""" TLS/SSL wrapper for socket objects. MicroPython module: https://docs.micropython.org/en/v1.26.0/library/ssl.html CPython module: :mod:`python:ssl` https://docs.python.org/3/library/ssl.html . This module provides access to Transport Layer Security (previously and widely known as “Secure Sockets Layer”) encryption and peer authentication facilities for network sockets, both client-side and server-side. """ from __future__ import annotations import enum import socket import sys from _ssl import ( _DEFAULT_CIPHERS as _DEFAULT_CIPHERS, _OPENSSL_API_VERSION as _OPENSSL_API_VERSION, HAS_ALPN as HAS_ALPN, HAS_ECDH as HAS_ECDH, HAS_NPN as HAS_NPN, HAS_SNI as HAS_SNI, OPENSSL_VERSION as OPENSSL_VERSION, OPENSSL_VERSION_INFO as OPENSSL_VERSION_INFO, OPENSSL_VERSION_NUMBER as OPENSSL_VERSION_NUMBER, HAS_SSLv2 as HAS_SSLv2, HAS_SSLv3 as HAS_SSLv3, HAS_TLSv1 as HAS_TLSv1, HAS_TLSv1_1 as HAS_TLSv1_1, HAS_TLSv1_2 as HAS_TLSv1_2, HAS_TLSv1_3 as HAS_TLSv1_3, MemoryBIO as MemoryBIO, RAND_add as RAND_add, RAND_bytes as RAND_bytes, RAND_status as RAND_status, SSLSession as SSLSession, _PasswordType as _PasswordType, # typeshed only, but re-export for other type stubs to use _SSLContext, ) from _typeshed import Incomplete, ReadableBuffer, StrOrBytesPath, WriteableBuffer from collections.abc import Callable, Iterable from typing import Any, Literal, NamedTuple, TypedDict, overload from typing_extensions import Awaitable, TypeVar, Never, Self, TypeAlias from _mpy_shed import StrOrBytesPath, mp_available from tls import * if sys.version_info >= (3, 13): from _ssl import HAS_PSK as HAS_PSK if True: from _ssl import RAND_pseudo_bytes as RAND_pseudo_bytes if sys.version_info < (3, 10): from _ssl import RAND_egd as RAND_egd if sys.platform == "win32": from _ssl import enum_certificates as enum_certificates, enum_crls as enum_crls _PCTRTT: TypeAlias = tuple[tuple[str, str], ...] _PCTRTTT: TypeAlias = tuple[_PCTRTT, ...] _PeerCertRetDictType: TypeAlias = dict[str, str | _PCTRTTT | _PCTRTT] _PeerCertRetType: TypeAlias = _PeerCertRetDictType | bytes | None _SrvnmeCbType: TypeAlias = Callable[[SSLSocket | SSLObject, str | None, SSLSocket], int | None] # socket_error = OSError class _Cipher(TypedDict): aead: bool alg_bits: int auth: str description: str digest: str | None id: int kea: str name: str protocol: str strength_bits: int symmetric: str class SSLError(OSError): library: str reason: str class SSLZeroReturnError(SSLError): ... class SSLWantReadError(SSLError): ... class SSLWantWriteError(SSLError): ... class SSLSyscallError(SSLError): ... class SSLEOFError(SSLError): ... class SSLCertVerificationError(SSLError, ValueError): verify_code: int verify_message: str # CertificateError = SSLCertVerificationError if True: # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- # End duplicated section # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- @mp_available() # force merge def wrap_socket( sock: socket.socket, *, server_side: bool = False, key: Incomplete = None, cert: Incomplete = None, cert_reqs: int = 0, cadata: bytes | None = None, server_hostname: str | None = None, do_handshake: bool = True, ) -> SSLSocket: """ Wrap the given *sock* and return a new wrapped-socket object. The implementation of this function is to