- class QSslConfiguration#
The
QSslConfiguration
class holds the configuration and state of an SSL connection. More…Synopsis#
Methods#
def
__init__()
def
caCertificates()
def
ciphers()
def
ellipticCurves()
def
isNull()
def
__ne__()
def
__eq__()
def
peerVerifyMode()
def
privateKey()
def
protocol()
def
sessionCipher()
def
sessionTicket()
def
setCiphers()
def
setPrivateKey()
def
setProtocol()
def
setSslOption()
def
swap()
def
testSslOption()
Static functions#
Note
This documentation may contain snippets that were automatically translated from C++ to Python. We always welcome contributions to the snippet translation. If you see an issue with the translation, you can also let us know by creating a ticket on https:/bugreports.qt.io/projects/PYSIDE
Detailed Description#
Warning
This section contains snippets that were automatically translated from C++ to Python and may contain errors.
QSslConfiguration
is used by Qt networking classes to relay information about an open SSL connection and to allow the application to control certain features of that connection.The settings that
QSslConfiguration
currently supports are:The SSL/TLS protocol to be used
The certificate to be presented to the peer during connection and its associated private key
The ciphers allowed to be used for encrypting the connection
The list of Certificate Authorities certificates that are used to validate the peer’s certificate
These settings are applied only during the connection handshake. Setting them after the connection has been established has no effect.
The state that
QSslConfiguration
supports are:The certificate the peer presented during handshake, along with the chain leading to a CA certificate
The cipher used to encrypt this session
The state can only be obtained once the SSL connection starts, but not necessarily before it’s done. Some settings may change during the course of the SSL connection without need to restart it (for instance, the cipher can be changed over time).
State in
QSslConfiguration
objects cannot be changed.QSslConfiguration
can be used withQSslSocket
and the Network Access API.Note that changing settings in
QSslConfiguration
is not enough to change the settings in the related SSL connection. You must call setSslConfiguration on a modifiedQSslConfiguration
object to achieve that. The following example illustrates how to change the protocol to TLSv1_2 in aQSslSocket
object:config = sslSocket.sslConfiguration() config.setProtocol(QSsl.TlsV1_2) sslSocket.setSslConfiguration(config)
- class NextProtocolNegotiationStatus#
Describes the status of the Next Protocol Negotiation (NPN) or Application-Layer Protocol Negotiation (ALPN).
Constant
Description
QSslConfiguration.NextProtocolNegotiationNone
No application protocol has been negotiated (yet).
QSslConfiguration.NextProtocolNegotiationNegotiated
A next protocol has been negotiated (see
nextNegotiatedProtocol()
).QSslConfiguration.NextProtocolNegotiationUnsupported
The client and server could not agree on a common next application protocol.
- PySide6.QtNetwork.QSslConfiguration.ALPNProtocolHTTP2#
- PySide6.QtNetwork.QSslConfiguration.NextProtocolHttp1_1#
- __init__(other)#
- Parameters:
other –
QSslConfiguration
Copies the configuration and state of
other
. Ifother
is null, this object will be null too.- __init__()
Constructs an empty SSL configuration. This configuration contains no valid settings and the state will be empty.
isNull()
will return true after this constructor is called.Once any setter methods are called,
isNull()
will return false.- addCaCertificate(certificate)#
- Parameters:
certificate –
QSslCertificate
Adds
certificate
to this configuration’s CA certificate database. The certificate database must be set prior to the SSL handshake. The CA certificate database is used by the socket during the handshake phase to validate the peer’s certificate.Note
The default configuration uses the system CA certificate database. If that is not available (as is commonly the case on iOS), the default database is empty.
- addCaCertificates(certificates)#
- Parameters:
certificates – .list of QSslCertificate
Adds
certificates
to this configuration’s CA certificate database. The certificate database must be set prior to the SSL handshake. The CA certificate database is used by the socket during the handshake phase to validate the peer’s certificate.Note
The default configuration uses the system CA certificate database. If that is not available (as is commonly the case on iOS), the default database is empty.
