PySide.QtNetwork.QSslSocket class provides an SSL encrypted socket for both clients and servers.
PySide.QtNetwork.QSslSocket establishes a secure, encrypted TCP connection you can use for transmitting encrypted data. It can operate in both client and server mode, and it supports modern SSL protocols, including SSLv3 and TLSv1. By default, PySide.QtNetwork.QSslSocket uses TLSv1, but you can change the SSL protocol by calling PySide.QtNetwork.QSslSocket.setProtocol() as long as you do it before the handshake has started.
SSL 加密运转在现有 TCP 流之上,但套接字要先进入 ConnectedState . There are two simple ways to establish a secure connection using PySide.QtNetwork.QSslSocket : With an immediate SSL handshake, or with a delayed SSL handshake occurring after the connection has been established in unencrypted mode.
The most common way to use PySide.QtNetwork.QSslSocket is to construct an object and start a secure connection by calling PySide.QtNetwork.QSslSocket.connectToHostEncrypted() . This method starts an immediate SSL handshake once the connection has been established.
socket = QSslSocket(self)
QObject.connect(socket, SIGNAL("encrypted()"), self, SLOT("ready()"))
socket.connectToHostEncrypted("imap.example.com", 993)
就像纯 PySide.QtNetwork.QTcpSocket , PySide.QtNetwork.QSslSocket enters the HostLookupState , ConnectingState ,及最终 ConnectedState ,若连接成功。然后握手自动开始,且若它成功, PySide.QtNetwork.QSslSocket.encrypted() signal is emitted to indicate the socket has entered the encrypted state and is ready for use.
注意:之后可以立即把数据写入套接字,当返回自 PySide.QtNetwork.QSslSocket.connectToHostEncrypted() (i.e., before the PySide.QtNetwork.QSslSocket.encrypted() signal is emitted). The data is queued in PySide.QtNetwork.QSslSocket until after the PySide.QtNetwork.QSslSocket.encrypted() 信号被发射。
An example of using the delayed SSL handshake to secure an existing connection is the case where an SSL server secures an incoming connection. Suppose you create an SSL server class as a subclass of PySide.QtNetwork.QTcpServer . You would override QTcpServer.incomingConnection() with something like the example below, which first constructs an instance of PySide.QtNetwork.QSslSocket and then calls PySide.QtNetwork.QSslSocket.setSocketDescriptor() to set the new socket's descriptor to the existing one passed in. It then initiates the SSL handshake by calling PySide.QtNetwork.QSslSocket.startServerEncryption() .
def incomingConnection(socketDescriptor):
serverSocket = QSslSocket()
if serverSocket.setSocketDescriptor(socketDescriptor):
QObject.connect(serverSocket, SIGNAL("encrypted()"), self, SLOT("ready()"))
serverSocket.startServerEncryption()
若发生错误, PySide.QtNetwork.QSslSocket 发射 PySide.QtNetwork.QSslSocket.sslErrors() signal. In this case, if no action is taken to ignore the error(s), the connection is dropped. To continue, despite the occurrence of an error, you can call PySide.QtNetwork.QSslSocket.ignoreSslErrors() , either from within this slot after the error occurs, or any time after construction of the PySide.QtNetwork.QSslSocket and before the connection is attempted. This will allow PySide.QtNetwork.QSslSocket to ignore the errors it encounters when establishing the identity of the peer. Ignoring errors during an SSL handshake should be used with caution, since a fundamental characteristic of secure connections is that they should be established with a successful handshake.
Once encrypted, you use PySide.QtNetwork.QSslSocket as a regular PySide.QtNetwork.QTcpSocket 。当 PySide.QtCore.QIODevice.readyRead() is emitted, you can call PySide.QtCore.QIODevice.read() , PySide.QtNetwork.QSslSocket.canReadLine() and PySide.QtCore.QIODevice.readLine() ,或 PySide.QtCore.QIODevice.getChar() to read decrypted data from PySide.QtNetwork.QSslSocket ‘s internal buffer, and you can call PySide.QtCore.QIODevice.write() or PySide.QtCore.QIODevice.putChar() to write data back to the peer. PySide.QtNetwork.QSslSocket will automatically encrypt the written data for you, and emit PySide.QtNetwork.QSslSocket.encryptedBytesWritten() once the data has been written to the peer.
