Fix some documentation bugs.

2007-09-11 02:42:07 +00:00 · 2007-09-11 02:42:07 +00:00 · 93bf9ce9b7
parent e3f1d7d059
commit 93bf9ce9b7
1 changed files with 54 additions and 34 deletions
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@ -34,15 +34,27 @@ for more general information about TLS, SSL, and certificates, the
 reader is referred to the documents in the "See Also" section at
 the bottom.

-This module defines a class, :class:`ssl.SSLSocket`, which is
-derived from the :class:`socket.socket` type, and supports additional
+This module provides a class, :class:`ssl.SSLSocket`, which is
+derived from the :class:`socket.socket` type, and provides
+a socket-like wrapper that also encrypts and decrypts the data
+going over the socket with SSL.  It supports additional
 :meth:`read` and :meth:`write` methods, along with a method, :meth:`getpeercert`,
-to retrieve the certificate of the other side of the connection.
+to retrieve the certificate of the other side of the connection, and
+a method, :meth:`cipher`, to retrieve the cipher being used for the
+secure connection.

-This module defines the following functions, exceptions, and constants:
+Functions, Constants, and Exceptions
+------------------------------------

-.. function:: wrap_socket (sock [, keyfile=None, certfile=None, server_side=False,
-   cert_reqs=CERT_NONE, ssl_version={see docs}, ca_certs=None])
+.. exception:: SSLError
+
+   Raised to signal an error from the underlying SSL implementation.  This 
+   signifies some problem in the higher-level
+   encryption and authentication layer that's superimposed on the underlying
+   network connection.  This error is a subtype of :exc:`socket.error`, which
+   in turn is a subtype of :exc:`IOError`.
+
+.. function:: wrap_socket (sock [, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version={see docs}, ca_certs=None])

   Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance of :class:`ssl.SSLSocket`, a subtype
   of :class:`socket.socket`, which wraps the underlying socket in an SSL context.
@ -50,7 +62,8 @@ This module defines the following functions, exceptions, and constants:
   connected yet, the context construction will be performed after :meth:`connect` is called
   on the socket.  For server-side sockets, if the socket has no remote peer, it is assumed
   to be a listening socket, and the server-side SSL wrapping is automatically performed
-   on client connections accepted via the :meth:`accept` method.
+   on client connections accepted via the :meth:`accept` method.  :func:`wrap_socket` may
+   raise :exc:`SSLError`.

   The ``keyfile`` and ``certfile`` parameters specify optional files which contain a certificate
   to be used to identify the local side of the connection.  See the discussion of :ref:`ssl-certificates`
@ -124,7 +137,7 @@ This module defines the following functions, exceptions, and constants:
   necessary on systems without better sources of randomness.

   See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for
-   sources of EGDs.
+   sources of entropy-gathering daemons.

 .. function:: RAND_add(bytes, entropy)

@ -149,13 +162,6 @@ This module defines the following functions, exceptions, and constants:
     'Wed May  9 00:00:00 2007'
     >>> 

-.. exception:: SSLError
-
-   Raised to signal an error from the underlying SSL implementation.  This 
-   signifies some problem in the higher-level
-   encryption and authentication layer that's superimposed on the underlying
-   network connection.
-
 .. data:: CERT_NONE

   Value to pass to the ``cert_reqs`` parameter to :func:`sslobject`
@ -185,13 +191,16 @@ This module defines the following functions, exceptions, and constants:

 .. data:: PROTOCOL_SSLv23

-   Selects SSL version 2 or 3 as the channel encryption protocol.  This is a setting to use for maximum compatibility
-   with the other end of an SSL connection, but it may cause the specific ciphers chosen for the encryption to be
-   of fairly low quality.
+   Selects SSL version 2 or 3 as the channel encryption protocol.
+   This is a setting to use with servers for maximum compatibility
+   with the other end of an SSL connection, but it may cause the
+   specific ciphers chosen for the encryption to be of fairly low
+   quality.

 .. data:: PROTOCOL_SSLv3

   Selects SSL version 3 as the channel encryption protocol.
+   For clients, this is the maximally compatible SSL variant.

 .. data:: PROTOCOL_TLSv1

@ -200,8 +209,6 @@ This module defines the following functions, exceptions, and constants:
   protection, if both sides can speak it.


-.. _ssl-certificates:
-
 SSLSocket Objects
 -----------------

@ -211,23 +218,30 @@ SSLSocket Objects

 .. method:: SSLSocket.write(data)

-   Writes the ``data`` to the other side of the connection, using the SSL channel to encrypt.  Returns the number
-   of bytes written.
+   Writes the ``data`` to the other side of the connection, using the
+   SSL channel to encrypt.  Returns the number of bytes written.

-.. method:: SSLSocket.getpeercert()
+.. method:: SSLSocket.getpeercert(binary_form=False)

-   If there is no certificate for the peer on the other end of the connection, returns ``None``.
-   If a certificate was received from the peer, but not validated, returns an empty ``dict`` instance.
-   If a certificate was received and validated, returns a ``dict`` instance with the fields
-   ``subject`` (the principal for which the certificate was issued),
-   and ``notAfter`` (the time after which the certificate should not be trusted) filled in.
-   The certificate was already validated, so the ``notBefore`` and ``issuer`` fields are not
-   returned.  If a certificate contains an instance of the *subjectAltName* extension,
-   there will also be a ``subjectAltName`` field in the dictionary.
+   If there is no certificate for the peer on the other end of the
+   connection, returns ``None``.

-   The "subject" field is a tuple containing the sequence
-   of relative distinguished names (RDNs) given in the certificate's data structure
-   for the principal, and each RDN is a sequence of name-value pairs::
+   If the the parameter ``binary_form`` is :const:`False`, and a
+   certificate was received from the peer, this method returns a
+   :class:`dict` instance.  If the certificate was not validated, the
+   dict is empty.  If the certificate was validated, it returns a dict
+   with the keys ``subject`` (the principal for which the certificate
+   was issued), and ``notAfter`` (the time after which the certificate
+   should not be trusted).  The certificate was already validated, so
+   the ``notBefore`` and ``issuer`` fields are not returned.  If a
+   certificate contains an instance of the *Subject Alternative Name*
+   extension (see :rfc:`3280`), there will also be a
+   ``subjectAltName`` key in the dictionary.
+
+   The "subject" field is a tuple containing the sequence of relative
+   distinguished names (RDNs) given in the certificate's data
+   structure for the principal, and each RDN is a sequence of
+   name-value pairs::

      {'notAfter': 'Feb 16 16:54:50 2013 GMT',
       'subject': ((('countryName', u'US'),),
@ -237,6 +251,10 @@ SSLSocket Objects
                   (('organizationalUnitName', u'SSL'),),
                   (('commonName', u'somemachine.python.org'),))}

+   If the ``binary_form`` parameter is :const:`True`, and a
+   certificate was provided, this method returns the DER-encoded form
+   of the entire certificate as a sequence of bytes.  Note that this
+   binary certificate may not be valid.

 .. method:: SSLSocket.cipher()

@ -256,6 +274,8 @@ SSLSocket Objects

 .. index:: single: X509 certificate

+.. _ssl-certificates:
+
 Certificates
 ------------