- addCaCertificates(path[, format=QSsl.Pem[, syntax=QSslCertificate.PatternSyntax.FixedString]])
- Parameters:
path – str
format –
EncodingFormat
syntax –
PatternSyntax
- Return type:
bool
Searches all files in the
path
for certificates encoded in the specifiedformat
and adds them to this socket’s CA certificate database.path
must be a file or a pattern matching one or more files, as specified bysyntax
. Returnstrue
if one or more certificates are added to the socket’s CA certificate database; otherwise returnsfalse
.The CA certificate database is used by the socket during the handshake phase to validate the peer’s certificate.
For more precise control, use
addCaCertificate()
.See also
- allowedNextProtocols()#
- Return type:
.list of QByteArray
This function returns the allowed protocols to be negotiated with the server through the Next Protocol Negotiation (NPN) or Application-Layer Protocol Negotiation (ALPN) TLS extension, as set by
setAllowedNextProtocols()
.- backendConfiguration()#
- Return type:
Dictionary with keys of type .QByteArray and values of type QVariant.
Returns the backend-specific configuration.
Only options set by
setBackendConfigurationOption()
orsetBackendConfiguration()
will be returned. The internal standard configuration of the backend is not reported.- caCertificates()#
- Return type:
.list of QSslCertificate
Returns this connection’s CA certificate database. The CA certificate database is used by the socket during the handshake phase to validate the peer’s certificate. It can be modified prior to the handshake with
setCaCertificates()
, or withaddCaCertificate()
andaddCaCertificates()
.- ciphers()#
- Return type:
.list of QSslCipher
Returns this connection’s current cryptographic cipher suite. This list is used during the handshake phase for choosing a session cipher. The returned list of ciphers is ordered by descending preference. (i.e., the first cipher in the list is the most preferred cipher). The session cipher will be the first one in the list that is also supported by the peer.
By default, the handshake phase can choose any of the ciphers supported by this system’s SSL libraries, which may vary from system to system. The list of ciphers supported by this system’s SSL libraries is returned by
supportedCiphers()
. You can restrict the list of ciphers used for choosing the session cipher for this socket by callingsetCiphers()
with a subset of the supported ciphers. You can revert to using the entire set by callingsetCiphers()
with the list returned bysupportedCiphers()
.See also
- static defaultConfiguration()#
- Return type:
Returns the default SSL configuration to be used in new SSL connections.
The default SSL configuration consists of:
no local certificate and no private key
protocol
SecureProtocols
the system’s default CA certificate list
the cipher list equal to the list of the SSL libraries’ supported SSL ciphers that are 128 bits or more
- static defaultDtlsConfiguration()#
- Return type:
Returns the default DTLS configuration to be used in new DTLS connections.
The default DTLS configuration consists of:
no local certificate and no private key
protocol DtlsV1_2OrLater
the system’s default CA certificate list
the cipher list equal to the list of the SSL libraries’ supported TLS 1.2 ciphers that use 128 or more secret bits for the cipher.
See also
- diffieHellmanParameters()#
- Return type:
Retrieves the current set of Diffie-Hellman parameters.
If no Diffie-Hellman parameters have been set, the
QSslConfiguration
object defaults to using the 2048-bit MODP group from RFC 3526.Note
The default parameters may change in future Qt versions. Please check the documentation of the exact Qt version that you are using in order to know what defaults that version uses.
See also
- dtlsCookieVerificationEnabled()#
- Return type:
bool
This function returns true if DTLS cookie verification was enabled on a server-side socket.
See also
- ellipticCurves()#
- Return type:
.list of QSslEllipticCurve
Returns this connection’s current list of elliptic curves. This list is used during the handshake phase for choosing an elliptic curve (when using an elliptic curve cipher). The returned list of curves is ordered by descending preference (i.e., the first curve in the list is the most preferred one).
By default, the handshake phase can choose any of the curves supported by this system’s SSL libraries, which may vary from system to system. The list of curves supported by this system’s SSL libraries is returned by QSslSocket::supportedEllipticCurves().
