-line"><tt class="py-docstring">fully implements basic non-SSL client/server using NSPR, SSL</tt> </tt>
|
|
<a name="L179"></a><tt class="py-lineno">179</tt> <tt class="py-line"><tt class="py-docstring">client/server using NSS, certificate validation, CertDB operations,</tt> </tt>
|
|
<a name="L180"></a><tt class="py-lineno">180</tt> <tt class="py-line"><tt class="py-docstring">and client authentication using certificates.</tt> </tt>
|
|
<a name="L181"></a><tt class="py-lineno">181</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L182"></a><tt class="py-lineno">182</tt> <tt class="py-line"><tt class="py-docstring">To get a list of command line options::</tt> </tt>
|
|
<a name="L183"></a><tt class="py-lineno">183</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L184"></a><tt class="py-lineno">184</tt> <tt class="py-line"><tt class="py-docstring"> ssl_example.py --help</tt> </tt>
|
|
<a name="L185"></a><tt class="py-lineno">185</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L186"></a><tt class="py-lineno">186</tt> <tt class="py-line"><tt class="py-docstring">Using the above example certificate database, the server can be run like</tt> </tt>
|
|
<a name="L187"></a><tt class="py-lineno">187</tt> <tt class="py-line"><tt class="py-docstring">this::</tt> </tt>
|
|
<a name="L188"></a><tt class="py-lineno">188</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L189"></a><tt class="py-lineno">189</tt> <tt class="py-line"><tt class="py-docstring"> ssl_example.py -S -c ./pki -n myhost</tt> </tt>
|
|
<a name="L190"></a><tt class="py-lineno">190</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L191"></a><tt class="py-lineno">191</tt> <tt class="py-line"><tt class="py-docstring">The client can be run like this::</tt> </tt>
|
|
<a name="L192"></a><tt class="py-lineno">192</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L193"></a><tt class="py-lineno">193</tt> <tt class="py-line"><tt class="py-docstring"> ssl_example.py -C -c ./pki</tt> </tt>
|
|
<a name="L194"></a><tt class="py-lineno">194</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L195"></a><tt class="py-lineno">195</tt> <tt class="py-line"><tt class="py-docstring">======</tt> </tt>
|
|
<a name="L196"></a><tt class="py-lineno">196</tt> <tt class="py-line"><tt class="py-docstring">Issues</tt> </tt>
|
|
<a name="L197"></a><tt class="py-lineno">197</tt> <tt class="py-line"><tt class="py-docstring">======</tt> </tt>
|
|
<a name="L198"></a><tt class="py-lineno">198</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L199"></a><tt class="py-lineno">199</tt> <tt class="py-line"><tt class="py-docstring">- The current partitioning of the NSS and NSPR API's into Python</tt> </tt>
|
|
<a name="L200"></a><tt class="py-lineno">200</tt> <tt class="py-line"><tt class="py-docstring"> modules (i.e. the Python namespaces and their symbols) is a first</tt> </tt>
|
|
<a name="L201"></a><tt class="py-lineno">201</tt> <tt class="py-line"><tt class="py-docstring"> cut and may not be ideal. One should be prepared for name changes as</tt> </tt>
|
|
<a name="L202"></a><tt class="py-lineno">202</tt> <tt class="py-line"><tt class="py-docstring"> the binding matures.</tt> </tt>
|
|
<a name="L203"></a><tt class="py-lineno">203</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L204"></a><tt class="py-lineno">204</tt> <tt class="py-line"><tt class="py-docstring">- NSPR vs. Python</tt> </tt>
|
|
<a name="L205"></a><tt class="py-lineno">205</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L206"></a><tt class="py-lineno">206</tt> <tt class="py-line"><tt class="py-docstring"> An original design goal of NSS was to be portable, however NSS</tt> </tt>
|
|
<a name="L207"></a><tt class="py-lineno">207</tt> <tt class="py-line"><tt class="py-docstring"> required access to many system level functions which can vary</tt> </tt>
|
|
<a name="L208"></a><tt class="py-lineno">208</tt> <tt class="py-line"><tt class="py-docstring"> widely between platforms and OS's. Therefore NSPR was written to</tt> </tt>
|
|
<a name="L209"></a><tt class="py-lineno">209</tt> <tt class="py-line"><tt class="py-docstring"> encapsulate system services such as IO, sockets, threads, timers,</tt> </tt>
|
|
<a name="L210"></a><tt class="py-lineno">210</tt> <tt class="py-line"><tt class="py-docstring"> etc. into a common API to insulate NSS from the underlying</tt> </tt>
|
|
<a name="L211"></a><tt class="py-lineno">211</tt> <tt class="py-line"><tt class="py-docstring"> platform.</tt> </tt>
|
|
<a name="L212"></a><tt class="py-lineno">212</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L213"></a><tt class="py-lineno">213</tt> <tt class="py-line"><tt class="py-docstring"> In many respects Python and its collection of packages and modules</tt> </tt>
|
|
<a name="L214"></a><tt class="py-lineno">214</tt> <tt class="py-line"><tt class="py-docstring"> provides the same type of platform independence for applications</tt> </tt>
|
|
<a name="L215"></a><tt class="py-lineno">215</tt> <tt class="py-line"><tt class="py-docstring"> and libraries and provides its own implementation of IO, sockets,</tt> </tt>
|
|
<a name="L216"></a><tt class="py-lineno">216</tt> <tt class="py-line"><tt class="py-docstring"> threads, timers, etc.</tt> </tt>
|
|
<a name="L217"></a><tt class="py-lineno">217</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L218"></a><tt class="py-lineno">218</tt> <tt class="py-line"><tt class="py-docstring"> Unfortunately NSPR's and Python's run time abstractions are not</tt> </tt>
|
|
<a name="L219"></a><tt class="py-lineno">219</tt> <tt class="py-line"><tt class="py-docstring"> the same nor can either be configured to use a different</tt> </tt>
|
|
<a name="L220"></a><tt class="py-lineno">220</tt> <tt class="py-line"><tt class="py-docstring"> underlying abstraction layer.</tt> </tt>
|
|
<a name="L221"></a><tt class="py-lineno">221</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L222"></a><tt class="py-lineno">222</tt> <tt class="py-line"><tt class="py-docstring"> Currently the NSS binding utilizes *only* the NSPR abstraction</tt> </tt>
|
|
<a name="L223"></a><tt class="py-lineno">223</tt> <tt class="py-line"><tt class="py-docstring"> layer. One consequence of this is it is not possible to create a</tt> </tt>
|
|
<a name="L224"></a><tt class="py-lineno">224</tt> <tt class="py-line"><tt class="py-docstring"> Python socket and use it as the foundation for any NSS functions</tt> </tt>
|
|
<a name="L225"></a><tt class="py-lineno">225</tt> <tt class="py-line"><tt class="py-docstring"> expecting a socket, or vice versa.</tt> </tt>
|
|
<a name="L226"></a><tt class="py-lineno">226</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L227"></a><tt class="py-lineno">227</tt> <tt class="py-line"><tt class="py-docstring"> You **must** use the nss.io module to create and manipulate a</tt> </tt>
|
|
<a name="L228"></a><tt class="py-lineno">228</tt> <tt class="py-line"><tt class="py-docstring"> socket used by NSS. You cannot pass this socket to any Python</tt> </tt>
|
|
<a name="L229"></a><tt class="py-lineno">229</tt> <tt class="py-line"><tt class="py-docstring"> library function expecting a socket. The two are not compatible.</tt> </tt>
|
|
<a name="L230"></a><tt class="py-lineno">230</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L231"></a><tt class="py-lineno">231</tt> <tt class="py-line"><tt class="py-docstring"> Here are some reasons for this incompatibility, perhaps in the</tt> </tt>
|
|
<a name="L232"></a><tt class="py-lineno">232</tt> <tt class="py-line"><tt class="py-docstring"> future we can find a solution but the immediate goal of the NSS</tt> </tt>
|
|
<a name="L233"></a><tt class="py-lineno">233</tt> <tt class="py-line"><tt class="py-docstring"> Python binding was to expose NSS through Python, not necessarily</tt> </tt>
|
|
<a name="L234"></a><tt class="py-lineno">234</tt> <tt class="py-line"><tt class="py-docstring"> to solve the larger integration issue of Python run-time and NSPR</tt> </tt>
|
|
<a name="L235"></a><tt class="py-lineno">235</tt> <tt class="py-line"><tt class="py-docstring"> run-time.</tt> </tt>
|
|
<a name="L236"></a><tt class="py-lineno">236</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L237"></a><tt class="py-lineno">237</tt> <tt class="py-line"><tt class="py-docstring"> - NSPR would like to hide the underlying platform socket (in the</tt> </tt>
|
|
<a name="L238"></a><tt class="py-lineno">238</tt> <tt class="py-line"><tt class="py-docstring"> NSPR code this is called "osfd"). There are NSPR API's which</tt> </tt>
|
|
<a name="L239"></a><tt class="py-lineno">239</tt> <tt class="py-line"><tt class="py-docstring"> will operate on osfd's</tt> </tt>
|
|
<a name="L240"></a><tt class="py-lineno">240</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L241"></a><tt class="py-lineno">241</tt> <tt class="py-line"><tt class="py-docstring"> - One can base a NSPR socket on an existing osfd via:</tt> </tt>
|
|
<a name="L242"></a><tt class="py-lineno">242</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L243"></a><tt class="py-lineno">243</tt> <tt class="py-line"><tt class="py-docstring"> - PR_ImportFile()</tt> </tt>
|
|
<a name="L244"></a><tt class="py-lineno">244</tt> <tt class="py-line"><tt class="py-docstring"> - PR_ImportPipe()</tt> </tt>
|
|
<a name="L245"></a><tt class="py-lineno">245</tt> <tt class="py-line"><tt class="py-docstring"> - PR_ImportTCPSocket()</tt> </tt>
|
|
<a name="L246"></a><tt class="py-lineno">246</tt> <tt class="py-line"><tt class="py-docstring"> - PR_ImportUDPSocket()</tt> </tt>
|
|
<a name="L247"></a><tt class="py-lineno">247</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L248"></a><tt class="py-lineno">248</tt> <tt class="py-line"><tt class="py-docstring"> - One can obtain the osfd in use by NSPR, either when the</tt> </tt>
|
|
<a name="L249"></a><tt class="py-lineno">249</tt> <tt class="py-line"><tt class="py-docstring"> osfd was imported or because NSPR created the osfd itself via:</tt> </tt>
|
|
<a name="L250"></a><tt class="py-lineno">250</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L251"></a><tt class="py-lineno">251</tt> <tt class="py-line"><tt class="py-docstring"> - PR_FileDesc2NativeHandle();</tt> </tt>
|
|
<a name="L252"></a><tt class="py-lineno">252</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L253"></a><tt class="py-lineno">253</tt> <tt class="py-line"><tt class="py-docstring"> But note this function is not meant to be public in the NSPR</tt> </tt>
|
|
<a name="L254"></a><tt class="py-lineno">254</tt> <tt class="py-line"><tt class="py-docstring"> API and is documented as being deprecated and carries an</tt> </tt>
|
|
<a name="L255"></a><tt class="py-lineno">255</tt> <tt class="py-line"><tt class="py-docstring"> explicit warning against its use.</tt> </tt>
|
|
<a name="L256"></a><tt class="py-lineno">256</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L257"></a><tt class="py-lineno">257</tt> <tt class="py-line"><tt class="py-docstring"> Once NSPR gets a hold of an osfd it manipulates it in a manner</tt> </tt>
|
|
<a name="L258"></a><tt class="py-lineno">258</tt> <tt class="py-line"><tt class="py-docstring"> as if it were the only owner of the osfd. Other native code</tt> </tt>
|
|
<a name="L259"></a><tt class="py-lineno">259</tt> <tt class="py-line"><tt class="py-docstring"> (e.g. the CPython socket code) which operates on the fd may run</tt> </tt>
|
|
<a name="L260"></a><tt class="py-lineno">260</tt> <tt class="py-line"><tt class="py-docstring"> afoul of NSPR's belief it is the only code in the system operating</tt> </tt>
|
|
<a name="L261"></a><tt class="py-lineno">261</tt> <tt class="py-line"><tt class="py-docstring"> on the fd. For example in CPython the non-blocking flag is</tt> </tt>
|
|
<a name="L262"></a><tt class="py-lineno">262</tt> <tt class="py-line"><tt class="py-docstring"> directly set on the fd and non-blocking behavior is implemented</tt> </tt>
|
|
<a name="L263"></a><tt class="py-lineno">263</tt> <tt class="py-line"><tt class="py-docstring"> by the OS. However, NSPR manages non-blocking behavior</tt> </tt>
|
|
<a name="L264"></a><tt class="py-lineno">264</tt> <tt class="py-line"><tt class="py-docstring"> internally to the NSPR library eschewing direct OS support for</tt> </tt>
|
|
<a name="L265"></a><tt class="py-lineno">265</tt> <tt class="py-line"><tt class="py-docstring"> non-blocking. Thus CPython and NSPR are in direct conflict over</tt> </tt>
|
|
<a name="L266"></a><tt class="py-lineno">266</tt> <tt class="py-line"><tt class="py-docstring"> when and how non-blocking is set on an fd. Examples of this</tt> </tt>
|
|
<a name="L267"></a><tt class="py-lineno">267</tt> <tt class="py-line"><tt class="py-docstring"> problem can be seen in the Python socket.makefile() operation</tt> </tt>
|
|
<a name="L268"></a><tt class="py-lineno">268</tt> <tt class="py-line"><tt class="py-docstring"> which takes the fd belonging to a system socket, dups it, and</tt> </tt>
|
|
<a name="L269"></a><tt class="py-lineno">269</tt> <tt class="py-line"><tt class="py-docstring"> calls fdopen() on the dup'ed fd to return a FILE stream (all</tt> </tt>
|
|
<a name="L270"></a><tt class="py-lineno">270</tt> <tt class="py-line"><tt class="py-docstring"> Python file IO is based on file objects utilizing a FILE</tt> </tt>
|
|
<a name="L271"></a><tt class="py-lineno">271</tt> <tt class="py-line"><tt class="py-docstring"> stream). However, the dup'ed fd does not share the same</tt> </tt>
|
|
<a name="L272"></a><tt class="py-lineno">272</tt> <tt class="py-line"><tt class="py-docstring"> non-blocking flag, NSPR explicitly forces the flag off, Python</tt> </tt>
|
|
<a name="L273"></a><tt class="py-lineno">273</tt> <tt class="py-line"><tt class="py-docstring"> wants to directly manipulate it. Dup'ed fd's share their flags</tt> </tt>
|
|
<a name="L274"></a><tt class="py-lineno">274</tt> <tt class="py-line"><tt class="py-docstring"> thus if Python operates on the dup'ed fd returned by NSPR it's</tt> </tt>
|
|
<a name="L275"></a><tt class="py-lineno">275</tt> <tt class="py-line"><tt class="py-docstring"> going to confuse NSPR. Likewise if one sets non-blocking via</tt> </tt>
|
|
<a name="L276"></a><tt class="py-lineno">276</tt> <tt class="py-line"><tt class="py-docstring"> NSPR then Python won't honor the flag because Python is</tt> </tt>
|
|
<a name="L277"></a><tt class="py-lineno">277</tt> <tt class="py-line"><tt class="py-docstring"> expecting the flag to be set on the fd, not in some other</tt> </tt>
|
|
<a name="L278"></a><tt class="py-lineno">278</tt> <tt class="py-line"><tt class="py-docstring"> location (e.g. internal to NSPR).</tt> </tt>
|
|
<a name="L279"></a><tt class="py-lineno">279</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L280"></a><tt class="py-lineno">280</tt> <tt class="py-line"><tt class="py-docstring"> - Python's socket implementation is a very thin layer over the</tt> </tt>
|
|
<a name="L281"></a><tt class="py-lineno">281</tt> <tt class="py-line"><tt class="py-docstring"> Berkeley socket API. There is very little abstraction, thus</tt> </tt>
|
|
<a name="L282"></a><tt class="py-lineno">282</tt> <tt class="py-line"><tt class="py-docstring"> Python and Python programs expect to manipulate sockets directly</tt> </tt>
|
|
<a name="L283"></a><tt class="py-lineno">283</tt> <tt class="py-line"><tt class="py-docstring"> via their fd's.</tt> </tt>
|
|
<a name="L284"></a><tt class="py-lineno">284</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L285"></a><tt class="py-lineno">285</tt> <tt class="py-line"><tt class="py-docstring"> - The error and exception model for Python sockets and SSL is an</tt> </tt>
|
|
<a name="L286"></a><tt class="py-lineno">286</tt> <tt class="py-line"><tt class="py-docstring"> almost direct one-to-one mapping of the Posix and OpenSSL</tt> </tt>
|
|
<a name="L287"></a><tt class="py-lineno">287</tt> <tt class="py-line"><tt class="py-docstring"> errors. But NSS uses NSPR errors, thus Python code which has</tt> </tt>
|
|
<a name="L288"></a><tt class="py-lineno">288</tt> <tt class="py-line"><tt class="py-docstring"> exception handlers for sockets and SSL are expecting a completely</tt> </tt>
|
|
<a name="L289"></a><tt class="py-lineno">289</tt> <tt class="py-line"><tt class="py-docstring"> different set of exceptions.</tt> </tt>
|
|
<a name="L290"></a><tt class="py-lineno">290</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L291"></a><tt class="py-lineno">291</tt> <tt class="py-line"><tt class="py-docstring"> - Python's SSL implementation is a very thin layer over the</tt> </tt>
|
|
<a name="L292"></a><tt class="py-lineno">292</tt> <tt class="py-line"><tt class="py-docstring"> OpenSSL API, there is little abstraction. Thus there is a</tt> </tt>
|
|
<a name="L293"></a><tt class="py-lineno">293</tt> <tt class="py-line"><tt class="py-docstring"> sizeable body of Python code which expects the OpenSSL model for</tt> </tt>
|
|
<a name="L294"></a><tt class="py-lineno">294</tt> <tt class="py-line"><tt class="py-docstring"> IO ready and has exception handlers based on OpenSSL.</tt> </tt>
|
|
<a name="L295"></a><tt class="py-lineno">295</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L296"></a><tt class="py-lineno">296</tt> <tt class="py-line"><tt class="py-docstring">===</tt> </tt>
|
|
<a name="L297"></a><tt class="py-lineno">297</tt> <tt class="py-line"><tt class="py-docstring">FAQ</tt> </tt>
|
|
<a name="L298"></a><tt class="py-lineno">298</tt> <tt class="py-line"><tt class="py-docstring">===</tt> </tt>
|
|
<a name="L299"></a><tt class="py-lineno">299</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L300"></a><tt class="py-lineno">300</tt> <tt class="py-line"><tt class="py-docstring">To be added</tt> </tt>
|
|
<a name="L301"></a><tt class="py-lineno">301</tt> <tt class="py-line"><tt class="py-docstring"></tt> </tt>
|
|
<a name="L302"></a><tt class="py-lineno">302</tt> <tt class="py-line"><tt class="py-docstring">"""</tt> </tt>
|
|
<a name="L303"></a><tt class="py-lineno">303</tt> <tt class="py-line"> </tt>
|
|
<a name="L304"></a><tt class="py-lineno">304</tt> <tt class="py-line"><tt class="py-name">__version__</tt> <tt class="py-op">=</tt> <tt class="py-string">'1.0.0'</tt> </tt>
|
|
<a name="L305"></a><tt class="py-lineno">305</tt> <tt class="py-line"> </tt><script type="text/javascript">
|
|
<!--
|
|
expandto(location.href);
|
|
// -->
|
|
</script>
|
|
</pre>
|
|
<br />
|
|
<!-- ==================== NAVIGATION BAR ==================== -->
|
|
<table class="navbar" border="0" width="100%" cellpadding="0"
|
|
bgcolor="#a0c0ff" cellspacing="0">
|
|
<tr valign="middle">
|
|
<!-- Home link -->
|
|
<th bgcolor="#70b0f0" class="navbar-select"
|
|
> Home </th>
|
|
|
|
<!-- Tree link -->
|
|
<th> <a
|
|
href="module-tree.html">Trees</a> </th>
|
|
|
|
<!-- Index link -->
|
|
<th> <a
|
|
href="identifier-index.html">Indices</a> </th>
|
|
|
|
<!-- Help link -->
|
|
<th> <a
|
|
href="help.html">Help</a> </th>
|
|
|
|
<th class="navbar" width="100%"></th>
|
|
</tr>
|
|
</table>
|
|
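<!-- Footer: generator credit on the left, generator home page link on the right. -->
<!-- The width attribute originally read "100%%" (an unescaped template percent sign), which is not a valid length; corrected to "100%". -->
<table border="0" cellpadding="0" cellspacing="0" width="100%">
  <tr>
    <td align="left" class="footer">
    Generated by Epydoc 3.0.1
    </td>
    <td align="right" class="footer">
      <!-- NOTE(review): this link is plain http and uses a named target ("mainFrame").
           Outside the frameset that name does not exist, so browsers typically open
           a new window for it. Switch to an https URL only after confirming the host
           serves one. -->
      <a target="mainFrame" href="http://epydoc.sourceforge.net"
        >http://epydoc.sourceforge.net</a>
    </td>
  </tr>
</table>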
|
|
|
|
<script type="text/javascript">
|
|
<!--
|
|
// Private objects are initially displayed (because if
|
|
// javascript is turned off then we want them to be
|
|
// visible); but by default, we want to hide them. So hide
|
|
// them unless we have a cookie that says to show them.
|
|
checkCookie();
|
|
// -->
|
|
</script>
|
|
</body>
|
|
</html>
|