bc @sPdZddlZddlZddlZddlZddlmZddlmZddl Z ddl m Z m Z m Z ddl m Z ddl mZmZmZmZmZmZddl mZmZmZdd l mZmZdd l mZmZydd l mZWnek r+nXd Zed ededededddl m Z m!Z!m"Z"m#Z#m$Z$ddl m%Z%de&j'DZ(e)Z*y e+Z,Wne-k re.Z,nXddl/m/Z/m0Z0m1Z1m2Z3ej4dkr,ddl m5Z5m6Z6nddl/m/Z/m7Z7m8Z8m9Z9ddl/m:Z:m;Z;ddl<Z<ddl=Z=ddl>Z>e j?rdgZ@ngZ@dZAdZBdeCfdYZDdd ZEd!ZFed"d#ZGd$ZHd%ed%d&fd'YZId(eIfd)YZJeJd*eJ_KeJd+eJ_Ld,e fd-YZMeJjKe.e.e.d.ZNe)e.eOeJjKe.e.e.e.e.d/ ZPePZQd0ZRd1ZSeSaTeUd2ZVd3e/fd4YZWe.e.eOee)e.eUeUe.d5 ZXd6ZYd7ZZd8Z[d9Z\d:Z]e)e.d;Z^d<Z_e.e.d=Z`dS(>s This module provides some more Pythonic support for SSL. Object types: SSLSocket -- subtype of socket.socket which does SSL over the socket Exceptions: SSLError -- exception raised for I/O errors Functions: cert_time_to_seconds -- convert time string used for certificate notBefore and notAfter functions to integer seconds past the Epoch (the time values returned from time.time()) fetch_server_certificate (HOST, PORT) -- fetch the certificate provided by the server running on HOST at port PORT. No validation of the certificate is performed. Integer constants: SSL_ERROR_ZERO_RETURN SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE SSL_ERROR_WANT_X509_LOOKUP SSL_ERROR_SYSCALL SSL_ERROR_SSL SSL_ERROR_WANT_CONNECT SSL_ERROR_EOF SSL_ERROR_INVALID_ERROR_CODE The following group define certificate requirements that one side is allowing/requiring from the other side: CERT_NONE - no certificates from the other side are required (or will be looked at if provided) CERT_OPTIONAL - certificates are not required, but if provided will be validated, and if validation fails, the connection will also fail CERT_REQUIRED - certificates are required, and will be validated, and if validation fails, the connection will also fail The following constants identify various SSL protocol variants: PROTOCOL_SSLv2 PROTOCOL_SSLv3 PROTOCOL_SSLv23 PROTOCOL_TLS PROTOCOL_TLSv1 PROTOCOL_TLSv1_1 PROTOCOL_TLSv1_2 The following constants identify various SSL alert message descriptions as per http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 ALERT_DESCRIPTION_CLOSE_NOTIFY ALERT_DESCRIPTION_UNEXPECTED_MESSAGE ALERT_DESCRIPTION_BAD_RECORD_MAC ALERT_DESCRIPTION_RECORD_OVERFLOW ALERT_DESCRIPTION_DECOMPRESSION_FAILURE ALERT_DESCRIPTION_HANDSHAKE_FAILURE ALERT_DESCRIPTION_BAD_CERTIFICATE ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE ALERT_DESCRIPTION_CERTIFICATE_REVOKED ALERT_DESCRIPTION_CERTIFICATE_EXPIRED ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN ALERT_DESCRIPTION_ILLEGAL_PARAMETER ALERT_DESCRIPTION_UNKNOWN_CA ALERT_DESCRIPTION_ACCESS_DENIED ALERT_DESCRIPTION_DECODE_ERROR ALERT_DESCRIPTION_DECRYPT_ERROR ALERT_DESCRIPTION_PROTOCOL_VERSION ALERT_DESCRIPTION_INSUFFICIENT_SECURITY ALERT_DESCRIPTION_INTERNAL_ERROR ALERT_DESCRIPTION_USER_CANCELLED ALERT_DESCRIPTION_NO_RENEGOTIATION ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE ALERT_DESCRIPTION_UNRECOGNIZED_NAME ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY iN(t namedtuple(tclosing(tOPENSSL_VERSION_NUMBERtOPENSSL_VERSION_INFOtOPENSSL_VERSION(t _SSLContext(tSSLErrortSSLZeroReturnErrortSSLWantReadErrortSSLWantWriteErrortSSLSyscallErrort SSLEOFError(t CERT_NONEt CERT_OPTIONALt CERT_REQUIRED(ttxt2objtnid2obj(t RAND_statustRAND_add(tRAND_egdcCsCx<ttD].}|j|r tt|t|s (tsockett _fileobjectt_delegate_methodsterrortwin32(tenum_certificatest enum_crls(R+tAF_INETt SOCK_STREAMtcreate_connection(t SOL_SOCKETtSO_TYPEs tls-uniquesTLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DESsTLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DEStCertificateErrorcBseZRS((t__name__t __module__(((s/usr/lib/python2.7/ssl.pyR7sic CsRg}|stS|jd}|d}|d}|jd}||krgtdt|n|s|j|jkS|dkr|jdnY|jds|jdr|jtj |n"|jtj |j dd x$|D]}|jtj |qWtj d d j |d tj } | j|S( shMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 t.iit*s,too many wildcards in certificate DNS name: s[^.]+sxn--s\*s[^.]*s\As\.s\Z(tFalsetsplittcountR7treprtlowertappendRtretescapetreplacetcompiletjoint IGNORECASEtmatch( tdnthostnamet max_wildcardstpatstpiecestleftmostt remaindert wildcardstfragtpat((s/usr/lib/python2.7/ssl.pyt_dnsname_matchs*    " &cCs[|stdng}|jdd }xC|D];\}}|dkr4t||r_dS|j|q4q4W|sxc|jddD]L}xC|D];\}}|dkrt||rdS|j|qqWqWnt|dkrtd|d jtt|fn;t|dkrKtd ||d fn td dS(s)Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed, but IP addresses are not accepted for *hostname*. CertificateError is raised on failure. On success, the function returns nothing. stempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDtsubjectAltNametDNSNtsubjectt commonNameis&hostname %r doesn't match either of %ss, shostname %r doesn't match %ris=no appropriate commonName or subjectAltName fields were found((( t ValueErrortgetRSRAtlenR7RFtmapR?(tcertRJtdnsnamestsantkeyR*tsub((s/usr/lib/python2.7/ssl.pytmatch_hostnames.  %tDefaultVerifyPathssQcafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capathcCstj}tjj|d|d}tjj|d|d}ttjj|ra|ndtjj |r||nd|S(s/Return paths to default cafile and capath. iiiiN( Rtget_default_verify_pathstostenvironRYRbtpathtisfiletNonetisdir(tpartstcafiletcapath((s/usr/lib/python2.7/ssl.pyRc.s  t _ASN1Objectsnid shortname longname oidcBs;eZdZdZdZedZedZRS(s#ASN.1 object identifier lookup cCs%tt|j|t|dtS(NR)(tsuperRmt__new__t_txt2objR<(tclstoid((s/usr/lib/python2.7/ssl.pyRoAscCstt|j|t|S(s3Create _ASN1Object from OpenSSL numeric ID (RnRmRot_nid2obj(Rqtnid((s/usr/lib/python2.7/ssl.pytfromnidDscCs%tt|j|t|dtS(s=Create _ASN1Object from short name, long name or OID R)(RnRmRoRptTrue(RqR)((s/usr/lib/python2.7/ssl.pytfromnameJs((R8R9t__doc__t __slots__Rot classmethodRuRw(((s/usr/lib/python2.7/ssl.pyRm<s  tPurposecBseZdZRS(sDSSLContext purpose flags with X509v3 Extended Key Usage objects (R8R9Rx(((s/usr/lib/python2.7/ssl.pyR{Qss1.3.6.1.5.5.7.3.1s1.3.6.1.5.5.7.3.2t SSLContextcBskeZdZd Zd ZdZdZeeeddZ dZ d Z d Z ejd ZRS(s|An SSLContext holds various SSL-related configuration options and data, such as certificates and possibly a private key.tprotocolt __weakref__tCAtROOTcOs2tj||}|tkr.|jtn|S(N(RRot_SSLv2_IF_EXISTSt set_cipherst_DEFAULT_CIPHERS(RqR}targstkwargstself((s/usr/lib/python2.7/ssl.pyRo`s cCs ||_dS(N(R}(RR}((s/usr/lib/python2.7/ssl.pyt__init__fsc Cs+td|d|d|d|d|d|S(Ntsockt server_sidetdo_handshake_on_connecttsuppress_ragged_eofstserver_hostnamet_context(t SSLSocket(RRRRRR((s/usr/lib/python2.7/ssl.pyt wrap_socketis cCst}xp|D]h}|jd}t|dksIt|dkrXtdn|jt||j|qW|j|dS(Ntasciiiis(NPN protocols must be 1 to 255 in length(t bytearraytencodeRZRRAtextendt_set_npn_protocols(Rt npn_protocolstprotosR}tb((s/usr/lib/python2.7/ssl.pytset_npn_protocolsss  $cCst}xp|D]h}|jd}t|dksIt|dkrXtdn|jt||j|qW|j|dS(NRiis)ALPN protocols must be 1 to 255 in length(RRRZRRARt_set_alpn_protocols(Rtalpn_protocolsRR}R((s/usr/lib/python2.7/ssl.pytset_alpn_protocols~s  $cCst}y^xWt|D]I\}}}|dkr|tksO|j|krb|j|qbqqWWntk rtjdnX|r|jd|n|S(Ntx509_asns-unable to enumerate Windows certificate storetcadata( RR0RvRrRtOSErrortwarningstwarntload_verify_locations(Rt storenametpurposetcertsR\tencodingttrust((s/usr/lib/python2.7/ssl.pyt_load_windows_store_certss   cCsbt|tst|ntjdkrTx$|jD]}|j||q7Wn|jdS(NR/(t isinstanceRmt TypeErrortsystplatformt_windows_cert_storesRtset_default_verify_paths(RRR((s/usr/lib/python2.7/ssl.pytload_default_certss (R}R~(RRN(R8R9RxRyRRoRR<RvRhRRRRR{t SERVER_AUTHR(((s/usr/lib/python2.7/ssl.pyR|Ys    cCst|tst|ntt}|tjkrNt|_t |_ n|tj krm|j t n|s|s|r|j|||n|jtkr|j|n|S(sCreate a SSLContext object with default settings. NOTE: The protocol and settings may change anytime without prior deprecation. The values represent a fair balance between maximum compatibility and security. (RRmRR|t PROTOCOL_TLSR{RRt verify_modeRvtcheck_hostnamet CLIENT_AUTHRt_RESTRICTED_SERVER_CIPHERSRR R(RRkRlRtcontext((s/usr/lib/python2.7/ssl.pytcreate_default_contexts   c Cst|tst|nt|} |dk rB|| _n|| _|rg| rgtdn|ss|r| j||n|s|s|r| j |||n| jt kr| j |n| S(s/Create a SSLContext object for Python stdlib modules All Python stdlib modules shall use this function to create SSLContext objects in order to keep common settings in one place. The configuration is less