You can restrict the list of curves used for choosing the session cipher for this socket by calling
setEllipticCurves()
with a subset of the supported ciphers. You can revert to using the entire set by callingsetEllipticCurves()
with the list returned by QSslSocket::supportedEllipticCurves().See also
Returns the ephemeral server key used for cipher algorithms with forward secrecy, e.g. DHE-RSA-AES128-SHA.
The ephemeral key is only available when running in client mode, i.e.
SslClientMode
. When running in server mode or using a cipher algorithm without forward secrecy a null key is returned. The ephemeral server key will be set before emitting the encrypted() signal.- handshakeMustInterruptOnError()#
- Return type:
bool
Returns true if a verification callback will emit
handshakeInterruptedOnError()
early, before concluding the handshake.Note
This function always returns false for all backends but OpenSSL.
- isNull()#
- Return type:
bool
Returns
true
if this is a nullQSslConfiguration
object.A
QSslConfiguration
object is null if it has been default-constructed and no setter methods have been called.- localCertificate()#
- Return type:
Returns the certificate to be presented to the peer during the SSL handshake process.
See also
- localCertificateChain()#
- Return type:
.list of QSslCertificate
Returns the certificate chain to be presented to the peer during the SSL handshake process.
- missingCertificateIsFatal()#
- Return type:
bool
Returns true if errors with code
NoPeerCertificate
cannot be ignored.Note
Always returns false for all TLS backends but OpenSSL.
- nextNegotiatedProtocol()#
- Return type:
This function returns the protocol negotiated with the server if the Next Protocol Negotiation (NPN) or Application-Layer Protocol Negotiation (ALPN) TLS extension was enabled. In order for the NPN/ALPN extension to be enabled,
setAllowedNextProtocols()
needs to be called explicitly before connecting to the server.If no protocol could be negotiated or the extension was not enabled, this function returns a QByteArray which is null.
- nextProtocolNegotiationStatus()#
- Return type:
This function returns the status of the Next Protocol Negotiation (NPN) or Application-Layer Protocol Negotiation (ALPN). If the feature has not been enabled through
setAllowedNextProtocols()
, this function returnsNextProtocolNegotiationNone
. The status will be set before emitting the encrypted() signal.- ocspStaplingEnabled()#
- Return type:
bool
Returns true if OCSP stapling was enabled by setOCSPStaplingEnabled(), otherwise false (which is the default value).
See also
- __ne__(other)#
- Parameters:
other –
QSslConfiguration
- Return type:
bool
Returns
true
if thisQSslConfiguration
differs fromother
. TwoQSslConfiguration
objects are considered different if any state or setting is different.See also
operator==()
- __eq__(other)#
- Parameters:
other –
QSslConfiguration
- Return type:
bool
Returns
true
if thisQSslConfiguration
object is equal toother
.Two
QSslConfiguration
objects are considered equal if they have the exact same settings and state.See also
operator!=()
- peerCertificate()#
- Return type:
Returns the peer’s digital certificate (i.e., the immediate certificate of the host you are connected to), or a null certificate, if the peer has not assigned a certificate.
The peer certificate is checked automatically during the handshake phase, so this function is normally used to fetch the certificate for display or for connection diagnostic purposes. It contains information about the peer, including its host name, the certificate issuer, and the peer’s public key.
Because the peer certificate is set during the handshake phase, it is safe to access the peer certificate from a slot connected to the
sslErrors()
signal,sslErrors()
signal, or theencrypted()
signal.If a null certificate is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to doesn’t have a certificate, or it can mean there is no connection.
If you want to check the peer’s complete chain of certificates, use
peerCertificateChain()
to get them all at once.- peerCertificateChain()#
- Return type:
.list of QSslCertificate
Returns the peer’s chain of digital certificates, starting with the peer’s immediate certificate and ending with the CA’s certificate.
Peer certificates are checked automatically during the handshake phase. This function is normally used to fetch certificates for display, or for performing connection diagnostics. Certificates contain information about the peer and the certificate issuers, including host name, issuer names, and issuer public keys.
Because the peer certificate is set during the handshake phase, it is safe to access the peer certificate from a slot connected to the
sslErrors()
signal,sslErrors()
signal, or theencrypted()
signal.If an empty list is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to doesn’t have a certificate, or it can mean there is no connection.
