As described earlier, the SSL framework provides a way to customize the SSL handshake process. This is done using the ssl.client_handshake and ssl.server_handshake hashes. These hashes are indexed by the keywords listed below.
The value of each entry is a tuple of two parts: 1) the tuple type, 2) the parameters for the given type. Currently only SSL_HS_POLICY is valid as tuple type, and it requires a function reference as its parameter.
The following keys are accepted as indexes:
- setup_key: This function is called when the proxy needs the private key/certificate pair to be set up. All attributes filled in the earlier phases can be used to decide which key/certificate to use. The function expects two parameters: self, side.
- setup_ca_list: This function is called when the proxy needs the trusted CA list to be set up. The function expects two parameters: self, side.
- setup_crl_list: This function is called when the proxy needs the CRL list to be set up. In addition to self and side, it receives a string parameter containing the name of the CA whose CRL is to be filled up. The function expects three parameters: self, side, ca_name.
- verify_cert: This function is called to finalize the verification process. The function expects two parameters: self, side.
The function arguments referenced above are defined as:
- self: The proxy instance.
- side: The side where the handshake is being performed.
- ca_name: Name of an X.509 certificate (the CA whose CRL is being set up).
The functions return one of the SSL_HS_* constants. Generally, if the function returns SSL_HS_ACCEPT the handshake continues; otherwise the handshake is aborted. As an exception, verify_cert may return SSL_HS_VERIFIED, in which case the certificate is accepted without further verification.
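The following is an added illustration, not code from the SSL framework or this documentation: it fills a handshake hash with the four documented keys and drives it through a small stand-in dispatcher that applies the documented return rules. The numeric values of the SSL_HS_* constants, the SSL_HS_REJECT name, the attribute names under self.ssl, the inventory of key pairs and pins, and the run_handshake/make_proxy helpers are all assumptions made for the example.

```python
from types import SimpleNamespace
# Assumed numeric values (the documentation names the constants only); the inventory below is constructed.
SSL_HS_ACCEPT, SSL_HS_REJECT, SSL_HS_POLICY, SSL_HS_VERIFIED = 0, 1, 6, 10
KEYPAIRS = {"www.example.test": ("key-www", "cert-www"), "api.example.test": ("key-api", "cert-api")}
PINNED = {"api.example.test": "sha256:constructed-pin"}

def setup_key(self, side):
    # Select the key/certificate pair for the server name learned earlier; fail closed if none exists.
    pair = KEYPAIRS.get(self.ssl.server_name)
    if pair is not None:
        self.ssl.local_privatekey, self.ssl.local_certificate = pair
    return SSL_HS_REJECT if pair is None else SSL_HS_ACCEPT

def setup_ca_list(self, side):
    self.ssl.local_ca_list = ["Example Root CA"]
    return SSL_HS_ACCEPT

def setup_crl_list(self, side, ca_name):
    # Abort when no current CRL is available for the CA instead of silently skipping revocation.
    crl = self.ssl.crl_store.get(ca_name)
    if crl is not None:
        self.ssl.local_crl_list.append(crl)
    return SSL_HS_REJECT if crl is None else SSL_HS_ACCEPT

def verify_cert(self, side):
    # A pinned peer is accepted outright; everyone else continues through the normal verification.
    fp = self.ssl.peer_fingerprint
    return SSL_HS_VERIFIED if fp and PINNED.get(self.ssl.server_name) == fp else SSL_HS_ACCEPT

# The handshake hash as documented: key -> (SSL_HS_POLICY, function reference).
client_handshake = {"setup_key": (SSL_HS_POLICY, setup_key), "setup_ca_list": (SSL_HS_POLICY, setup_ca_list),
                    "setup_crl_list": (SSL_HS_POLICY, setup_crl_list), "verify_cert": (SSL_HS_POLICY, verify_cert)}

def make_proxy(server_name, crl_store, peer_fingerprint=None):  # stand-in for the proxy passed as self
    return SimpleNamespace(ssl=SimpleNamespace(server_name=server_name, crl_store=crl_store,
                                               local_crl_list=[], peer_fingerprint=peer_fingerprint))

def run_handshake(proxy, handshake, side, ca_names):
    """Model of the framework's dispatch; setup_crl_list runs once per CA whose CRL is to be filled up."""
    def call(key, *extra):
        tuple_type, func = handshake[key]
        if tuple_type != SSL_HS_POLICY or not callable(func):
            raise ValueError(f"{key}: only (SSL_HS_POLICY, function) is a valid tuple")
        return func(proxy, side, *extra)
    steps = [("setup_key", ()), ("setup_ca_list", ())] + [("setup_crl_list", (ca,)) for ca in ca_names]
    for key, extra in steps:
        if call(key, *extra) != SSL_HS_ACCEPT:
            return "aborted:" + key  # anything but SSL_HS_ACCEPT aborts the handshake
    outcome = {SSL_HS_VERIFIED: "verified-by-policy", SSL_HS_ACCEPT: "continue"}
    return outcome.get(call("verify_cert"), "aborted:verify_cert")
```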
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu