Enabling TLS/SSL

Creating Contexts

When calling enable_ssl() on any given TCP object, the **kwargs will be passed to one of the two context functions below. Alternatively, you can call these functions separately (or create your own context) and pass it to enable_ssl().

omniserver.certs.create_client_context(protocol=_SSLMethod.PROTOCOL_TLS_CLIENT, cert_required=True, ca_cert=None, ca_path=None, ca_data=None, certfile=None, keyfile=None)

Create SSL context for client sockets

Arguments can be passed to initialization functions as **kwargs, or this function can be called directly.

Parameters:

  • protocol – Protocol to be passed to ssl.SSLContext()

  • cert_required (bool) – Require a valid certificate from the server

  • ca_cert (str) – Path to certificate to be used to verify server against

  • ca_path (str) – Path to folder with certificates to verify server against

  • ca_data – Ascii string of PEM-encoded cert, or DER-encoded bytes

  • certfile (str) – Certificate to be sent if asked to verify self

  • keyfile (str) – Private key file

Returns context:

SSLContext that can be used to wrap a client socket

Return type:

ssl.SSLContext

omniserver.certs.create_server_context(protocol=_SSLMethod.PROTOCOL_TLS_SERVER, certfile=None, keyfile=None)

Create SSL context for server sockets

Arguments can be passed to initialization functions as **kwargs, or this function can be called directly.

Parameters:

  • protocol – Protocol to be passed to ssl.SSLContext()

  • certfile (str) – Certificate to be sent if asked to verify self

  • keyfile (str) – Private key file (Not required if in certfile)

Returns context:

SSLContext that can be used to wrap a server socket

Return type:

ssl.SSLContext

Generating Certificates

Server-side TLS/SSL requires a certificate of some sort. They can be generated with the following function:

omniserver.certs.create_cert_key(cert='ca.crt', key='private.key', keysize=4096, days=365, **kwargs)

Generate self signed cert and private key

Create self signed CA cert and private key, primarily for use by servers. Currently only available on Linux.

Parameters:

  • cert (str) – Name of created cert

  • key (str) – Name of created private key

  • keysize (int) – Bit-size of private key encryption

  • days (int) – Days

  • **kwargs

    Cert subj information (C, ST, L, O, OU, CN)

Returns cert_key:

Absolute path to cert and private key

Return type:

tuple