As a convenience, PySide.QtNetwork.QSslSocket supports PySide.QtNetwork.QTcpSocket ‘s blocking functions PySide.QtNetwork.QSslSocket.waitForConnected() , PySide.QtNetwork.QSslSocket.waitForReadyRead() , PySide.QtNetwork.QSslSocket.waitForBytesWritten() ,和 PySide.QtNetwork.QSslSocket.waitForDisconnected() . It also provides PySide.QtNetwork.QSslSocket.waitForEncrypted() , which will block the calling thread until an encrypted connection has been established.
socket = QSslSocket()
socket.connectToHostEncrypted("http.example.com", 443)
if not socket.waitForEncrypted():
print socket.errorString()
return false
socket.write("GET / HTTP/1.0\r\n\r\n")
while socket.waitForReadyRead():
print socket.readAll().data()
PySide.QtNetwork.QSslSocket provides an extensive, easy-to-use API for handling cryptographic ciphers, private keys, and local, peer, and Certification Authority (CA) certificates. It also provides an API for handling errors that occur during the handshake phase.
The following features can also be customized:
注意
If available, root certificates on Unix (excluding Mac OS X) will be loaded on demand from the standard certificate directories. If you do not want to load root certificates on demand, you need to call either the static function PySide.QtNetwork.QSslSocket.setDefaultCaCertificates() before the first SSL handshake is made in your application, (e.g. via “QSslSocket::setDefaultCaCertificates( QSslSocket.systemCaCertificates() );”), or call PySide.QtNetwork.QSslSocket.setCaCertificates() on your PySide.QtNetwork.QSslSocket instance prior to the SSL handshake.
For more information about ciphers and certificates, refer to PySide.QtNetwork.QSslCipher and PySide.QtNetwork.QSslCertificate .
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/ ).
注意
Be aware of the difference between the PySide.QtCore.QIODevice.bytesWritten() signal and the PySide.QtNetwork.QSslSocket.encryptedBytesWritten() signal. For a PySide.QtNetwork.QTcpSocket , PySide.QtCore.QIODevice.bytesWritten() will get emitted as soon as data has been written to the TCP socket. For a PySide.QtNetwork.QSslSocket , PySide.QtCore.QIODevice.bytesWritten() will get emitted when the data is being encrypted and PySide.QtNetwork.QSslSocket.encryptedBytesWritten() will get emitted as soon as data has been written to the TCP socket.
On Symbian, processes which use this class must have the NetworkServices platform security capability. If the client process lacks this capability, operations will fail.
Platform security capabilities are added via the TARGET.CAPABILITY qmake variable.
| 参数: | parent – PySide.QtCore.QObject |
|---|
构造 PySide.QtNetwork.QSslSocket 对象。 parent 会被传递给 PySide.QtCore.QObject ‘s constructor. The new socket's cipher suite is set to the one returned by the static method PySide.QtNetwork.QSslSocket.defaultCiphers() .
描述可用连接模式为 PySide.QtNetwork.QSslSocket .
| 常量 | 描述 |
|---|---|
| QSslSocket.UnencryptedMode | The socket is unencrypted. Its behavior is identical to PySide.QtNetwork.QTcpSocket . |
| QSslSocket.SslClientMode | The socket is a client-side SSL socket. It is either alreayd encrypted, or it is in the SSL handshake phase (see QSslSocket.isEncrypted() ). |
| QSslSocket.SslServerMode | The socket is a server-side SSL socket. It is either already encrypted, or it is in the SSL handshake phase (see QSslSocket.isEncrypted() ). |
描述对等验证模式为 PySide.QtNetwork.QSslSocket . The default mode is AutoVerifyPeer , which selects an appropriate mode depending on the socket's QSocket::SslMode.
