hM,SSKJr SSKrSSKJr SSKJr SSKJr SSK J r SSK J r J r SSKJrJr SS KJr SSKrSS KJrJrJrJr SS KJr SS KJrJr SS KJ r SSK!J"r"J#r# SSK$J%r%J&r&J'r'J(r( SSK)J*r* SSK+J,r, SSK-J.r.J/r/ SSK0J1r1 SSK2J3r3 SSK4J5r5 SSK6J7r7 \*"5r8"SS\5r9\9Rt\Rv\9Rx\Rz\9R|\R~\9R\R\9R\C"\SS50rDSrE"SS\F5rGSrHSrIS rJS!rK\K"5urLrMrN"S"S#\5rO\OR\OR- \OlQS$rRS%S%S&S&S'S'S(S(S)S)S*S*S+S,. rS"S-S.\ \T\U45rV\VrW"S/S05rXS1rY"S2S3\X5rZ"S4S5\X5r["S6S7\Z5r\"S8S95r]"S:S;\]5r^"S<S=\ 5r_\ "\_5"S>S?55r`S@ra\ "\_5"SASB55rbSCrcSDrd\ "\'5"SESF55reS`SSG.SHjjrf\ "\(5"SISJ55rg\/"\"SKSLSS5SM5"\gR5\glh\/"\"SKSLSS5SM5"\gR5\gli\ "\&5\R"SNSNSO9"SPSQ555rk\"SRSS9ST5rl\"SUSS9SV5rm\ "\%5"SWSX55rn\nRSY5rpSZrq"S[S\5rr"S]S^5rsS_rtg)a) annotationsN)hexlify) lru_cachemd5)Dict) Interface implementer)SSLcrypto)lib) FlagConstantFlags NamedConstantNames)Version) isIPAddress isIPv6Address)Deferred)CertificateError VerifyError)IAcceptableCiphersICipherIOpenSSLClientConnectionCreatorIOpenSSLContextFactory)Logger) nativeString)_mutuallyExclusiveArguments deprecated)Failure) secureRandom) nameToLabel) _idnaBytesc^\rSrSrSr\"5r\"5r\"5r\"5r \"5r Sr g) TLSVersion*z< TLS versions that we can negotiate with the client/server. N) __name__ __module__ __qualname____firstlineno____doc__rSSLv3TLSv1_0TLSv1_1TLSv1_2TLSv1_3__static_attributes__r(b/root/1688_scrapy/alibaba-scraper/venv/lib/python3.13/site-packages/twisted/internet/_sslverify.pyr&r&*s, OEoGoGoGoGr4r& OP_NO_TLSv1_3c [[R55nUSURU5Vs/sHo3PM nnU(a2UR X"RU5SVs/sHo3PM sn5 U$s snfs snf)a Given a pair of L{TLSVersion} constants, figure out what versions we want to disable (as OpenSSL is an exclusion based API). @param oldest: The oldest L{TLSVersion} we want to allow. @type oldest: L{TLSVersion} constant @param newest: The newest L{TLSVersion} we want to allow, or L{None} for no upper limit. @type newest: L{TLSVersion} constant or L{None} @return: The versions we want to disable. @rtype: L{list} of L{TLSVersion} constants. N)listr& iterconstantsindexextend)oldestnewestversionsxexcludedVersionss r5_getExcludedTLSProtocolsrABsJ,,./H#+,DhnnV.D#EF#Ea#EF H^^F5K5M,N O,Nq,N OP  G!Ps A<( Bc\rSrSrSrSrg)SimpleVerificationErrorZz' Not a very useful verification error. r(N)r)r*r+r,r-r3r(r4r5rCrCZsr4rCcUR5R5RnX!:wa#[[ U5S-[ U5-5eg)a Check only the common name in the certificate presented by the peer and only for an exact match. This is to provide I{something} in the way of hostname verification to users who haven't installed C{service_identity}. This check is overly strict, relies on a deprecated TLS feature (you're supposed to ignore the commonName if the subjectAlternativeName extensions are present, I believe), and lots of valid certificates will fail. @param connection: the OpenSSL connection to verify. @type connection: L{OpenSSL.SSL.Connection} @param hostname: The hostname expected by the user. @type hostname: L{unicode} @raise twisted.internet.ssl.VerificationError: if the common name and hostname don't match. z!=N)get_peer_certificate get_subject commonNamerCrepr) connectionhostnamerHs r5simpleVerifyHostnamerL`sJ(002>>@KKJ%d:&6&=X&NOOr4c[S5e)a Always fails validation of IP addresses @param connection: the OpenSSL connection to verify. @type connection: L{OpenSSL.SSL.Connection} @param hostname: The hostname expected by the user. @type hostname: L{unicode} @raise twisted.internet.ssl.VerificationError: Always raised z&Cannot verify certificate IP addresses)rC)rJrKs r5simpleVerifyIPAddressrNys ""J KKr4cHSURS5SS5upX4S:$)z Check pyOpenSSL version string whether we can use it for host verification. @param version: A pyOpenSSL version string. @type version: L{str} @rtype: L{bool} c38# UHn[U5v M g7fN)int).0parts r5 #_usablePyOpenSSL..sA*@$CII*@.N)r )split)versionmajorminors r5_usablePyOpenSSLr_s.B'--*W $$r4cSnSSKJn SSKJnJn X#U4$![ a7n[ R"S[U5-S-U-[SSS9 S nAOS nAff=f[[[4$) z Determine if C{service_identity} is installed. If so, use it. If not, use simplistic and incorrect checking as implemented in L{simpleVerifyHostname}. @return: 2-tuple of (C{verify_hostname}, C{VerificationError}) @rtype: L{tuple} zWithout the service_identity module, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.r)VerificationError)verify_hostnameverify_ip_addresszHYou do not have a working installation of the service_identity module: 'z'. Please install it from and make sure all of its dependencies are satisfied. )categoryfilenamelinenoN) service_identityraservice_identity.pyopensslrbrc ImportErrorwarnings warn_explicitstr UserWarningrLrNrC) whatsWrongrarbrces r5_selectVerifyImplementationrqs 9  6Q3DDD    )+.q6 25< <?I  I !    !68O OOs A-AAc8\rSrSrSr\"S5r\"S5rSrg)ProtocolNegotiationSupporta L{ProtocolNegotiationSupport} defines flags which are used to indicate the level of NPN/ALPN support provided by the TLS backend. @cvar NOSUPPORT: There is no support for NPN or ALPN. This is exclusive with both L{NPN} and L{ALPN}. @cvar NPN: The implementation supports Next Protocol Negotiation. @cvar ALPN: The implementation supports Application Layer Protocol Negotiation. r#rYr(N) r)r*r+r,r-rNPNALPNr3r(r4r5rsrss  v C  Dr4rsc`[Rn[R"[R5nUR S5 U[R -nURS5 U[R-nU$![[4a N:f=f![[4a U$f=f)a] Checks whether your versions of PyOpenSSL and OpenSSL are recent enough to support protocol negotiation, and if they are, what kind of protocol negotiation is supported. @return: A combination of flags from L{ProtocolNegotiationSupport} that indicate which mechanisms for protocol negotiation are supported. @rtype: L{constantly.FlagConstant} cgrQr(cs r5/protocolNegotiationMechanisms..sr4cgrQr(rys r5r{r|str4) rs NOSUPPORTr Context