first create an `SSLContext` and then call the `SSLContext.wrap_socket` method on that context object. The arguments *sock*, *server_side* and *server_hostname* are passed through unchanged to the method call. The argument *do_handshake* is passed through as *do_handshake_on_connect*. The remaining arguments have the following behaviour: - *cert_reqs* determines whether the peer (server or client) must present a valid certificate. Note that for mbedtls based ports, ``ssl.CERT_NONE`` and ``ssl.CERT_OPTIONAL`` will not validate any certificate, only ``ssl.CERT_REQUIRED`` will. - *cadata* is a bytes object containing the CA certificate chain (in DER format) that will validate the peer's certificate. Currently only a single DER-encoded certificate is supported. Depending on the underlying module implementation in a particular :term:`MicroPython port`, some or all keyword arguments above may be not supported. """ ... def __mpy_has_no_create_default_context( purpose: Purpose = ..., *, cafile: StrOrBytesPath | None = None, capath: StrOrBytesPath | None = None, cadata: str | ReadableBuffer | None = None, ) -> SSLContext: ... if sys.version_info >= (3, 10): def _create_unverified_context( protocol: int | None = None, *, cert_reqs: int = ..., check_hostname: bool = False, purpose: Purpose = ..., certfile: StrOrBytesPath | None = None, keyfile: StrOrBytesPath | None = None, cafile: StrOrBytesPath | None = None, capath: StrOrBytesPath | None = None, cadata: str | ReadableBuffer | None = None, ) -> SSLContext: ... else: def _create_unverified_context( protocol: int = ..., *, cert_reqs: int = ..., check_hostname: bool = False, purpose: Purpose = ..., certfile: StrOrBytesPath | None = None, keyfile: StrOrBytesPath | None = None, cafile: StrOrBytesPath | None = None, capath: StrOrBytesPath | None = None, cadata: str | ReadableBuffer | None = None, ) -> SSLContext: ... _create_default_https_context: Callable[..., SSLContext] if True: def match_hostname(cert: _PeerCertRetDictType, hostname: str) -> None: ... def cert_time_to_seconds(cert_time: str) -> int: ... if sys.version_info >= (3, 10): def get_server_certificate(addr: tuple[str, int], ssl_version: int = ..., ca_certs: str | None = None, timeout: float = ...) -> str: ... else: def get_server_certificate(addr: tuple[str, int], ssl_version: int = ..., ca_certs: str | None = None) -> str: ... def DER_cert_to_PEM_cert(der_cert_bytes: ReadableBuffer) -> str: ... def PEM_cert_to_DER_cert(pem_cert_string: str) -> bytes: ... class DefaultVerifyPaths(NamedTuple): cafile: str capath: str openssl_cafile_env: str openssl_cafile: str openssl_capath_env: str openssl_capath: str def get_default_verify_paths() -> DefaultVerifyPaths: ... class VerifyMode(enum.IntEnum): CERT_NONE = 0 CERT_OPTIONAL = 1 CERT_REQUIRED = 2 CERT_NONE: VerifyMode CERT_OPTIONAL: VerifyMode CERT_REQUIRED: VerifyMode class VerifyFlags(enum.IntFlag): VERIFY_DEFAULT = 0 VERIFY_CRL_CHECK_LEAF = 4 VERIFY_CRL_CHECK_CHAIN = 12 VERIFY_X509_STRICT = 32 VERIFY_X509_TRUSTED_FIRST = 32768 if sys.version_info >= (3, 10): VERIFY_ALLOW_PROXY_CERTS = 64 VERIFY_X509_PARTIAL_CHAIN = 524288 # VERIFY_DEFAULT: VerifyFlags # VERIFY_CRL_CHECK_LEAF: VerifyFlags # VERIFY_CRL_CHECK_CHAIN: VerifyFlags # VERIFY_X509_STRICT: VerifyFlags # VERIFY_X509_TRUSTED_FIRST: VerifyFlags if sys.version_info >= (3, 10): VERIFY_ALLOW_PROXY_CERTS: VerifyFlags VERIFY_X509_PARTIAL_CHAIN: VerifyFlags class _SSLMethod(enum.IntEnum): PROTOCOL_SSLv23 = 2 PROTOCOL_SSLv2 = ... PROTOCOL_SSLv3 = ... PROTOCOL_TLSv1 = 3 PROTOCOL_TLSv1_1 = 4 PROTOCOL_TLSv1_2 = 5 PROTOCOL_TLS = 2 PROTOCOL_TLS_CLIENT = 16 PROTOCOL_TLS_SERVER = 17 # PROTOCOL_SSLv23: _SSLMethod # PROTOCOL_SSLv2: _SSLMethod # PROTOCOL_SSLv3: _SSLMethod # PROTOCOL_TLSv1: _SSLMethod # PROTOCOL_TLSv1_1: _SSLMethod # PROTOCOL_TLSv1_2: _SSLMethod # PROTOCOL_TLS: _SSLMethod PROTOCOL_TLS_CLIENT: _SSLMethod PROTOCOL_TLS_SERVER: _SSLMethod class Options(enum.IntFlag): OP_ALL = 2147483728 OP_NO_SSLv2 = 0 OP_NO_SSLv3 = 33554432 OP_NO_TLSv1 = 67108864 OP_NO_TLSv1_1 = 268435456 OP_NO_TLSv1_2 = 134217728 OP_NO_TLSv1_3 = 536870912 OP_CIPHER_SERVER_PREFERENCE = 4194304 OP_SINGLE_DH_USE = 0 OP_SINGLE_ECDH_USE = 0 OP_NO_COMPRESSION = 131072 OP_NO_TICKET = 16384 OP_NO_RENEGOTIATION = 1073741824 OP_ENABLE_MIDDLEBOX_COMPAT = 1048576 if sys.version_info >= (3, 12): OP_LEGACY_SERVER_CONNECT = 4 OP_ENABLE_KTLS = 8 if sys.version_info >= (3, 11) or sys.platform == "linux": OP_IGNORE_UNEXPECTED_EOF = 128 # OP_ALL: Options # OP_NO_SSLv2: Options # OP_NO_SSLv3: Options # OP_NO_TLSv1: Options # OP_NO_TLSv1_1: Options # OP_NO_TLSv1_2: Options # OP_NO_TLSv1_3: Options # OP_CIPHER_SERVER_PREFERENCE: Options # OP_SINGLE_DH_USE: Options # OP_SINGLE_ECDH_USE: Options # OP_NO_COMPRESSION: Options # OP_NO_TICKET: Options # OP_NO_RENEGOTIATION: Options # OP_ENABLE_MIDDLEBOX_COMPAT: Options if sys.version_info >= (3, 12): OP_LEGACY_SERVER_CONNECT: Options OP_ENABLE_KTLS: Options if sys.version_info >= (3, 11) or sys.platform == "linux": OP_IGNORE_UNEXPECTED_EOF: Options # HAS_NEVER_CHECK_COMMON_NAME: bool # CHANNEL_BINDING_TYPES: list[str] class AlertDescription(enum.IntEnum): ALERT_DESCRIPTION_ACCESS_DENIED = 49 ALERT_DESCRIPTION_BAD_CERTIFICATE = 42 ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE = 114 ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE = 113 ALERT_DESCRIPTION_BAD_RECORD_MAC = 20 ALERT_DESCRIPTION_CERTIFICATE_EXPIRED = 45 ALERT_DESCRIPTION_CERTIFICATE_REVOKED = 44 ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN = 46 ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE = 111 ALERT_DESCRIPTION_CLOSE_NOTIFY = 0 ALERT_DESCRIPTION_DECODE_ERROR = 50 ALERT_DESCRIPTION_DECOMPRESSION_FAILURE = 30 ALERT_DESCRIPTION_DECRYPT_ERROR = 51 ALERT_DESCRIPTION_HANDSHAKE_FAILURE = 40 ALERT_DESCRIPTION_ILLEGAL_PARAMETER = 47 ALERT_DESCRIPTION_INSUFFICIENT_SECURITY = 71 ALERT_DESCRIPTION_INTERNAL_ERROR = 80 ALERT_DESCRIPTION_NO_RENEGOTIATION = 100 ALERT_DESCRIPTION_PROTOCOL_VERSION = 70 ALERT_DESCRIPTION_RECORD_OVERFLOW = 22 ALERT_DESCRIPTION_UNEXPECTED_MESSAGE = 10 ALERT_DESCRIPTION_UNKNOWN_CA = 48 ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY = 115 ALERT_DESCRIPTION_UNRECOGNIZED_NAME = 112 ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE = 43 ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION = 110 ALERT_DESCRIPTION_USER_CANCELLED = 90 # ALERT_DESCRIPTION_HANDSHAKE_FAILURE: AlertDescription # ALERT_DESCRIPTION_INTERNAL_ERROR: AlertDescription # ALERT_DESCRIPTION_ACCESS_DENIED: AlertDescription # ALERT_DESCRIPTION_BAD_CERTIFICATE: AlertDescription # ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE: AlertDescription # ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE: AlertDescription # ALERT_DESCRIPTION_BAD_RECORD_MAC: AlertDescription # ALERT_DESCRIPTION_CERTIFICATE_EXPIRED: AlertDescription # ALERT_DESCRIPTION_CERTIFICATE_REVOKED: AlertDescription # ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN: AlertDescription # ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE: AlertDescription # ALERT_DESCRIPTION_CLOSE_NOTIFY: AlertDescription # ALERT_DESCRIPTION_DECODE_ERROR: AlertDescription # ALERT_DESCRIPTION_DECOMPRESSION_FAILURE: AlertDescription # ALERT_DESCRIPTION_DECRYPT_ERROR: AlertDescription # ALERT_DESCRIPTION_ILLEGAL_PARAMETER: AlertDescription # ALERT_DESCRIPTION_INSUFFICIENT_SECURITY: AlertDescription # ALERT_DESCRIPTION_NO_RENEGOTIATION: AlertDescription # ALERT_DESCRIPTION_PROTOCOL_VERSION: AlertDescription # ALERT_DESCRIPTION_RECORD_OVERFLOW: AlertDescription # ALERT_DESCRIPTION_UNEXPECTED_MESSAGE: AlertDescription # ALERT_DESCRIPTION_UNKNOWN_CA: AlertDescription # ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY: AlertDescription # ALERT_DESCRIPTION_UNRECOGNIZED_NAME: AlertDescription # ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE: AlertDescription # ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION: AlertDescription # ALERT_DESCRIPTION_USER_CANCELLED: AlertDescription class _ASN1ObjectBase(NamedTuple): nid: int shortname: str longname: str oid: str class _ASN1Object(_ASN1ObjectBase): def __new__(cls, oid: str) -> Self: ... @classmethod def fromnid(cls, nid: int) -> Self: ... @classmethod def fromname(cls, name: str) -> Self: ... class Purpose(_ASN1Object, enum.Enum): SERVER_AUTH = (129, "serverAuth", "TLS Web Server Authentication", "1.3.6.1.5.5.7.3.2") # pyright: ignore[reportCallIssue] CLIENT_AUTH = (130, "clientAuth", "TLS Web Client Authentication", "1.3.6.1.5.5.7.3.1") # pyright: ignore[reportCallIssue] class SSLSocket: context: SSLContext server_side: bool server_hostname: str | None session: SSLSession | None @property def session_reused(self) -> bool | None: ... def __init__(self, *args: Any, **kwargs: Any) -> None: ... def connect(self, addr: socket._Address) -> None: ... def connect_ex(self, addr: socket._Address) -> int: ... # ifdef MBEDTLS_SSL_PROTO_DTLS @mp_available(macro="MBEDTLS_SSL_PROTO_DTLS") # force merge def recv(self, *argv, **kwargs) -> Incomplete: ... @mp_available(macro="MBEDTLS_SSL_PROTO_DTLS") # force merge def recv_into(self, *argv, **kwargs) -> Incomplete: ... def recvfrom(self, buflen: int = 1024, flags: int = 0) -> tuple[bytes, socket._RetAddress]: ... def recvfrom_into(self, buffer: WriteableBuffer, nbytes: int | None = None, flags: int = 0) -> tuple[int, socket._RetAddress]: ... @mp_available(macro="MBEDTLS_SSL_PROTO_DTLS") # force merge def send(self, *argv, **kwargs) -> Incomplete: ... @mp_available(macro="MBEDTLS_SSL_PROTO_DTLS") # force merge def sendall(self, *argv, **kwargs) -> Incomplete: ... @overload def sendto(self, data: ReadableBuffer, flags_or_addr: socket._Address, addr: None = None) -> int: ... @overload def sendto(self, data: ReadableBuffer, flags_or_addr: int, addr: socket._Address) -> int: ... def shutdown(self, how: int) -> None: ... # TODO : SSLSocket is undocumented # ref: micropython\extmod\modtls_axtls.c ( read ... close) # repos\micropython\extmod\modtls_mbedtls.c @mp_available() # force merge def read(self, *argv, **kwargs) -> Incomplete: ... @mp_available() # force merge def write(self, *argv, **kwargs) -> Incomplete: ... def do_handshake(self, block: bool = False) -> None: ... # block is undocumented @overload def getpeercert(self, binary_form: Literal[False] = False) -> _PeerCertRetDictType | None: ... @overload def getpeercert(self, binary_form: Literal[True]) -> bytes | None: ... @overload def getpeercert(self, binary_form: bool) -> _PeerCertRetType: ... # endif # ifdef (MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) @mp_available(macro="MBEDTLS_SSL_KEEP_PEER_CERTIFICATE") # force merge def getpeercert(self, *argv, **kwargs) -> Incomplete: ... # endif @mp_available() # force merge def cipher(self, *argv, **kwargs) -> Incomplete: ... def shared_ciphers(self) -> list[tuple[str, str, int]] | None: ... def compression(self) -> str | None: ... def get_channel_binding(self, cb_type: str = "tls-unique") -> bytes | None: ... def selected_alpn_protocol(self) -> str | None: ... def selected_npn_protocol(self) -> str | None: ... def accept(self) -> tuple[SSLSocket, socket._RetAddress]: ... def unwrap(self) -> socket.socket: ... def version(self) -> str | None: ... def pending(self) -> int: ... def verify_client_post_handshake(self) -> None: ... # These methods always raise `NotImplementedError`: def recvmsg(self, *args: Never, **kwargs: Never) -> Never: ... # type: ignore[override] def recvmsg_into(self, *args: Never, **kwargs: Never) -> Never: ... # type: ignore[override] def sendmsg(self, *args: Never, **kwargs: Never) -> Never: ... # type: ignore[override] if sys.version_info >= (3, 13): def get_verified_chain(self) -> list[bytes]: ... def get_unverified_chain(self) -> list[bytes]: ... @mp_available() # force merge def readinto(self, *argv, **kwargs) -> Incomplete: ... @mp_available() # force merge def readline(self, *argv, **kwargs) -> Incomplete: ... @mp_available() # force merge def setblocking(self, *argv, **kwargs) -> Incomplete: ... @mp_available() # force merge def close(self, *argv, **kwargs) -> Incomplete: ... # if MICROPY_PY_SSL_FINALISER @mp_available(macro="MICROPY_PY_SSL_FINALISER") # force merge def __del__(self, *argv, **kwargs) -> Incomplete: ... # endif # ifdef MICROPY_UNIX_COVERAGE @mp_available(macro="MICROPY_UNIX_COVERAGE") # force merge def ioctl(self, *argv, **kwargs) -> Incomplete: ... class TLSVersion(enum.IntEnum): MINIMUM_SUPPORTED = -2 MAXIMUM_SUPPORTED = -1 SSLv3 = 768 TLSv1 = 769 TLSv1_1 = 770 TLSv1_2 = 771 TLSv1_3 = 772 class SSLContext: """ Create a new SSLContext instance. The *protocol* argument must be one of the ``PROTOCOL_*`` constants. """ options: Options verify_flags: VerifyFlags verify_mode: VerifyMode @property def protocol(self) -> _SSLMethod: ... # type: ignore[override] hostname_checks_common_name: bool maximum_version: TLSVersion minimum_version: TLSVersion # The following two attributes have class-level defaults. # However, the docs explicitly state that it's OK to override these attributes on instances, # so making these