| 常量 | 描述 |
|---|---|
| QSslSocket.VerifyNone | PySide.QtNetwork.QSslSocket will not request a certificate from the peer. You can set this mode if you are not interested in the identity of the other side of the connection. The connection will still be encrypted, and your socket will still send its local certificate to the peer if it's requested. |
| QSslSocket.QueryPeer | PySide.QtNetwork.QSslSocket will request a certificate from the peer, but does not require this certificate to be valid. This is useful when you want to display peer certificate details to the user without affecting the actual SSL handshake. This mode is the default for servers. |
| QSslSocket.VerifyPeer | PySide.QtNetwork.QSslSocket will request a certificate from the peer during the SSL handshake phase, and requires that this certificate is valid. On failure, PySide.QtNetwork.QSslSocket 将发射 QSslSocket.sslErrors() signal. This mode is the default for clients. |
| QSslSocket.AutoVerifyPeer | PySide.QtNetwork.QSslSocket will automatically use QueryPeer for server sockets and VerifyPeer for client sockets. |
| 参数: | certificate – PySide.QtNetwork.QSslCertificate |
|---|
添加 certificate to this socket's CA certificate database. The CA certificate database is used by the socket during the handshake phase to validate the peer's certificate.
To add multiple certificates, use PySide.QtNetwork.QSslSocket.addCaCertificates() .
| 参数: |
|
|---|---|
| 返回类型: |
PySide.QtCore.bool |
| 参数: | certificates – |
|---|
| 参数: | certificate – PySide.QtNetwork.QSslCertificate |
|---|
添加 certificate to the default CA certificate database. Each SSL socket's CA certificate database is initialized to the default CA certificate database.
| 参数: |
|
|---|---|
| 返回类型: |
PySide.QtCore.bool |
| 参数: | certificates – |
|---|
| 返回类型: |
|---|
Returns this socket's CA certificate database. The CA certificate database is used by the socket during the handshake phase to validate the peer's certificate. It can be moodified prior to the handshake with PySide.QtNetwork.QSslSocket.addCaCertificate() , PySide.QtNetwork.QSslSocket.addCaCertificates() ,和 PySide.QtNetwork.QSslSocket.setCaCertificates() .
注意
On Unix, this method may return an empty list if the root certificates are loaded on demand.
| 返回类型: |
|---|
Returns this socket's current cryptographic cipher suite. This list is used during the socket's handshake phase for choosing a session cipher. The returned list of ciphers is ordered by descending preference. (i.e., the first cipher in the list is the most preferred cipher). The session cipher will be the first one in the list that is also supported by the peer.
By default, the handshake phase can choose any of the ciphers supported by this system's SSL libraries, which may vary from system to system. The list of ciphers supported by this system's SSL libraries is returned by PySide.QtNetwork.QSslSocket.supportedCiphers() . You can restrict the list of ciphers used for choosing the session cipher for this socket by calling PySide.QtNetwork.QSslSocket.setCiphers() with a subset of the supported ciphers. You can revert to using the entire set by calling PySide.QtNetwork.QSslSocket.setCiphers() with the list returned by PySide.QtNetwork.QSslSocket.supportedCiphers() .
You can restrict the list of ciphers used for choosing the session cipher for all sockets by calling PySide.QtNetwork.QSslSocket.setDefaultCiphers() with a subset of the supported ciphers. You can revert to using the entire set by calling PySide.QtNetwork.QSslSocket.setCiphers() with the list returned by PySide.QtNetwork.QSslSocket.supportedCiphers() .
| 参数: |
|
|---|
| 参数: |
|
|---|
| 返回类型: |
|---|
Returns the current default CA certificate database. This database is originally set to your system's default CA certificate database. If no system default database is found, an empty database will be returned. You can override the default CA certificate database with your own CA certificate database using PySide.QtNetwork.QSslSocket.setDefaultCaCertificates() .
Each SSL socket's CA certificate database is initialized to the default CA certificate database.
注意
On Unix, this method may return an empty list if the root certificates are loaded on demand.
| 返回类型: |
|---|
Returns the default cryptographic cipher suite for all sockets in this application. This list is used during the socket's handshake phase when negotiating with the peer to choose a session cipher. The list is ordered by preference (i.e., the first cipher in the list is the most preferred cipher).