SSLv23_METHODset_npn_advertise_callbackruAttributeErrorNotImplementedErrorset_alpn_select_callbackrv)supportctxs r5protocolNegotiationMechanismsrs)22G ++c'' (C2 &&~6 -1113 $$^4 -222 N / 0    / 0   N  s#BBBBB-,B-rHorganizationNameorganizationalUnitName localityNamestateOrProvinceName countryName emailAddress) CNrHOrOUrLrSTrCrrcJ\rSrSrSrSrSrSrSrS Sjr Sr S r S r Sr g ) DistinguishedNameia Identify and describe an entity. Distinguished names are used to provide a minimal amount of identifying information about a certificate issuer or subject. They are commonly created with one or more of the following fields:: commonName (CN) organizationName (O) organizationalUnitName (OU) localityName (L) stateOrProvinceName (ST) countryName (C) emailAddress A L{DistinguishedName} should be constructed using keyword arguments whose keys can be any of the field names above (as a native string), and the values are either Unicode text which is encodable to ASCII, or L{bytes} limited to the ASCII subset. Any fields passed to the constructor will be set as attributes, accessible using both their extended name and their shortened acronym. The attribute values will be the ASCII-encoded bytes. For example:: >>> dn = DistinguishedName(commonName=b'www.example.com', ... C='US') >>> dn.C b'US' >>> dn.countryName b'US' >>> hasattr(dn, "organizationName") False L{DistinguishedName} instances can also be used as dictionaries; the keys are extended name of the fields:: >>> dn.keys() ['countryName', 'commonName'] >>> dn['countryName'] b'US' r(c NUR5Hup#[XU5 M grQ)itemssetattr)selfkwkvs r5__init__DistinguishedName.__init__2sHHJDA DQ r4cX[H n[XS5nUcM[XU5 M" grQ) _x509namesgetattrr)rx509namenamevalues r5 _copyFromDistinguishedName._copyFrom6s(DHD1E E*r4c`UR5Hup#[X[U55 M grQ)rrr)rrrrs r5 _copyIntoDistinguishedName._copyInto<s"JJLDA Ha 1!r4c8S[RU5SS-$)Nzr#)dict__repr__rs r5rDistinguishedName.__repr__@sDMM$/"566r4cNU[U$![a [U5ef=frQ)rKeyErrorr)rattrs r5 __getattr__DistinguishedName.__getattr__Cs1 ' 4() ) ' & & 's $cU[;a[US35e[Un[U[5(dUR S5nX U'g)Nz' is not a valid OpenSSL X509 name fieldascii)rr isinstancebytesencode)rrrrealAttrs r5 __setattr__DistinguishedName.__setattr__IsI z ! D6)P!QR Rd#%''LL)EXr4cn/nSnSn[U"[55HPn[U5n[[ U5U5n[ XS5nUcM4UR U[U545 MR US- n[U5H!unupXURU5S-U-X'M# SRU5$)zP Return a multi-line, human-readable representation of this DN. @rtype: L{str} rc4[UR55$rQ)setvalues)mappings r5 uniqueValues/DistinguishedName.inspect..uniqueValuesZsw~~'( (r4NrYz:  ) sortedrr"maxlenrappendr enumeraterjustjoin) rllablenrrlabelrnattribs r5inspectDistinguishedName.inspectQs  ) Z01ANEUV,F&A}%a12 2 ! "+A, A;;v&-6AD#/yy|r4Nreturnrm)r)r*r+r,r- __slots__rrrrrrrr3r(r4r5rrs2(TI + 27' r4rc0\rSrSrSrSrSrSrSrSr g) CertBaseilz Base class for public (certificate only) and private (certificate + key pair) certificates. @ivar original: The underlying OpenSSL certificate object. @type original: L{OpenSSL.crypto.X509} cXlgrQoriginal)rrs r5rCertBase.__init__us r4ct[5nUR[URSU-5"55 U$)Nget_)rrrr)rsuffixdns r5 _copyNameCertBase._copyNamexs-   WT]]FVO<>? r4c$URS5$)z} Retrieve the subject of this certificate. @return: A copy of the subject of this certificate. @rtype: L{DistinguishedName} subjectrrs r5 getSubjectCertBase.getSubject}s~~i((r4cLU[La[UR/5$[$)a Convert this L{CertBase} into a provider of the given interface. @param interface: The interface to conform to. @type interface: L{zope.interface.interfaces.IInterface} @return: an L{IOpenSSLTrustRoot} provider or L{NotImplemented} @rtype: L{IOpenSSLTrustRoot} or L{NotImplemented} )IOpenSSLTrustRootOpenSSLCertificateAuthoritiesrNotImplemented)r interfaces r5 __conform__CertBase.__conform__s$ ) )0$--A Ar4rN) r)r*r+r,r-rrrrr3r(r4r5rrls! ) r4rc[UR5SUS3S5nUc[SRX55eU"5nUc[SRX55eU"U5$)z (private) Helper for L{Certificate.peerFromTransport} and L{Certificate.hostFromTransport} which checks for incompatible handle types and null certificates and raises the appropriate exception or returns the appropriate certificate object. r _certificateNz2non-TLS transport {!r} did not have {} certificatez.TLS transport {!r} did not have {} certificate)r getHandlerformat)Class transport methodNamemethodcerts r5_handleattrhelperrsY((*d:,l,KT RF ~ @ G G   8D | < C C   ;r4c\rSrSrSrSSjrSSjr\\RS4Sj5r \ r Sr \S5r \S 5r\S 5rS r\R4SS jjrS rSSjrSrSrSrSrSrg) Certificateiz An x509 certificate. cSRURRUR5R SS5UR 5R SS55$)Nz<{} Subject={} Issuer={}>rHrd)r __class__r)rget getIssuerrs r5rCertificate.__repr__sP*11 NN # # OO  ! !, 3 NN  r 2  r4cz[U[5(a!UR5UR5:H$[$rQ)rrdumpr)rothers r5__eq__Certificate.__eq__s, e[ ) )99;%**,. .r4r(c<U"[R"X!5/UQ76$)zK Load a certificate from an ASN.1- or PEM-format string. @rtype: C{Class} )r load_certificate)r requestDatarargss r5loadCertificate.loadsV,,VAIDIIr4c@UR[R5$)zD Dump this certificate to a PEM-format data string. @rtype: L{str} )rr FILETYPE_PEMrs r5dumpPEMCertificate.dumpPEMs yy,,--r4cBURU[R5$)zE Load a certificate from a PEM-format data string. @rtype: C{Class} )rr r rdatas r5loadPEMCertificate.loadPEMszz$ 3 344r4c[XS5$)z Get the certificate for the remote end of the given transport. @param transport: an L{ISystemHandle} provider @rtype: C{Class} @raise CertificateError: if the given transport does not have a peer certificate. peerrrrs r5peerFromTransportCertificate.peerFromTransport!6::r4c[XS5$)z Get the certificate for the local end of the given transport. @param transport: an L{ISystemHandle} provider; the transport we will @rtype: C{Class} @raise CertificateError: if the given transport does not have a host certificate. hostrrs r5hostFromTransportCertificate.hostFromTransportrr4cH[URR55$)z@ Get the public key for this certificate. @rtype: L{PublicKey} ) PublicKeyr get_pubkeyrs r5 getPublicKeyCertificate.getPublicKeys 11344r4cB[R"XR5$rQ)r dump_certificaterrrs r5rCertificate.dumps&&v}}==r4c6URR5$)zA Retrieve the serial number of this certificate. @rtype: L{int} )rget_serial_numberrs r5 serialNumberCertificate.serialNumbers }}..00r4c8URRU5$)z Return a digest hash of this certificate using the specified hash algorithm. @param method: One of C{'md5'} or C{'sha'}. @return: The digest of the object, formatted as b":"-delimited hex pairs @rtype: L{bytes} )rdigest)rrs r5r,Certificate.digest s}}##F++r4c SRSUR5R5SUR5R5SUR 5-S[ UR 55-/5$)NrzCertificate For Subject:z Issuer:z Serial Number: %dz Digest: %s)rrrrr)rr,rs r5_inspectCertificate._inspectshyy*!))