If you want to get only the peer’s immediate certificate, use
peerCertificate()
.- peerVerifyDepth()#
- Return type:
int
Returns the maximum number of certificates in the peer’s certificate chain to be checked during the SSL handshake phase, or 0 (the default) if no maximum depth has been set, indicating that the whole certificate chain should be checked.
The certificates are checked in issuing order, starting with the peer’s own certificate, then its issuer’s certificate, and so on.
See also
- peerVerifyMode()#
- Return type:
Returns the verify mode. This mode decides whether
QSslSocket
should request a certificate from the peer (i.e., the client requests a certificate from the server, or a server requesting a certificate from the client), and whether it should require that this certificate is valid.The default mode is AutoVerifyPeer, which tells
QSslSocket
to use VerifyPeer for clients, QueryPeer for servers.See also
- Return type:
Returns the identity hint.
See also
Returns the
SSL key
assigned to this connection or a null key if none has been assigned yet.See also
- protocol()#
- Return type:
Returns the protocol setting for this SSL configuration.
See also
- sessionCipher()#
- Return type:
Returns the socket’s cryptographic
cipher
, or a null cipher if the connection isn’t encrypted. The socket’s cipher for the session is set during the handshake phase. The cipher is used to encrypt and decrypt data transmitted through the socket.The SSL infrastructure also provides functions for setting the ordered list of ciphers from which the handshake phase will eventually select the session cipher. This ordered list must be in place before the handshake phase begins.
See also
- sessionProtocol()#
- Return type:
Returns the socket’s SSL/TLS protocol or UnknownProtocol if the connection isn’t encrypted. The socket’s protocol for the session is set during the handshake phase.
See also
- sessionTicket()#
- Return type:
If
SslOptionDisableSessionPersistence
was turned off, this function returns the session ticket used in the SSL handshake in ASN.1 format, suitable to e.g. be persisted to disk. If no session ticket was used orSslOptionDisableSessionPersistence
was not turned off, this function returns an empty QByteArray.Note
When persisting the session ticket to disk or similar, be careful not to expose the session to a potential attacker, as knowledge of the session allows for eavesdropping on data encrypted with the session parameters.
- sessionTicketLifeTimeHint()#
- Return type:
int
If
SslOptionDisableSessionPersistence
was turned off, this function returns the session ticket life time hint sent by the server (which might be 0). If the server did not send a session ticket (e.g. when resuming a session or when the server does not support it) orSslOptionDisableSessionPersistence
was not turned off, this function returns -1.- setAllowedNextProtocols(protocols)#
- Parameters:
protocols – .list of QByteArray
This function sets the allowed
protocols
to be negotiated with the server through the Next Protocol Negotiation (NPN) or Application-Layer Protocol Negotiation (ALPN) TLS extension; each element inprotocols
must define one allowed protocol. The function must be called explicitly before connecting to send the NPN/ALPN extension in the SSL handshake. Whether or not the negotiation succeeded can be queried throughnextProtocolNegotiationStatus()
.- setBackendConfiguration([backendConfiguration=QMap<QByteArray, QVariant>()])#
- Parameters:
backendConfiguration – Dictionary with keys of type .QByteArray and values of type QVariant.
Sets or clears the backend-specific configuration.
Without a
backendConfiguration
parameter this function will clear the backend-specific configuration. More information about the supported options is available in the documentation ofsetBackendConfigurationOption()
.- setBackendConfigurationOption(name, value)#
- Parameters:
name –
QByteArray
value – object
Sets the option
name
in the backend-specific configuration tovalue
.Options supported by the OpenSSL (>= 1.0.2) backend are available in the supported configuration file commands documentation. The expected type for the
value
parameter is a QByteArray for all options. The examples show how to use some of the options.Note
The backend-specific configuration will be applied after the general configuration. Using the backend-specific configuration to set a general configuration option again will overwrite the general configuration option.