By default, the handshake phase can choose any of the ciphers supported by this system's SSL libraries, which may vary from system to system. The list of ciphers supported by this system's SSL libraries is returned by PySide.QtNetwork.QSslSocket.supportedCiphers() .
| 返回类型: | PySide.QtCore.qint64 |
|---|
Returns the number of encrypted bytes that are awaiting decryption. Normally, this function will return 0 because PySide.QtNetwork.QSslSocket decrypts its incoming data as soon as it can.
| 返回类型: | PySide.QtCore.qint64 |
|---|
Returns the number of encrypted bytes that are waiting to be written to the network.
| 参数: | totalBytes – PySide.QtCore.qint64 |
|---|
| 参数: | errors – |
|---|
此槽告诉 PySide.QtNetwork.QSslSocket 去忽略错误在 PySide.QtNetwork.QSslSocket ‘s handshake phase and continue connecting. If you want to continue with the connection even if errors occur during the handshake phase, then you must call this slot, either from a slot connected to PySide.QtNetwork.QSslSocket.sslErrors() , or before the handshake phase. If you don't call this slot, either in response to errors or before the handshake, the connection will be dropped after the PySide.QtNetwork.QSslSocket.sslErrors() 信号已被发射。
If there are no errors during the SSL handshake phase (i.e., the identity of the peer is established with no problems), PySide.QtNetwork.QSslSocket will not emit the PySide.QtNetwork.QSslSocket.sslErrors() signal, and it is unnecessary to call this function.
警告
确保始终让用户审查报告的错误通过 PySide.QtNetwork.QSslSocket.sslErrors() signal, and only call this method upon confirmation from the user that proceeding is ok. If there are unexpected errors, the connection should be aborted. Calling this method without inspecting the actual errors will most likely pose a security risk for your application. Use it with great care!
| 返回类型: | PySide.QtCore.bool |
|---|
Returns true if the socket is encrypted; otherwise, false is returned.
An encrypted socket encrypts all data that is written by calling PySide.QtCore.QIODevice.write() or PySide.QtCore.QIODevice.putChar() before the data is written to the network, and decrypts all incoming data as the data is received from the network, before you call PySide.QtCore.QIODevice.read() , PySide.QtCore.QIODevice.readLine() or PySide.QtCore.QIODevice.getChar() .
PySide.QtNetwork.QSslSocket 发射 PySide.QtNetwork.QSslSocket.encrypted() when it enters encrypted mode.
可以调用 PySide.QtNetwork.QSslSocket.sessionCipher() to find which cryptographic cipher is used to encrypt and decrypt your data.
| 返回类型: | PySide.QtNetwork.QSslCertificate |
|---|
返回套接字的本地 certificate , or an empty certificate if no local certificate has been assigned.
| 返回类型: | PySide.QtNetwork.QSslSocket.SslMode |
|---|
Returns the current mode for the socket; either UnencryptedMode ,其中 PySide.QtNetwork.QSslSocket behaves identially to PySide.QtNetwork.QTcpSocket , or one of SslClientMode or SslServerMode , where the client is either negotiating or in encrypted mode.
当模式改变时, PySide.QtNetwork.QSslSocket 发射 PySide.QtNetwork.QSslSocket.modeChanged()
另请参阅
QSslSocket.SslMode
| 参数: | newMode – PySide.QtNetwork.QSslSocket.SslMode |
|---|
| 返回类型: | PySide.QtNetwork.QSslCertificate |
|---|
Returns the peer's digital certificate (i.e., the immediate certificate of the host you are connected to), or a null certificate, if the peer has not assigned a certificate.
The peer certificate is checked automatically during the handshake phase, so this function is normally used to fetch the certificate for display or for connection diagnostic purposes. It contains information about the peer, including its host name, the certificate issuer, and the peer's public key.
Because the peer certificate is set during the handshake phase, it is safe to access the peer certificate from a slot connected to the PySide.QtNetwork.QSslSocket.sslErrors() signal or the PySide.QtNetwork.QSslSocket.encrypted() 信号。
If a null certificate is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to doesn't have a certificate, or it can mean there is no connection.
If you want to check the peer's complete chain of certificates, use PySide.QtNetwork.QSslSocket.peerCertificateChain() to get them all at once.
| 返回类型: |
|---|
Returns the peer's chain of digital certificates, or an empty list of certificates.