+ ((*%(9(9(;;|DKKM::    r4c|SRUR5UR5R545$)z Return a multi-line, human-readable representation of this Certificate, including information about the subject, issuer, and public key. r)rr/r!rrs r5rCertificate.inspect$s0 yy$--/4+<+<+>+F+F+HIJJr4c$URS5$)z{ Retrieve the issuer of this certificate. @rtype: L{DistinguishedName} @return: A copy of the issuer of this certificate. issuerrrs r5rCertificate.getIssuer,s~~h''r4c[S5e)Nz'Possible, but doubtful we need this yet)r)r authoritiess r5optionsCertificate.options5s!"KLLr4Nr)robjectrbool)rrRrrr)r)r*r+r,r-rr classmethodr FILETYPE_ASN1r_loadr rrrr!rr)r,r/rrr8r3r(r4r5rrs  (.(<(<2JJ E.55 ; ; ; ;5"(!5!5>1 ,  K(Mr4rcb\rSrSrSr\\R4Sj5r\R4Sjr Sr g)CertificateRequesti9z An x509 certificate request. Certificate requests are given to certificate authorities to be signed and returned resulting in an actual certificate. c[R"X!5n[5nURUR 55 UR UR 55(d[SU<S35eU"U5$)NzCan't verify that request for z is self-signed.)r load_certificate_requestrrrGverifyr r)rr requestFormatreqrs r5rCertificateRequest.loadAsc--mI   S__&'zz#..*++ >rfDTUV VSzr4cB[R"XR5$rQ)r dump_certificate_requestrr%s r5rCertificateRequest.dumpJs..v}}EEr4r(N) r)r*r+r,r-r<r r=rrr3r(r4r5r@r@9s5/5/C/C!..Fr4r@c \rSrSrSrSSjrSr\R4Sjr \ \R4Sj5r Sr Sr \ S 5r\ S 5rS r\RS 4S jr\R\R4SjrSSjrSrg)PrivateCertificateiNz& An x509 certificate and private key. c^[RU5S-[UR5-$)Nz with )rrrI privateKeyrs r5rPrivateCertificate.__repr__Ss&##D)H4tDOO7LLLr4cpURUR55(d [S5eXlU$)Nz1Certificate public and private keys do not match.)matchesr!rrM)rrMs r5_setPrivateKey!PrivateCertificate._setPrivateKeyVs2!!$"3"3"566QR R$ r4c:URXRU5$)ze Create a new L{PrivateCertificate} from the given certificate data and this instance's private key. )rrMr newCertDatars r5newCertificate!PrivateCertificate.newCertificate\s yyoov>>r4cBURX5RU5$rQ)r>rQ)rrrMrs r5rPrivateCertificate.loadcs{{4(77 CCr4c~SR[RU5URR 5/5$)Nr)rrr/rMrrs r5rPrivateCertificate.inspectgs.yy+..t4doo6M6M6OPQQr4cUR[R5URR[R5-$)zQ Dump both public and private parts of a private certificate to PEM-format data. )rr r rMrs r5r PrivateCertificate.dumpPEMjs: yy,,-0D0D   1   r4cURU[RU[R5[R5$)z^ Load both private and public parts of a private certificate from a chunk of PEM-format data. )rKeyPairr r rs r5rPrivateCertificate.loadPEMss3 zz ',,tV%8%896;N;N  r4cHU"UR5nURU5$rQ)rrQ)rcertificateInstancerMprivcerts r5fromCertificateAndKeyPair,PrivateCertificate.fromCertificateAndKeyPair}s$,556&&z22r4c [URRURS9nU(a;UR[[ UVs/sHo3RPM sn5S95 [ S0UD6$s snf)z Create a context factory using this L{PrivateCertificate}'s certificate and private key. @param authorities: A list of L{Certificate} object @return: A context factory. @rtype: L{CertificateOptions } rM certificate) trustRootr()rrMrupdaterOpenSSLCertificateOptions)rr7r8auths r5r8PrivateCertificate.optionssg$//":": V  NN;3>?;4;? )3733 @s A6sha256cVURRUR5X5$rQ)rMcertificateRequestr)rrdigestAlgorithms r5rp%PrivateCertificate.certificateRequests%11 OO v  r4cbUR5nURRUUUUUU5$rQ)rrMsignCertificateRequest)rrverifyDNCallbackr)rDcertificateFormatr4s r5rt)PrivateCertificate.signCertificateRequests9"55         r4c\URRUR5UUUU5$rQ)rMsignRequestObjectr)rrpr)secondsToExpiryrqs r5ry$PrivateCertificate.signRequestObjects100 OO        r4)rMNr3rn)r)r*r+r,r-rrQr r=rVr<rrr rrdr8rprtryr3r(r4r5rKrKNsM 281E1E?-3-A-ADDR   334*)/(<()rr)rrs r5rPublicKey.__repr__s)4>>**+1T\\^,>r4c[R"[RUR5n[ 5nUR U5 UR 5$)a Compute a hash of the underlying PKey object. The purpose of this method is to allow you to determine if two certificates share the same public key; it is not really useful for anything else. In versions of Twisted prior to 15.0, C{keyHash} used a technique involving certificate requests for computing the hash that was not stable in the face of changes to the underlying OpenSSL library. @return: Return a 32-character hexadecimal string uniquely identifying this public key, I{for this version of Twisted}. @rtype: native L{str} )r dump_publickeyr=rrrj hexdigest)rrawhs r5rPublicKey.keyHashs> ##F$8$8$--H E  {{}r4c(SUR53$)NzPublic Key with Hash: rrs r5rPublicKey.inspects' '788r4rNr) r)r*r+r,r-rrPrrrr3r(r4r5rrs  ! 4?*9r4rc\rSrSr\\R 4Sj5r\R 4Sjr\ "\ "SSSS5S5S5r \ "\ "SSSS5S5S 5r S r \\RS 4S j5r\R 4S jrSSjr\R S4Sjr\R \R SS4SjrSSjrSrSrg)r_ic:U"[R"X!55$rQ)r load_privatekey)rrrs r5r KeyPair.loadsV++F9::r4cB[R"XR5$rQ)r dump_privatekeyrr%s r5r KeyPair.dumps%%fmm< U(d[SRT T55eTRTTTTT5RT5$)Nz)DN callback {!r} rejected request DN {!r})rrryr) rrvrqrhlreqissuerDistinguishedNamerzrr)rus r5verified0KeyPair.signCertificateRequest..verifiedFsW!?FF(" ))'  d$%  &r4)r@rrrr addCallback) rrrrur)rDrvrzrqvvalrrrs `` `` ``` @@r5rtKeyPair.signCertificateRequest/sb$#'' C    # & & dH % %##H- -D> !r4cURn[R"5nURUR 55 UR UR 55 URUR55 URS5 URU5 URU5 URURU5 [U5$)zG Sign a CertificateRequest instance, returning a Certificate instance. r)rr X509r get_issuer set_subjectrGrr gmtime_adj_notBeforegmtime_adj_notAfterset_serial_numberrr)rrrr)rzrqrErs r5ryKeyPair.signRequestObjectZs$${{}))$//*;< *+ () !!!