ClassVars wouldn't be appropriate sslobject_class: type[SSLObject] sslsocket_class: type[SSLSocket] keylog_filename: str post_handshake_auth: bool if sys.version_info >= (3, 10): security_level: int if sys.version_info >= (3, 10): # Using the default (None) for the `protocol` parameter is deprecated, # but there isn't a good way of marking that in the stub unless/until PEP 702 is accepted def __new__(cls, protocol: int | None = None, *args: Any, **kwargs: Any) -> Self: ... else: def __new__(cls, protocol: int = ..., *args: Any, **kwargs: Any) -> Self: ... def load_default_certs(self, purpose: Purpose = ...) -> None: ... def load_verify_locations(self, cafile=None, cadata: bytes | None = None) -> None: """ Load the CA certificate chain that will validate the peer's certificate. *cafile* is the file path of the CA certificates. *cadata* is a bytes object containing the CA certificates. Only one of these arguments should be provided. """ ... @overload def get_ca_certs(self, binary_form: Literal[False] = False) -> list[_PeerCertRetDictType]: ... @overload def get_ca_certs(self, binary_form: Literal[True]) -> list[bytes]: ... @overload def get_ca_certs(self, binary_form: bool = False) -> Any: ... def get_ciphers(self) -> list[_Cipher]: """ Get a list of enabled ciphers, returned as a list of strings. """ ... def set_default_verify_paths(self) -> None: ... def set_ciphers(self, ciphers) -> None: """ Set the available ciphers for sockets created with this context. *ciphers* should be a list of strings in the `IANA cipher suite format `_ . """ ... def set_alpn_protocols(self, alpn_protocols: Iterable[str]) -> None: ... def set_npn_protocols(self, npn_protocols: Iterable[str]) -> None: ... def set_servername_callback(self, server_name_callback: _SrvnmeCbType | None) -> None: ... def load_dh_params(self, path: str, /) -> None: ... def set_ecdh_curve(self, name: str, /) -> None: ... def wrap_socket( self, sock: socket.socket, *, server_side: bool = False, do_handshake_on_connect: bool = True, server_hostname: str | None = None, ) -> SSLSocket: """ Takes a `stream` *sock* (usually socket.socket instance of ``SOCK_STREAM`` type), and returns an instance of ssl.SSLSocket, wrapping the underlying stream. The returned object has the usual `stream` interface methods like ``read()``, ``write()``, etc. - *server_side* selects whether the wrapped socket is on the server or client side. A server-side SSL socket should be created from a normal socket returned from :meth:`~socket.socket.accept()` on a non-SSL listening server socket. - *do_handshake_on_connect* determines whether the handshake is done as part of the ``wrap_socket`` or whether it is deferred to be done as part of the initial reads or writes For blocking sockets doing the handshake immediately is standard. For non-blocking sockets (i.e. when the *sock* passed into ``wrap_socket`` is in non-blocking mode) the handshake should generally be deferred because otherwise ``wrap_socket`` blocks until it completes. Note that in AXTLS the handshake can be deferred until the first read or write but it then blocks until completion. - *server_hostname* is for use as a client, and sets the hostname to check against the received server certificate. It also sets the name for