Peer certificates are checked automatically during the handshake phase. This function is normally used to fetch certificates for display, or for performing connection diagnostics. Certificates contain information about the peer and the certificate issuers, including host name, issuer names, and issuer public keys.
The peer certificates are set in PySide.QtNetwork.QSslSocket during the handshake phase, so it is safe to call this function from a slot connected to the PySide.QtNetwork.QSslSocket.sslErrors() signal or the PySide.QtNetwork.QSslSocket.encrypted() 信号。
If an empty list is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to doesn't have a certificate, or it can mean there is no connection.
If you want to get only the peer's immediate certificate, use PySide.QtNetwork.QSslSocket.peerCertificate() .
| 返回类型: | PySide.QtCore.int |
|---|
Returns the maximum number of certificates in the peer's certificate chain to be checked during the SSL handshake phase, or 0 (the default) if no maximum depth has been set, indicating that the whole certificate chain should be checked.
The certificates are checked in issuing order, starting with the peer's own certificate, then its issuer's certificate, and so on.
| 参数: | error – PySide.QtNetwork.QSslError |
|---|
| 返回类型: | PySide.QtNetwork.QSslSocket.PeerVerifyMode |
|---|
Returns the socket's verify mode. This mode mode decides whether PySide.QtNetwork.QSslSocket should request a certificate from the peer (i.e., the client requests a certificate from the server, or a server requesting a certificate from the client), and whether it should require that this certificate is valid.
默认模式为 AutoVerifyPeer , which tells PySide.QtNetwork.QSslSocket 到使用 VerifyPeer for clients and QueryPeer for servers.
| 返回类型: | unicode |
|---|
Returns the different hostname for the certificate validation, as set by setPeerVerifyName or by connectToHostEncrypted.
| 返回类型: | PySide.QtNetwork.QSslKey |
|---|
返回此套接字的私钥。
| 返回类型: | PySide.QtNetwork.QSsl.SslProtocol |
|---|
返回套接字的 SSL 协议。默认情况下, QSsl.SecureProtocols 被使用。
| 返回类型: | PySide.QtNetwork.QSslCipher |
|---|
返回套接字的加密 cipher , or a null cipher if the connection isn't encrypted. The socket's cipher for the session is set during the handshake phase. The cipher is used to encrypt and decrypt data transmitted through the socket.
PySide.QtNetwork.QSslSocket also provides functions for setting the ordered list of ciphers from which the handshake phase will eventually select the session cipher. This ordered list must be in place before the handshake phase begins.
| 参数: | certificates – |
|---|
| 参数: | ciphers – |
|---|
| 参数: | ciphers – unicode |
|---|
Sets the cryptographic cipher suite for this socket to ciphers , which is a colon-separated list of cipher suite names. The ciphers are listed in order of preference, starting with the most preferred cipher. For example:
socket = QSslSocket()
socket.setCiphers("DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA")
Each cipher name in ciphers must be the name of a cipher in the list returned by PySide.QtNetwork.QSslSocket.supportedCiphers() . Restricting the cipher suite must be done before the handshake phase, where the session cipher is chosen.
| 参数: | certificates – |
|---|
| 参数: | ciphers – |
|---|
| 参数: | certificate – PySide.QtNetwork.QSslCertificate |
|---|
Sets the socket's local certificate to certificate . The local certificate is necessary if you need to confirm your identity to the peer. It is used together with the private key; if you set the local certificate, you must also set the private key.
The local certificate and private key are always necessary for server sockets, but are also rarely used by client sockets if the server requires the client to authenticate.
| 参数: |
|
|---|
| 参数: | depth – PySide.QtCore.int |
|---|
Sets the maximum number of certificates in the peer's certificate chain to be checked during the SSL handshake phase, to depth . Setting a depth of 0 means that no maximum depth is set, indicating that the whole certificate chain should be checked.
The certificates are checked in issuing order, starting with the peer's own certificate, then its issuer's certificate, and so on.
| 参数: | mode – PySide.QtNetwork.QSslSocket.PeerVerifyMode |
|---|
| 参数: | hostName – unicode |
|---|
Sets a different host name, given by hostName , for the certificate validation instead of the one used for the TCP connection.
| 参数: |
|
|---|
| 参数: | key – PySide.QtNetwork.QSslKey |
|---|
Sets the socket's private key to key . The private key and the local certificate are used by clients and servers that must prove their identity to SSL peers.