$   1 |, $--14  r4c [S0UD6n[RURX0R U5U5U5$)Nr()DNrKrdryr)rr)rrs r5selfSignedCertKeyPair.selfSignedCertps= X"X!;;  " "2'9'9"'=| Ld  r4r(N)rnr|)r)r*r+r,r<r r=rrrrrrrrrrVrrprtryrr3r(r4r5r_r_s!'!5!5;;!..= 2q!,.IJK 2q!,.IJKKK 6#__4 281E1EB')/(<(}. c$UR5 grQ)set_default_verify_paths)rrs r5r(OpenSSLDefaultPaths._addCACertsToContexts((*r4r(Nrr(r4r5rrs  +r4rc[5$)at Attempt to discover a set of trusted certificate authority certificates (or, in other words: trust roots, or root certificates) whose trust is managed and updated by tools outside of Twisted. If you are writing any client-side TLS code with Twisted, you should use this as the C{trustRoot} argument to L{CertificateOptions }. The result of this function should be like the up-to-date list of certificates in a web browser. When developing code that uses C{platformTrust}, you can think of it that way. However, the choice of which certificate authorities to trust is never Twisted's responsibility. Unless you're writing a very unusual application or library, it's not your code's responsibility either. The user may use platform-specific tools for defining which server certificates should be trusted by programs using TLS. The purpose of using this API is to respect that decision as much as possible. This should be a set of trust settings most appropriate for I{client} TLS connections; i.e. those which need to verify a server's authenticity. You should probably use this by default for any client TLS connection that you create. For servers, however, client certificates are typically not verified; or, if they are, their verification will depend on a custom, application-specific certificate authority. @since: 14.0 @note: Currently, L{platformTrust} depends entirely upon your OpenSSL build supporting a set of "L{default verify paths }" which correspond to certificate authority trust roots. Unfortunately, whether this is true of your system is both outside of Twisted's control and difficult (if not impossible) for Twisted to detect automatically. Nevertheless, this ought to work as desired by default on: - Ubuntu Linux machines with the U{ca-certificates } package installed, - macOS when using the system-installed version of OpenSSL (i.e. I{not} one installed via MacPorts or Homebrew), - any build of OpenSSL which has had certificate authority certificates installed into its default verify paths (by default, C{/usr/local/ssl/certs} if you've built your own OpenSSL), or - any process where the C{SSL_CERT_FILE} environment variable is set to the path of a file containing your desired CA certificates bundle. Hopefully soon, this API will be updated to use more sophisticated trust-root discovery mechanisms. Until then, you can follow tickets in the Twisted tracker for progress on this implementation on U{Microsoft Windows }, U{macOS }, and U{a fallback for other platforms which do not have native trust management tools }. @return: an appropriate trust settings object for your platform. @rtype: L{IOpenSSLTrustRoot} @raise NotImplementedError: if this platform is not yet supported by Twisted. At present, only OpenSSL is supported. )rr(r4r5 platformTrustrsF   r4c^SU4SjjnU$)a Wrap up an C{info_callback} for pyOpenSSL so that if something goes wrong the error is immediately logged and the connection is dropped if possible. This wrapper exists because some versions of pyOpenSSL don't handle errors from callbacks at I{all}, and those which do write tracebacks directly to stderr rather than to a supplied logging system. This reports unexpected errors to the Twisted logging system. Also, this terminates the connection immediately if possible because if you've got bugs in your verification logic it's much safer to just give up. @param wrapped: A valid C{info_callback} for pyOpenSSL. @type wrapped: L{callable} @return: A valid C{info_callback} for pyOpenSSL that handles any errors in C{wrapped}. @rtype: L{callable} c>Sn[RS5nT"XU5nSSS5 WR=nbUR5R U5 U$!,(df  N>=f)NzError during info_callback)_logfailuresHandledfailure get_app_datafailVerification)rJwhereretresultopfwrappeds r5 infoCallback%_tolerateErrors..infoCallback's_  ! !"> ?2Z4F@OA (  # # % 6 6q 9 @ ?s A A))rJzSSL.ConnectionrrRrrRrr:r()rrs` r5_tolerateErrorsrs* r4c*\rSrSrSrSrSrSrSrg)ClientTLSOptionsi2a Client creator for TLS. Private implementation type (not exposed to applications) for public L{optionsForClientTLS} API. @ivar _ctx: The context to use for new connections. @type _ctx: L{OpenSSL.SSL.Context} @ivar _hostname: The hostname to verify, as specified by the application, as some human-readable text. @type _hostname: L{unicode} @ivar _hostnameBytes: The hostname to verify, decoded into IDNA-encoded bytes. This is passed to APIs which think that hostnames are bytes, such as OpenSSL's SNI implementation. @type _hostnameBytes: L{bytes} @ivar _hostnameASCII: The hostname, as transcoded into IDNA ASCII-range unicode code points. This is pre-transcoded because the C{service_identity} package is rather strict about requiring the C{idna} package from PyPI for internationalized domain names, rather than working with Python's built-in (but sometimes broken) IDNA encoding. ASCII values, however, will always work. @type _hostnameASCII: L{unicode} @ivar _hostnameIsDnsName: Whether or not the C{_hostname} is a DNSName. Will be L{False} if C{_hostname} is an IP address or L{True} if C{_hostname} is a DNSName @type _hostnameIsDnsName: L{bool} cNX lXl[U5(d[U5(aUR S5UlSUlO[U5UlSUlUR RS5Ul UR[UR55 g)z Initialize L{ClientTLSOptions}. @param hostname: The hostname to verify as input by a human. @type hostname: L{unicode} @param ctx: an L{OpenSSL.SSL.Context} to use for new connections. @type ctx: L{OpenSSL.SSL.Context}. rFTN) _ctx _hostnamerrr_hostnameBytes_hostnameIsDnsNamer$decode_hostnameASCIIset_info_callbackr_identityVerifyingInfoCallback)rrKrs r5rClientTLSOptions.