The HTTPSConnection class accepts all three keyword arguments. The HTTPS class will recognize only ssl_context, silently ignoring the others. The code to connect to the local host on the default HTTPS port 443 using SSLv3 might look like this:

from M2Crypto import SSL, httpslib
context = SSL.Context('sslv3')   # SSLv3-only context; no certificate verification is configured
https = httpslib.HTTPSConnection('127.0.0.1:443', ssl_context=context)

It's important to realize that these functions do not perform any real certificate verification, so the only real protection they're providing is against passive eavesdropping attacks.
9.2.3.2 Extensions to urllib: m2urllib
To use the urllib extensions, you'll need to import the M2Crypto.m2urllib module:

from M2Crypto import m2urllib
You don't need to import urllib itself as well. The m2urllib module re-exports all of urllib along with its own extensions. Unlike httplib, the interface for urllib is the same for all currently supported versions of Python. The only addition is an open_https method added to the urllib.URLopener class. It works just the same as the existing open method does, taking the same arguments and returning the same values.
The open_https function does not take any additional arguments; it is responsible for creating the SSL context to be used, and you can't set up certificate or private key information either. The default protocol version that the SSL context is created with is controlled by the DEFAULT_PROTOCOL variable. By default, it is set to sslv3, but you can change it to any of the other supported values for creating an SSL context. For example, if you wanted either v2 or v3 to work, you might do the following:

from M2Crypto import m2urllib
m2urllib.DEFAULT_PROTOCOL = 'sslv23'   # let the handshake negotiate SSLv2 or SSLv3
connection = m2urllib.URLopener().open_https('https://www.somesite.com')
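Both httpslib.HTTPSConnection and open_https, as the text notes, leave the peer's certificate unchecked and give you no way to configure trust material. The following is an added example, not code from the book or from M2Crypto: it uses Python's standard-library ssl module to put that unverified configuration beside the verifying one a client should use, so the difference is concrete; the CA bundle path is an optional assumption you supply.

```python
import http.client
import ssl
from typing import Optional


def make_context(verify: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client TLS context.

    verify=False reproduces what the book's httpslib/m2urllib helpers give you:
    encryption against passive eavesdropping only, no check of who the peer is.
    verify=True is the configuration a client should actually use.
    """
    if verify:
        # Loads the platform trust store (or the given CA bundle, an assumed
        # path) and enables both chain verification and hostname matching.
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # check_hostname must be cleared before verify_mode can drop to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Refuse the legacy protocol versions the book's defaults (sslv3, sslv23) allow.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def fetch_head(host: str, port: int, ctx: ssl.SSLContext) -> int:
    """Issue a HEAD request over the given context and return the status code.

    With the verifying context, a forged or mismatched certificate raises
    ssl.SSLCertVerificationError during the handshake, before any request is sent.
    """
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    for mode in (False, True):
        print("verify=%s -> %s" % (mode, describe(make_context(verify=mode))))
```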
9.2.3.3 Extensions to xmlrpclib: m2xmlrpclib
The xmlrpclib module is new in Python 2.2. If you're using an older version of Python, you can find this module from a third party. To use the xmlrpclib extensions, you'll need to import the M2Crypto.m2xmlrpclib module:

from M2Crypto import m2xmlrpclib
You don't need to import xmlrpclib as well. The m2xmlrpclib module re-exports all of xmlrpclib along with its own extensions. The only addition that the m2xmlrpclib module makes is a class named SSL_Transport. The class's constructor accepts a single optional argument that is an SSL context object. If you don't specify one, a context will be created that uses the sslv23 protocol.
9.3 OpenSSL Support in PHP
PHP is a scripting language that is used primarily, if not exclusively, on the Web. It is normally HTML-embedded, although it is also capable of running as a CGI script. It boasts an extensive library of functions that provide interfaces to a wide variety of common external libraries and services, such as LDAP and MySQL. PHP 4.0.4pl1 introduced experimental support for OpenSSL. At the time of this writing, the current version of PHP is 4.1.1, and OpenSSL support is still considered experimental. Current versions of PHP require OpenSSL Version 0.9.5 or later.

Since PHP's support for OpenSSL is considered experimental, anything relating to the implementation could still change, including the function names, parameters, and return values. The support for OpenSSL in PHP is more limited than Perl's or Python's support, but sufficient functionality does exist to make it moderately useful. Support for encryption, signing, S/MIME, key generation, and X.509 certificate manipulation is included.

PHP's OpenSSL functions are high-level abstractions over the OpenSSL API. Unlike Perl or Python, none of the low-level OpenSSL API is exposed directly. While this simplifies the usage of OpenSSL greatly, it also restricts its capabilities. As newer versions of PHP have been released, new OpenSSL functionality has been introduced. We recommend that you use the latest version of PHP available to you if you wish to make use of its OpenSSL functionality.
9.3.1 General Functions
The PHP OpenSSL extension provides four functions required for the more specific functionality offered by the extension. These functions provide a mechanism for error reporting as well as private and public key management. In particular, many of the more specific functions require a public or private key, which is often supplied as a key resource. Key resources can be obtained from any one of the sources listed below, but in all cases the key data obtained from an external source must be PEM-encoded because PHP provides no support for reading DER-encoded data:

• The resource retrieved from a prior call to either openssl_get_publickey or openssl_get_privatekey
• An X.509 resource for public keys
• A string that specifies a filename to read the key from
• A string that contains the key data
• An array that contains the key as a string (representing a filename or containing the key data) and the passphrase required to decrypt the key
In Version 4.0.5 or later of PHP, any of the inputs to openssl_get_privatekey, openssl_get_publickey, or openssl_x509_read, which return key or certificate resources, can be used as the key or certificate resource to the function requiring the key or certificate resource. The earlier versions of the OpenSSL extension required the use of the three aforementioned functions, but versions that are more recent do not. If you'll be using the same key or certificate more than once, it is generally a good idea to use the functions to obtain a resource rather than obtaining it each time you need to use it.
mixed openssl_error_string(void)

This function pops the most recent error from OpenSSL's error stack and returns a string representation of the error. If the stack is empty, the return from this function will be false. The string returned will be an English representation of the error as returned from the OpenSSL function ERR_error_string. Note that OpenSSL pushes errors onto a stack, and that this function pops only one error from that stack. Call this function repeatedly until it returns false in order to get all of the available error information when an error occurs.
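The following is an added example, not from the book or from PHP's own documentation: it loads a passphrase-protected PEM key using the array form described above, keeps the resulting resource for reuse, and on failure drains the OpenSSL error stack with the repeated-call loop the text prescribes, so that every queued error is reported rather than only the top one. The key file path and passphrase are hypothetical placeholders.

```php
<?php
/* Added example; not code from the book. */

function drain_openssl_errors()
{
    $errors = array();
    // openssl_error_string() pops one entry per call; loop until it returns false.
    while (($err = openssl_error_string()) !== false) {
        $errors[] = $err;
    }
    return $errors;
}

function load_private_key($pem_file, $passphrase)
{
    // Read the PEM text ourselves so the same code works whether or not the
    // installed PHP accepts a bare filename as the key argument.
    $pem = @file_get_contents($pem_file);
    if ($pem === false) {
        return array('key' => false, 'errors' => array("cannot read $pem_file"));
    }
    // Array form from the text: element 0 is the key data, element 1 the passphrase.
    $key = openssl_get_privatekey(array($pem, $passphrase));
    if ($key === false) {
        // A wrong passphrase or malformed PEM typically leaves several entries
        // on the stack; report all of them.
        return array('key' => false, 'errors' => drain_openssl_errors());
    }
    return array('key' => $key, 'errors' => array());
}

// Hypothetical path and passphrase; replace with your own.
$result = load_private_key('/path/to/server.key', 'example-passphrase');
if ($result['key'] === false) {
    foreach ($result['errors'] as $e) {
        error_log("OpenSSL: $e");
    }
    exit(1);
}
// Reuse $result['key'] for every signing or decryption call instead of
// re-parsing the PEM data each time, as the text recommends.
?>
```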