Both the key and the local certificate are required if you are creating an SSL server socket. If you are creating an SSL client socket, the key and local certificate are required if your client must identify itself to an SSL server.
| 参数: | protocol – PySide.QtNetwork.QSsl.SslProtocol |
|---|
| 参数: | config – PySide.QtNetwork.QSslConfiguration |
|---|
把套接字的 SSL 配置内容设为 configuration . This function sets the local certificate, the ciphers, the private key and the CA certificates to those stored in configuration .
It is not possible to set the SSL-state related fields.
| 返回类型: | PySide.QtNetwork.QSslConfiguration |
|---|
Returns the socket's SSL configuration state. The default SSL configuration of a socket is to use the default ciphers, default CA certificates, no local private key or certificate.
The SSL configuration also contains fields that can change with time without notice.
另请参阅
PySide.QtNetwork.QSslSocket.setSslConfiguration() PySide.QtNetwork.QSslSocket.localCertificate() PySide.QtNetwork.QSslSocket.peerCertificate() PySide.QtNetwork.QSslSocket.peerCertificateChain() PySide.QtNetwork.QSslSocket.sessionCipher() PySide.QtNetwork.QSslSocket.privateKey() PySide.QtNetwork.QSslSocket.ciphers() PySide.QtNetwork.QSslSocket.caCertificates()
| 返回类型: |
|---|
Returns a list of the last SSL errors that occurred. This is the same list as PySide.QtNetwork.QSslSocket passes via the PySide.QtNetwork.QSslSocket.sslErrors() signal. If the connection has been encrypted with no errors, this function will return an empty list.
| 参数: | errors – |
|---|
Starts a delayed SSL handshake for a client connection. This function can be called when the socket is in the ConnectedState but still in the UnencryptedMode . If it is not yet connected, or if it is already encrypted, this function has no effect.
Clients that implement STARTTLS functionality often make use of delayed SSL handshakes. Most other clients can avoid calling this function directly by using PySide.QtNetwork.QSslSocket.connectToHostEncrypted() instead, which automatically performs the handshake.
Starts a delayed SSL handshake for a server connection. This function can be called when the socket is in the ConnectedState but still in UnencryptedMode . If it is not connected or it is already encrypted, the function has no effect.
For server sockets, calling this function is the only way to initiate the SSL handshake. Most servers will call this function immediately upon receiving a connection, or as a result of having received a protocol-specific command to enter SSL mode (e.g, the server may respond to receiving the string “STARTTLSrn” by calling this function).
The most common way to implement an SSL server is to create a subclass of PySide.QtNetwork.QTcpServer and reimplement QTcpServer.incomingConnection() . The returned socket descriptor is then passed to QSslSocket.setSocketDescriptor() .
| 返回类型: |
|---|
Returns the list of cryptographic ciphers supported by this system. This list is set by the system's SSL libraries and may vary from system to system.
| 返回类型: | PySide.QtCore.bool |
|---|
Returns true if this platform supports SSL; otherwise, returns false. If the platform doesn't support SSL, the socket will fail in the connection phase.
| 返回类型: |
|---|
This function provides the CA certificate database provided by the operating system. The CA certificate database returned by this function is used to initialize the database returned by PySide.QtNetwork.QSslSocket.defaultCaCertificates() . You can replace that database with your own with PySide.QtNetwork.QSslSocket.setDefaultCaCertificates() .
| 参数: | msecs – PySide.QtCore.int |
|---|---|
| 返回类型: | PySide.QtCore.bool |
等待直到套接字完成 SSL 握手且有发射 PySide.QtNetwork.QSslSocket.encrypted() ,或 msecs 毫秒,以先到的为准。若 PySide.QtNetwork.QSslSocket.encrypted() has been emitted, this function returns true; otherwise (e.g., the socket is disconnected, or the SSL handshake fails), false is returned.
以下范例为加密套接字最多等待 1 秒:
socket.connectToHostEncrypted("imap", 993)
if socket.waitForEncrypted(1000):
print "Encrypted!"
若 msecs 为 -1,此函数不会超时。