__init__Ts ! x M($;$;"*//'":D &+D #",X"6D &*D #"1188A od.Q.QRSr4cnURn[R"US5nURU5 U$)a Create a TLS connection for a client. @note: This will call C{set_app_data} on its connection. If you're delegating to this implementation of this method, don't ever call C{set_app_data} or C{set_info_callback} on the returned connection, or you'll break the implementation of various features of this class. @param tlsProtocol: the TLS protocol initiating the connection. @type tlsProtocol: L{twisted.protocols.tls.TLSMemoryBIOProtocol} @return: the configured client connection. @rtype: L{OpenSSL.SSL.Connection} N)r r Connection set_app_data)r tlsProtocolrrJs r5clientConnectionForTLS'ClientTLSOptions.clientConnectionForTLSks1 ))^^GT2  ,r4cU[R-(a-UR(aURUR5 gU[R -(a>UR(a[ XR5 g[XR5 gg![a. [5nUR5nURU5 gf=f)a U{info_callback } for pyOpenSSL that verifies the hostname in the presented certificate matches the one passed to this L{ClientTLSOptions}. @param connection: the connection which is handshaking. @type connection: L{OpenSSL.SSL.Connection} @param where: flags indicating progress through a TLS handshake. @type where: L{int} @param ret: ignored @type ret: ignored N) r SSL_CB_HANDSHAKE_STARTr set_tlsext_host_namer SSL_CB_HANDSHAKE_DONEverifyHostnamerverifyIPAddressrar rr)rrJrrrrs r5r/ClientTLSOptions._identityVerifyingInfoCallbacks$ 3-- -$2I2I  + +D,?,? @ S.. . .**":/B/BC#J0C0CD / % .I&335 **1- .s&BB5CC)r r rr r N) r)r*r+r,r-rrrr3r(r4r5rr2s@T.*.r4r)extraCertificateOptionscLUc0nUc [5n[U[5(d"[SURR -5eU(a.UR URRURS9 [SUUS.UD6n[XR55$)a5 Create a L{client connection creator } for use with APIs such as L{SSL4ClientEndpoint }, L{connectSSL }, and L{startTLS }. @since: 14.0 @param hostname: The expected name of the remote host. This serves two purposes: first, and most importantly, it verifies that the certificate received from the server correctly identifies the specified hostname. The second purpose is to use the U{Server Name Indication extension } to indicate to the server which certificate should be used. @type hostname: L{unicode} @param trustRoot: Specification of trust requirements of peers. This may be a L{Certificate} or the result of L{platformTrust}. By default it is L{platformTrust} and you probably shouldn't adjust it unless you really know what you're doing. Be aware that clients using this interface I{must} verify the server; you cannot explicitly pass L{None} since that just means to use L{platformTrust}. @type trustRoot: L{IOpenSSLTrustRoot} @param clientCertificate: The certificate and private key that the client will use to authenticate to the server. If unspecified, the client will not authenticate. @type clientCertificate: L{PrivateCertificate} @param acceptableProtocols: The protocols this peer is willing to speak after the TLS negotiation has completed, advertised over both ALPN and NPN. If this argument is specified, and no overlap can be found with the other peer, the connection will fail to be established. If the remote peer does not offer NPN or ALPN, the connection will be established, but no protocol wil be negotiated. Protocols earlier in the list are preferred over those later in the list. @type acceptableProtocols: L{list} of L{bytes} @param extraCertificateOptions: A dictionary of additional keyword arguments to be presented to L{CertificateOptions}. Please avoid using this unless you absolutely need to; any time you need to pass an option here that is a bug in this interface. @type extraCertificateOptions: L{dict} @return: A client connection creator. @rtype: L{IOpenSSLClientConnectionCreator} z6optionsForClientTLS requires text for host names, not rg)riacceptableProtocolsr() rrrmrrr)rjrMrrkr getContext)rKriclientCertificater!rcertificateOptionss r5optionsForClientTLSr%sp&"$!O h $ $ D  )) *  &&(33<<)22 ' 3/ " H&C&C&E FFr4c \rSrSrSr\R rSr\ \ Rr \ Rr\"SS/SS/SS/SS /SS /S S /SS //5SS j5rS rSrSrSrSrg)rkia A L{CertificateOptions } specifies the security properties for a client or server TLS connection used with OpenSSL. @ivar _options: Any option flags to set on the L{OpenSSL.SSL.Context} object that will be created. @type _options: L{int} @ivar _cipherString: An OpenSSL-specific cipher string. @type _cipherString: L{unicode} @ivar _defaultMinimumTLSVersion: The default TLS version that will be negotiated. This should be a "safe default", with wide client and server support, vs an optimally secure one that excludes a large number of users. As of May 2022, TLSv1.2 is that safe default. @type _defaultMinimumTLSVersion: L{TLSVersion} constant NrirequireCertificaterCrrinsecurelyLowerMinimumToraiseMinimumTolowerMaximumSecurityToc USLUSL:wa [S5eXlX l[R[R -[R -Ul[RUl Uc[RUl U(a*U(aUU:a [S5eUUR:aUnUcURnU(aUU:aUnU(aUU:a [S5e[UU5nUHnU=R[U-slM! O [R "S["SS9 X0l U(aU(d [S5eX@lU bSX4;a [S 5eU bXlO/UlXPlX`lXplXlXlU (a4U=R[R2[R4--slXlXlU (a#U=R[R:-slXlU (d#U=R[R>-slXl [C[RD[F[HS 9Ul%Uc[LnS ROS URQ[SS URUR5555Ul*URTS:Xa [S5eUcUR$(a [WU5nOSUlSUl[YU5nUUl-Ub[]5(d [_S5eUUl0g)a Create an OpenSSL context SSL connection context factory. @param privateKey: A PKey object holding the private key. @param certificate: An X509 object holding the