- setCaCertificates(certificates)#
- Parameters:
certificates – .list of QSslCertificate
Sets this socket’s CA certificate database to be
certificates
. The certificate database must be set prior to the SSL handshake. The CA certificate database is used by the socket during the handshake phase to validate the peer’s certificate.Note
The default configuration uses the system CA certificate database. If that is not available (as is commonly the case on iOS), the default database is empty.
- setCiphers(ciphers)#
- Parameters:
ciphers – .list of QSslCipher
Sets the cryptographic cipher suite for this socket to
ciphers
, which must contain a subset of the ciphers in the list returned bysupportedCiphers()
.Restricting the cipher suite must be done before the handshake phase, where the session cipher is chosen.
See also
- setCiphers(ciphers)
- Parameters:
ciphers – str
Sets the cryptographic cipher suite for this configuration to
ciphers
, which is a colon-separated list of cipher suite names. The ciphers are listed in order of preference, starting with the most preferred cipher. Each cipher name inciphers
must be the name of a cipher in the list returned bysupportedCiphers()
. Restricting the cipher suite must be done before the handshake phase, where the session cipher is chosen.Note
With the Schannel backend the order of the ciphers is ignored and Schannel picks the most secure one during the handshake.
See also
- static setDefaultConfiguration(configuration)#
- Parameters:
configuration –
QSslConfiguration
Sets the default SSL configuration to be used in new SSL connections to be
configuration
. Existing connections are not affected by this call.See also
- static setDefaultDtlsConfiguration(configuration)#
- Parameters:
configuration –
QSslConfiguration
Sets the default DTLS configuration to be used in new DTLS connections to be
configuration
. Existing connections are not affected by this call.See also
- setDiffieHellmanParameters(dhparams)#
- Parameters:
dhparams –
QSslDiffieHellmanParameters
Sets a custom set of Diffie-Hellman parameters to be used by this socket when functioning as a server to
dhparams
.If no Diffie-Hellman parameters have been set, the
QSslConfiguration
object defaults to using the 2048-bit MODP group from RFC 3526.Since 6.7 you can provide an empty Diffie-Hellman parameter to use auto selection (see SSL_CTX_set_dh_auto of openssl) if the tls backend supports it.
Note
The default parameters may change in future Qt versions. Please check the documentation of the exact Qt version that you are using in order to know what defaults that version uses.
See also
- setDtlsCookieVerificationEnabled(enable)#
- Parameters:
enable – bool
This function enables DTLS cookie verification when
enable
is true.See also
- setEllipticCurves(curves)#
- Parameters:
curves – .list of QSslEllipticCurve
Sets the list of elliptic curves to be used by this socket to
curves
, which must contain a subset of the curves in the list returned bysupportedEllipticCurves()
.Restricting the elliptic curves must be done before the handshake phase, where the session cipher is chosen.
See also
- setHandshakeMustInterruptOnError(interrupt)#
- Parameters:
interrupt – bool
If
interrupt
is true and the underlying backend supports this option, errors found during certificate verification are reported immediately by emittinghandshakeInterruptedOnError()
. This allows to stop the unfinished handshake and send a proper alert message to a peer. No special action is required from the application in this case.QSslSocket
will close the connection after sending the alert message. If the application after inspecting the error wants to continue the handshake, it must callcontinueInterruptedHandshake()
from its slot function. The signal-slot connection must be direct.Note
When interrupting handshake is enabled, errors that would otherwise be reported by
peerVerifyError()
are instead only reported byhandshakeInterruptedOnError()
.Note
Even if the handshake was continued, these errors will be reported when emitting
sslErrors()
signal (and thus must be ignored in the corresponding function slot).- setLocalCertificate(certificate)#
- Parameters:
certificate –
QSslCertificate
Sets the certificate to be presented to the peer during SSL handshake to be
certificate
.Setting the certificate once the connection has been established has no effect.
A certificate is the means of identification used in the SSL process. The local certificate is used by the remote end to verify the local user’s identity against its list of Certification Authorities. In most cases, such as in HTTP web browsing, only servers identify to the clients, so the client does not send a certificate.