restrict than create_default_context()'s to increase backward compatibility. scertfile must be specifiedN( RRmRR|RhRRRXtload_cert_chainRR R( R}t cert_reqsRRtcertfiletkeyfileRkRlRR((s/usr/lib/python2.7/ssl.pyt_create_unverified_contexts       tPYTHONHTTPSVERIFYcCs5tjjs1tjjt}|dkr1tSntS(Nt0( Rtflagstignore_environmentRdReRYt_https_verify_envvarRR(tconfig_setting((s/usr/lib/python2.7/ssl.pyt_get_https_context_factorys   cCs|rtantadS(s,Verify server HTTPS certificates by default?N(Rt_create_default_https_contextR(tenable((s/usr/lib/python2.7/ssl.pyt_https_verify_certificatess RcBseZdZd'd'd'eeed'eee dd'ed'd'd'd'dZ e dZ e j dZ dZd'dZdZdd'd Zd Zed Zd Zd ZdZdZddZd'dZddZdddZd'ddZdddZd'ddZdZdZ dZ!dZ"dZ#edZ$dZ%dZ&dZ'd Z(d!d"d#Z)d$d%Z*d&Z+RS((sThis class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.icCsd|_|r||_n|r7| r7tdn|rS| rStdn|ri| ri|}nt||_||j_|r|jj|n|r|jj||n|r|jj|n|r|jj|n||_ ||_ ||_ ||_ ||_ ||_|jtttkrHtdntj|d|jx3tD]+}yt||Wqetk rqeXqeW|r|rtdn|jjr| rtdn||_||_||_| |_y|jWn1t k r6}|j!t!j"kr-nt#}nXt$}t#|_%d|_'||_(|ryb|jj)|j||d||_'|r|j*}|d krtd n|j+nWqt,tfk r|j-qXndS( Nis5certfile must be specified for server-side operationsscertfile must be specifieds!only stream sockets are supportedt_socks4server_hostname can only be specified in client modes'check_hostname requires server_hostnametssl_sockgsHdo_handshake_on_connect should not be specified for non-blocking sockets(.t_makefile_refsRRXR|RRRRRRRRt ssl_versiontca_certstcipherst getsockoptR5R6R3tNotImplementedErrorR+RRR-tdelattrtAttributeErrorRRRRRt getpeernamet socket_errorterrnotENOTCONNR<Rvt_closedRht_sslobjt _connectedt _wrap_sockett gettimeoutt do_handshakeRtclose(RRRRRRRRRtfamilyttypetprototfilenoRRRRRtattrtet connectedttimeout((s/usr/lib/python2.7/ssl.pyRs~                           cCs|jS(N(R(R((s/usr/lib/python2.7/ssl.pyR]scCs||_||j_dS(N(RRR(Rtctx((s/usr/lib/python2.7/ssl.pyRas cCstd|jjdS(NsCan't dup() %s instances(Rt __class__R8(R((s/usr/lib/python2.7/ssl.pytdupfscCsdS(N((Rtmsg((s/usr/lib/python2.7/ssl.pyt _checkClosedjscCs|js|jndS(N(RR(R((s/usr/lib/python2.7/ssl.pyt_check_connectedns icCs|j|js"tdny>|dk rI|jj||}n|jj|}|SWnItk r}|jdtkr|jr|dk rdSdSqnXdS(sORead up to LEN bytes and return them. Return zero-length string on EOF.s'Read on closed or unwrapped SSL socket.itN( RRRXRhtreadRRt SSL_ERROR_EOFR(RRZtbuffertvtx((s/usr/lib/python2.7/ssl.pyRvs    cCs2|j|js"tdn|jj|S(shWrite DATA to the underlying SSL channel. Returns number of bytes of DATA actually transmitted.s(Write on closed or unwrapped SSL socket.(RRRXtwrite(Rtdata((s/usr/lib/python2.7/ssl.pyRs  cCs$|j|j|jj|S(sReturns a formatted version of the data in the certificate provided by the other end of the SSL channel. Return None if no certificate was provided, {} if a certificate was provided, but not validated.