certificate. @param method: Deprecated, use a combination of C{insecurelyLowerMinimumTo}, C{raiseMinimumTo}, or C{lowerMaximumSecurityTo} instead. The SSL protocol to use, one of C{TLS_METHOD}, C{TLSv1_2_METHOD}, or C{TLSv1_2_METHOD} (or any future method constants provided by pyOpenSSL). By default, a setting will be used which allows TLSv1.2 and TLSv1.3. Can not be used with C{insecurelyLowerMinimumTo}, C{raiseMinimumTo}, or C{lowerMaximumSecurityTo}. @param verify: Please use a C{trustRoot} keyword argument instead, since it provides the same functionality in a less error-prone way. By default this is L{False}. If L{True}, verify certificates received from the peer and fail the handshake if verification fails. Otherwise, allow anonymous sessions and sessions with certificates which fail validation. @param caCerts: Please use a C{trustRoot} keyword argument instead, since it provides the same functionality in a less error-prone way. List of certificate authority certificate objects to use to verify the peer's certificate. Only used if verify is L{True} and will be ignored otherwise. Since verify is L{False} by default, this is L{None} by default. @type caCerts: L{list} of L{OpenSSL.crypto.X509} @param verifyDepth: Depth in certificate chain down to which to verify. If unspecified, use the underlying default (9). @param requireCertificate: Please use a C{trustRoot} keyword argument instead, since it provides the same functionality in a less error-prone way. If L{True}, do not allow anonymous sessions; defaults to L{True}. @param verifyOnce: If True, do not re-verify the certificate on session resumption. @param enableSingleUseKeys: If L{True}, generate a new key whenever ephemeral DH and ECDH parameters are used to prevent small subgroup attacks and to ensure perfect forward secrecy. @param enableSessions: This allows a shortened handshake to be used when a known client reconnects to the same process. If True, enable OpenSSL's session caching. Note that session caching only works on a single Twisted node at once. Also, it is currently somewhat risky due to U{a crashing bug when using OpenSSL 1.1.1 }. @param fixBrokenPeers: If True, enable various non-spec protocol fixes for broken SSL implementations. This should be entirely safe, according to the OpenSSL documentation, but YMMV. This option is now off by default, because it causes problems with connections between peers using OpenSSL 0.9.8a. @param enableSessionTickets: If L{True}, enable session ticket extension for session resumption per RFC 5077. Note there is no support for controlling session tickets. This option is off by default, as some server implementations don't correctly process incoming empty session ticket extensions in the hello. @param extraCertChain: List of certificates that I{complete} your verification chain if the certificate authority that signed your C{certificate} isn't widely supported. Do I{not} add C{certificate} to it. @type extraCertChain: C{list} of L{OpenSSL.crypto.X509} @param acceptableCiphers: Ciphers that are acceptable for connections. Uses a secure default if left L{None}. @type acceptableCiphers: L{IAcceptableCiphers} @param dhParameters: Key generation parameters that are required for Diffie-Hellman key exchange. If this argument is left L{None}, C{EDH} ciphers are I{disabled} regardless of C{acceptableCiphers}. @type dhParameters: L{DiffieHellmanParameters } @param trustRoot: Specification of trust requirements of peers. If this argument is specified, the peer is verified. It requires a certificate, and that certificate must be signed by one of the certificate authorities specified by this object. Note that since this option specifies the same information as C{caCerts}, C{verify}, and C{requireCertificate}, specifying any of those options in combination with this one will raise a L{TypeError}. @type trustRoot: L{IOpenSSLTrustRoot} @param acceptableProtocols: The protocols this peer is willing to speak after the TLS negotiation has completed, advertised over both ALPN and NPN. If this argument is specified, and no overlap can be found with the other peer, the connection will fail to be established. If the remote peer does not offer NPN or ALPN, the connection will be established, but no protocol wil be negotiated. Protocols earlier in the list are preferred over those later in the list. @type acceptableProtocols: L{list} of L{bytes} @param raiseMinimumTo: The minimum TLS version that you want to use, or Twisted's default if it is higher. Use this if you want to make your client/server more secure than Twisted's default, but will accept Twisted's default instead if it moves higher than this value. You probably want to use this over C{insecurelyLowerMinimumTo}. @type raiseMinimumTo: L{TLSVersion} constant @param insecurelyLowerMinimumTo: The minimum TLS version to use, possibly lower than Twisted's default. If not specified, it is a generally considered safe default (TLSv1.0). If you want to raise your minimum TLS version to above that of this default, use C{raiseMinimumTo}. DO NOT use this argument unless you are absolutely sure this is what you want. @type insecurelyLowerMinimumTo: L{TLSVersion} constant @param lowerMaximumSecurityTo: The maximum TLS version to use. If not specified, it is the most recent your OpenSSL supports. You only want to set this if the peer that you are communicating with has problems with more recent TLS versions, it lowers your security when communicating with newer peers. DO NOT use this argument unless you are absolutely sure this is what you