Server Name Indication (SNI), allowing the server to present the proper certificate. - *client_id* is a MicroPython-specific extension argument used only when implementing a DTLS Server. See :ref:`dtls` for details. """ ... def wrap_bio( self, incoming: MemoryBIO, outgoing: MemoryBIO, server_side: bool = False, server_hostname: str | bytes | None = None, session: SSLSession | None = None, ) -> SSLObject: ... @mp_available() # force merge def load_cert_chain(self, certfile, keyfile) -> None: """ Load a private key and the corresponding certificate. The *certfile* is a string with the file path of the certificate. The *keyfile* is a string with the file path of the private key. Admonition:Difference to CPython :class: attention MicroPython extension: *certfile* and *keyfile* can be bytes objects instead of strings, in which case they are interpreted as the actual certificate/key data. """ ... class SSLObject: context: SSLContext @property def server_side(self) -> bool: ... @property def server_hostname(self) -> str | None: ... session: SSLSession | None @property def session_reused(self) -> bool: ... def __init__(self, *args: Any, **kwargs: Any) -> None: ... def read(self, len: int = 1024, buffer: bytearray | None = None) -> bytes: ... def write(self, data: ReadableBuffer) -> int: ... @overload def getpeercert(self, binary_form: Literal[False] = False) -> _PeerCertRetDictType | None: ... @overload def getpeercert(self, binary_form: Literal[True]) -> bytes | None: ... @overload def getpeercert(self, binary_form: bool) -> _PeerCertRetType: ... def selected_alpn_protocol(self) -> str | None: ... def selected_npn_protocol(self) -> str | None: ... def cipher(self) -> tuple[str, str, int] | None: ... def shared_ciphers(self) -> list[tuple[str, str, int]] | None: ... def compression(self) -> str | None: ... def pending(self) -> int: ... def do_handshake(self) -> None: ... def unwrap(self) -> None: ... def version(self) -> str | None: ... def get_channel_binding(self, cb_type: str = "tls-unique") -> bytes | None: ... def verify_client_post_handshake(self) -> None: ... if sys.version_info >= (3, 13): def get_verified_chain(self) -> list[bytes]: ... def get_unverified_chain(self) -> list[bytes]: ... class SSLErrorNumber(enum.IntEnum): SSL_ERROR_EOF = 8 SSL_ERROR_INVALID_ERROR_CODE = 10 SSL_ERROR_SSL = 1 SSL_ERROR_SYSCALL = 5 SSL_ERROR_WANT_CONNECT = 7 SSL_ERROR_WANT_READ = 2 SSL_ERROR_WANT_WRITE = 3 SSL_ERROR_WANT_X509_LOOKUP = 4 SSL_ERROR_ZERO_RETURN = 6 # SSL_ERROR_EOF: SSLErrorNumber # undocumented # SSL_ERROR_INVALID_ERROR_CODE: SSLErrorNumber # undocumented # SSL_ERROR_SSL: SSLErrorNumber # undocumented # SSL_ERROR_SYSCALL: SSLErrorNumber # undocumented # SSL_ERROR_WANT_CONNECT: SSLErrorNumber # undocumented # SSL_ERROR_WANT_READ: SSLErrorNumber # undocumented # SSL_ERROR_WANT_WRITE: SSLErrorNumber # undocumented # SSL_ERROR_WANT_X509_LOOKUP: SSLErrorNumber # undocumented # SSL_ERROR_ZERO_RETURN: SSLErrorNumber # undocumented def get_protocol_name(protocol_code: int) -> str: ... if sys.version_info < (3, 9): AF_INET: int # PEM_FOOTER: str # PEM_HEADER: str # SOCK_STREAM: int # SOL_SOCKET: int # SO_TYPE: int PROTOCOL_DTLS_CLIENT: Incomplete PROTOCOL_DTLS_SERVER: Incomplete MBEDTLS_VERSION: str = "Mbed TLS 3.6.0"