See also
- setLocalCertificateChain(localChain)#
- Parameters:
localChain – .list of QSslCertificate
Sets the certificate chain to be presented to the peer during the SSL handshake to be
localChain
.Setting the certificate chain once the connection has been established has no effect.
A certificate is the means of identification used in the SSL process. The local certificate is used by the remote end to verify the local user’s identity against its list of Certification Authorities. In most cases, such as in HTTP web browsing, only servers identify to the clients, so the client does not send a certificate.
Unlike
setLocalCertificate()
this method allows you to specify any intermediate certificates required in order to validate your certificate. The first item in the list must be the leaf certificate.See also
- setMissingCertificateIsFatal(cannotRecover)#
- Parameters:
cannotRecover – bool
If
cannotRecover
is true, and verification mode in use isVerifyPeer
orAutoVerifyPeer
(for a client-side socket), the missing peer’s certificate would be treated as an unrecoverable error that cannot be ignored. A proper alert message will be sent to the peer before closing the connection.Note
Only available if Qt was configured and built with OpenSSL backend.
- setOcspStaplingEnabled(enable)#
- Parameters:
enable – bool
If
enabled
is true, clientQSslSocket
will send a certificate status request to its peer when initiating a handshake. During the handshakeQSslSocket
will verify the server’s response. This value must be set before the handshake starts.See also
- setPeerVerifyDepth(depth)#
- Parameters:
depth – int
Sets the maximum number of certificates in the peer’s certificate chain to be checked during the SSL handshake phase, to
depth
. Setting a depth of 0 means that no maximum depth is set, indicating that the whole certificate chain should be checked.The certificates are checked in issuing order, starting with the peer’s own certificate, then its issuer’s certificate, and so on.
See also
- setPeerVerifyMode(mode)#
- Parameters:
mode –
PeerVerifyMode
Sets the verify mode to
mode
. This mode decides whetherQSslSocket
should request a certificate from the peer (i.e., the client requests a certificate from the server, or a server requesting a certificate from the client), and whether it should require that this certificate is valid.The default mode is AutoVerifyPeer, which tells
QSslSocket
to use VerifyPeer for clients, QueryPeer for servers.See also
- Parameters:
hint –
QByteArray
Sets the identity hint for a preshared key authentication to
hint
. This will affect the next initiated handshake; calling this function on an already-encrypted socket will not affect the socket’s identity hint.The identity hint is used in
SslServerMode
only!See also
Sets the connection’s private
key
tokey
. The private key and the localcertificate
are used by clients and servers that must prove their identity to SSL peers.Both the key and the local certificate are required if you are creating an SSL server socket. If you are creating an SSL client socket, the key and local certificate are required if your client must identify itself to an SSL server.
See also
- setProtocol(protocol)#
- Parameters:
protocol –
SslProtocol
Sets the protocol setting for this configuration to be
protocol
.Setting the protocol once the connection has already been established has no effect.
See also
- setSessionTicket(sessionTicket)#
- Parameters:
sessionTicket –
QByteArray
Sets the session ticket to be used in an SSL handshake.
SslOptionDisableSessionPersistence
must be turned off for this to work, andsessionTicket
must be in ASN.1 format as returned bysessionTicket()
.Enables or disables an SSL compatibility
option
. Ifon
is true, theoption
is enabled. Ifon
is false, theoption
is disabled.See also
- static supportedCiphers()#
- Return type:
.list of QSslCipher
Returns the list of cryptographic ciphers supported by this system. This list is set by the system’s SSL libraries and may vary from system to system.
See also
- static supportedEllipticCurves()#
- Return type:
.list of QSslEllipticCurve
Returns the list of elliptic curves supported by this system. This list is set by the system’s SSL libraries and may vary from system to system.
See also
- swap(other)#
- Parameters:
other –
QSslConfiguration
Swaps this SSL configuration instance with
other
. This function is very fast and never fails.- static systemCaCertificates()#
- Return type:
.list of QSslCertificate
This function provides the CA certificate database provided by the operating system. The CA certificate database returned by this function is used to initialize the database returned by
caCertificates()
on the defaultQSslConfiguration
.Returns
true
if the specified SSL compatibilityoption
is enabled.See also