want. @type lowerMaximumSecurityTo: L{TLSVersion} constant @raise ValueError: when C{privateKey} or C{certificate} are set without setting the respective other. @raise ValueError: when C{verify} is L{True} but C{caCerts} doesn't specify any CA certificates. @raise ValueError: when C{extraCertChain} is passed without specifying C{privateKey} or C{certificate}. @raise ValueError: when C{acceptableCiphers} doesn't yield any usable ciphers for the current platform. @raise TypeError: if C{trustRoot} is passed in combination with C{caCert}, C{verify}, or C{requireCertificate}. Please prefer C{trustRoot} in new code, as its semantics are less tricky. @raise TypeError: if C{method} is passed in combination with C{tlsProtocols}. Please prefer the more explicit C{tlsProtocols} in new code. @raises NotImplementedError: If acceptableProtocols were provided but no negotiation mechanism is available. Nz5Specify neither or both of privateKey and certificatez.5s&  JJsALLrdzGSupplied IAcceptableCiphers yielded no usable ciphers on this platform.Tz5No support for protocol negotiation on this platform.)1 ValueErrorrMrhr OP_NO_SSLv2OP_NO_COMPRESSIONOP_CIPHER_SERVER_PREFERENCE_optionsMODE_RELEASE_BUFFERS_mode TLS_METHODr_defaultMinimumTLSVersionrA_tlsDisableFlagsrkwarnDeprecationWarningrCextraCertChainr verifyDepthr' verifyOnceenableSingleUseKeysOP_SINGLE_DH_USEOP_SINGLE_ECDH_USEenableSessionsfixBrokenPeersOP_ALLenableSessionTickets OP_NO_TICKET dhParameters!_ChooseDiffieHellmanEllipticCurveOPENSSL_VERSION_NUMBER pyOpenSSLlibr _ecChooserdefaultCiphersr selectCiphers_expandCipherString _cipherStringrrrirr_acceptableProtocols)rrMrhrrCrrBr'rCrDrGrHrJrAacceptableCiphersrLrir!r)r(r*r@r\s r5r"OpenSSLCertificateOptions.__init__ sr $ K4$7 8TU U$& OOc33 3c6U6U U -- >..DK)n?U.U$1 "D$B$BB/=,'/+/+I+I( +03II/E,',/EE - 8(*@  , !1'!:: , MM, # !K '=   %$:2K*K@   %"0 "$D  &"4$#6  MMS11C4J4JJ JM,,  MMSZZ 'M$8!# MMS-- -M(;  & &#    $ .  XX& &44#E4;; F&      #$   {{9'B DK&*D #))4I"  *3P3R3R%G %8!r4cdURR5nUS U$![a U$f=f)N_context)__dict__copyr)rds r5r&OpenSSLCertificateOptions.__getstate__Qs@ MM    *    s ! //cXlgrQ)rZrs r5r&OpenSSLCertificateOptions.__setstate__Ys r4c^URcUR5UlUR$)z* Return an L{OpenSSL.SSL.Context} object. )rY _makeContextrs r5r"$OpenSSLCertificateOptions.getContext\s( ==  --/DM}}r4cURUR5nURUR5 UR UR 5 UR bwURbjURUR 5 URUR5 URHnURU5 M UR5 [RnUR(as[R nUR"(aU[R$-nUR&(aU[R(-nUR*R-U5 UR/U5 UR0bUR3UR05 [5[7S55nUR9U5 UR:(a UR=[R>5 OUR=[R@5 URB(a/UREURBRFRH5 URKURLROS55 URPRSU5 URT(a[WXRT5 U$)Nr),_contextFactoryr set_optionsr9set_moder;rhrMuse_certificateuse_privatekeyrAadd_extra_chain_certcheck_privatekeyr VERIFY_NONErC VERIFY_PEERr'VERIFY_FAIL_IF_NO_PEER_CERTrCVERIFY_CLIENT_ONCErir set_verifyrBset_verify_depthrr!set_session_idrGset_session_cache_modeSESS_CACHE_SERVERSESS_CACHE_OFFrL load_tmp_dh_dhFilepathset_cipher_listrTrrPconfigureECDHCurverU_setAcceptableProtocols)rr extraCert verifyFlagssessionIDContexts r5ra&OpenSSLCertificateOptions._makeContextds""4;;/  & TZZ    'DOO,G    0 0 1   t /!00 ((31  "oo ;;//K&&s>>> s555 NN / / 4 {#    '  !1!1 2 #<?3 +,     & &s'<'< =  & &s'9'9 :    OOD--55:: ; D..55g>? **3/  $ $ $C)B)B C r4)rZrUrTrYrPr;r9rrhrLrJrGrDrArHrrMr'rirCrBrC)NNNFN TTTFFFNNNNNNNN)r)r*r+r,r-r rrerYr>r&r2_OP_NO_TLSv1_3r1r=rrrrr"rar3r(r4r5rkrks(kkOH%j&8&89N * 2 2 . / ( # ) $ 1 2 ' ( 9 : / 0   " !%#+y8 y8v 8r4rkrrrT)frozen auto_attribsc$\rSrSr%SrS\S'Srg) OpenSSLCipheriz A representation of an OpenSSL cipher. @ivar fullName: The full name of the cipher. For example C{u"ECDHE-RSA-AES256-GCM-SHA384"}. @type fullName: L{unicode} rmr2r(N)r)r*r+r,r-__annotations__r3r(r4r5rrsMr4r )maxsizec([R"U5nURU5 URUR S55 [R"US5nUR5n[US[5(a[SU55$[SU55$![R aQnUR S(d[5sSnA$UR SSSS:Xa[5sSnA$eSnAff=f)a6 Expand C{cipherString} according to C{method} and C{options} to a tuple of explicit ciphers that are supported by the current platform. @param cipherString: An OpenSSL cipher string to expand. @type cipherString: L{unicode} @param method: An OpenSSL method like C{SSL.TLS_METHOD} used for determining the effective ciphers. @param options: OpenSSL options like C{SSL.OP_NO_SSLv3} ORed together. @type options: L{int} @return: The effective list of explicit ciphers that results from the arguments on the current platform. @rtype: L{tuple} of L{ICipher} rrNrYzno cipher matchc38# UHn[U5v M g7frQ)rrSciphers r5rU&_expandCipherString..sAv]6**rWc3V# UHn[URS55v M! g7f)rN)rr rs r5rUrs!Qv]6==#9::s')) r rrfryrErrorrtuplerget_cipher_listrrm) cipherStringrr8rrpconncipherss r5rSrSs& ++f COOG  L//89 >>#t $D""$G'!*c""AAAAQQQQ! 99  vvay7N 66!9Q<?/ /7N  s/ B,,DD D#"D D D  Dc.^[U4SjU55$)ah Caclulate the acceptable list of ciphers from the ciphers we want and the ciphers we have support for. @param wantedCiphers: The ciphers we want to use. @type wantedCiphers: L{tuple} of L{OpenSSLCipher} @param availableCiphers: The ciphers we have available to use. @type availableCiphers: L{tuple} of L{OpenSSLCipher} @rtype: L{tuple} of L{OpenSSLCipher} c36># UHoT;dM Uv M g7frQr()rSravailableCipherss r5rU!_selectCiphers..sRmFAQ7Qms  )r) wantedCiphersrs `r5_selectCiphersrs RmR RRr4c4\rSrSrSrSrSr\S5rSr g)OpenSSLAcceptableCiphersizF A representation of ciphers that are acceptable for TLS connections. c$[U5UlgrQ)r_ciphers)rrs r5r!OpenSSLAcceptableCiphers.__init__s g r4c@[UR[U55$rQ)rrr)rrs r5rR&OpenSSLAcceptableCiphers.selectCipherssdmmU3C-DEEr4cU"[[U5[R[R[R -55$)a Create a new instance using an OpenSSL cipher string. @param cipherString: An OpenSSL cipher string that describes what cipher suites are acceptable. See the documentation of U{OpenSSL } or U{Apache } for details. @type cipherString: L{unicode} @return: Instance representing C{cipherString}. @rtype: L{twisted.internet.ssl.AcceptableCiphers} )rSrr r<r6 OP_NO_SSLv3)clsrs r5fromOpenSSLCipherString0OpenSSLAcceptableCiphers.fromOpenSSLCipherStrings8" \*#//1   r4)rN) r)r*r+r,r-rrRr<rr3r(r4r5rrs&'F  r4rzTLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS prime256v1c6\rSrSrSrSrSrSrSrSr Sr g ) rMi/a Chooses the best elliptic curve for Elliptic Curve Diffie-Hellman key exchange, and provides a C{configureECDHCurve} method to set the curve, when appropriate, on a new L{OpenSSL.SSL.Context}. The C{configureECDHCurve} method will be set to one of the following based on the provided OpenSSL version and configuration: - L{_configureOpenSSL110} - L{_configureOpenSSL102} - L{_configureOpenSSL101} - L{_configureOpenSSL101NoCurves}. @param openSSLVersion: The OpenSSL version number. @type openSSLVersion: L{int} @see: L{OpenSSL.SSL.OPENSSL_VERSION_NUMBER} @param openSSLlib: The OpenSSL C{cffi} library module. @param openSSLcrypto: The OpenSSL L{crypto} module. @see: L{crypto} cX lX0lUS:aURUlgUS:aURUlgUR [ 5UlURUlg![a URUlgf=f)Nii ) _openSSLlib_openSSLcrypto_configureOpenSSL110rz_configureOpenSSL102get_elliptic_curve_defaultCurveName_ecCurve_configureOpenSSL101r5_configureOpenSSL101NoCurves)ropenSSLVersionr.r/s r5r*_ChooseDiffieHellmanEllipticCurve.__init__Ks%+ Z '&*&?&?D # z )&*&?&?D # D - @ @AR S +/*C*C'  L+/*K*K' LsA**BBcg)z OpenSSL 1.1.0 Contexts are preconfigured with an optimal set of ECDH curves. This method does nothing. @param ctx: L{OpenSSL.SSL.Context} Nr(rrs r5r6_ChooseDiffieHellmanEllipticCurve._configureOpenSSL110\rr4cvURnURRUS5 g![a gf=f)z Have the context automatically choose elliptic curves for ECDH. Run on OpenSSL 1.0.2 and OpenSSL 1.1.0+, but only has an effect on OpenSSL 1.0.2. @param ctx: The context which . @type ctx: L{OpenSSL.SSL.Context} TN)rYrSSL_CTX_set_ecdh_auto BaseException)rrctxPtrs r5r6_ChooseDiffieHellmanEllipticCurve._configureOpenSSL102ds:     2 264 @   s + 88c\URUR5 g![a gf=f)z Set the default elliptic curve for ECDH on the context. Only run on OpenSSL 1.0.1. @param ctx: The context on which to set the ECDH curve. @type ctx: L{OpenSSL.SSL.Context} N) set_tmp_ecdhrrrs r5r6_ChooseDiffieHellmanEllipticCurve._configureOpenSSL101ss+    T]] +   s  ++cg)z No elliptic curves are available on OpenSSL 1.0.1. We can't set anything, so do nothing. @param ctx: The context on which to set the ECDH curve. @type ctx: L{OpenSSL.SSL.Context} Nr(rs r5r>_ChooseDiffieHellmanEllipticCurve._configureOpenSSL101NoCurvesrr4)rrrrzN) r)r*r+r,r-rrrrrr3r(r4r5rMrM/s!6D"    r4rMc.\rSrSrSrSr\S5rSrg)OpenSSLDiffieHellmanParametersizb A representation of key generation parameters that are required for Diffie-Hellman key exchange. cXlgrQrw)r parameterss r5r'OpenSSLDiffieHellmanParameters.__init__s! r4cU"U5$)aK Load parameters from a file. Such a file can be generated using the C{openssl} command line tool as following: C{openssl dhparam -out dh_param_2048.pem -2 2048} Please refer to U{OpenSSL's C{dhparam} documentation } for further details. @param filePath: A file containing parameters for Diffie-Hellman key exchange. @type filePath: L{FilePath } @return: An instance that loads its parameters from C{filePath}. @rtype: L{DiffieHellmanParameters } r()rfilePaths r5fromFile'OpenSSLDiffieHellmanParameters.fromFiles*8}r4rN) r)r*r+r,r-rr<rr3r(r4r5rrs  "r4rc,^U4SjnT(dg[5nU[R-(a(U4SjnURU5 UR U5 U[R -(a#UR U5 URT5 gg)a Called to set up the L{OpenSSL.SSL.Context} for doing NPN and/or ALPN negotiation. @param context: The context which is set up. @type context: L{OpenSSL.SSL.Context} @param acceptableProtocols: The protocols this peer is willing to speak after the TLS negotiation has completed, advertised over both ALPN and NPN. If this argument is specified, and no overlap can be found with the other peer, the connection will fail to be established. If the remote peer does not offer NPN or ALPN, the connection will be established, but no protocol wil be negotiated. Protocols earlier in the list are preferred over those later in the list. @type acceptableProtocols: L{list} of L{bytes} cX>[U5[T5-nTH nX2;dM Us $ g)a4 NPN client-side and ALPN server-side callback used to select the next protocol. Prefers protocols found earlier in C{_acceptableProtocols}. @param conn: The context which is set up. @type conn: L{OpenSSL.SSL.Connection} @param conn: Protocols advertised by the other side. @type conn: L{list} of L{bytes} r4)r)r protocolsoverlappr!s r5protoSelectCallback4_setAcceptableProtocols..protoSelectCallbacks2i.3':#;;$A|%r4Nc>T$rQr()rr!s r5npnAdvertiseCallback5_setAcceptableProtocols..npnAdvertiseCallbacks & &r4)rrsrurset_npn_select_callbackrvrset_alpn_protos)rr!r supportedrs ` r5r{r{s~$0 -/I-111 ' **+?@''(;<-222(()<= 343r4)NNN)u __future__rrkbinasciir functoolsrhashlibrtypingrzope.interfacer r OpenSSLr r OpenSSL._utilr rOr constantlyrrrr incrementalrtwisted.internet.abstractrrtwisted.internet.deferrtwisted.internet.errorrrtwisted.internet.interfacesrrrrtwisted.loggerrtwisted.python.compatrtwisted.python.deprecaterrtwisted.python.failurer twisted.python.randbytesr!twisted.python.utilr"_idnar$rr&r.rr/ OP_NO_TLSv1r0 OP_NO_TLSv1_1r1 OP_NO_TLSv1_2r2rr>rA ExceptionrCrLrNr_rqrrrarsrur~rrrmrrrrrrr@rKrr_rrrrrrrr%rkrrsrrSrrrrQrrMrr{r(r4r5rs #1- @@@+@ ".L*1+ x  coo))))_d; 0i P2 L %"PJ6Q5R2!2    *""%?%C%CC$ >  * "6 " 0  " "aS%Z(aH&&R0IM(IMXFF*m m `9999xz iz z  * !! !(0> ++ +C!L@ ,-j.j..j.^ KG ! KG\ #$mm%m` *4 Ir1a "=*((**&*4 Ir1a "=*((**&  Wt$'  (  2&R&RR 3 S S   " " !" h*AA!X X vB95r4