(RRRtpeer_certificate(Rt binary_form((s/usr/lib/python2.7/ssl.pyt getpeercerts  cCs3|j|j stj r"dS|jjSdS(N(RRRR#Rhtselected_npn_protocol(R((s/usr/lib/python2.7/ssl.pyRs cCs3|j|j stj r"dS|jjSdS(N(RRRR$Rhtselected_alpn_protocol(R((s/usr/lib/python2.7/ssl.pyRs cCs(|j|jsdS|jjSdS(N(RRRhtcipher(R((s/usr/lib/python2.7/ssl.pyRs  cCs(|j|jsdS|jjSdS(N(RRRht compression(R((s/usr/lib/python2.7/ssl.pyRs  cCs|j|jr|dkr5td|jny|jj|}WnDtk r}|jdtkrtdS|jdtkrdSqX|Sn|j j ||SdS(Nis3non-zero flags not allowed in calls to send() on %s( RRRXRRRRtSSL_ERROR_WANT_READtSSL_ERROR_WANT_WRITERtsend(RRRRR((s/usr/lib/python2.7/ssl.pyRs    cCsb|j|jr)td|jn5|dkrH|jj||S|jj|||SdS(Ns%sendto not allowed on instances of %s(RRRXRRhRtsendto(RRt flags_or_addrtaddr((s/usr/lib/python2.7/ssl.pyRs   cCs|j|jr{|dkr5td|jnt|}d}x-||krv|j||}||7}qJW|Stj|||SdS(Nis6non-zero flags not allowed in calls to sendall() on %s(RRRXRRZRR+tsendall(RRRtamountR>R((s/usr/lib/python2.7/ssl.pyRs    cCsY|j|jrB|dkr5td|jn|j|S|jj||SdS(Nis3non-zero flags not allowed in calls to recv() on %s(RRRXRRRtrecv(RtbuflenR((s/usr/lib/python2.7/ssl.pyRs    cCs|j|r+|dkr+t|}n|dkr@d}n|jr{|dkrktd|jn|j||S|jj|||SdS(Niis8non-zero flags not allowed in calls to recv_into() on %s( RRhRZRRXRRRt recv_into(RRtnbytesR((s/usr/lib/python2.7/ssl.pyRs     cCs@|j|jr)td|jn|jj||SdS(Ns'recvfrom not allowed on instances of %s(RRRXRRtrecvfrom(RRR((s/usr/lib/python2.7/ssl.pyRs   cCsC|j|jr)td|jn|jj|||SdS(Ns,recvfrom_into not allowed on instances of %s(RRRXRRt recvfrom_into(RRRR((s/usr/lib/python2.7/ssl.pyR s   cCs(|j|jr |jjSdSdS(Ni(RRtpending(R((s/usr/lib/python2.7/ssl.pyRs   cCs'|jd|_tj||dS(N(RRhRR+tshutdown(Rthow((s/usr/lib/python2.7/ssl.pyRs  cCs;|jdkr(d|_tj|n|jd8_dS(Ni(RRhRR+R(R((s/usr/lib/python2.7/ssl.pyR"s cCs?|jr%|jj}d|_|Stdt|dS(NsNo SSL wrapper around (RRRhRXtstr(Rts((s/usr/lib/python2.7/ssl.pytunwrap)s   cCsd|_tj|dS(N(RhRR+t _real_close(R((s/usr/lib/python2.7/ssl.pyR 1s cCs|j|j}z3|dkr;|r;|jdn|jjWd|j|X|jjr|js~t dnt |j |jndS(sPerform a TLS/SSL handshake.gNs-check_hostname needs server_hostname argument( RRt settimeoutRhRRRRRRXRaR(RtblockR((s/usr/lib/python2.7/ssl.pyR5s    cCs|jrtdn|jr0tdn|jj|jt|jd||_ya|rut j ||}nd}t j |||st |_|jr|jqn|SWn#ttfk rd|_nXdS(Ns!can't connect in server-side modes/attempt to connect already-connected SSLSocket!R(RRXRRRRR<RRR+t connect_exRhtconnectRvRRR(RRRtrc((s/usr/lib/python2.7/ssl.pyt _real_connectFs$  '   cCs|j|tdS(sQConnects to remote ADDR, and then wraps the connection in an SSL channel.N(RR<(RR((s/usr/lib/python2.7/ssl.pyR]scCs|j|tS(sQConnects to remote ADDR, and then wraps the connection in an SSL channel.(RRv(RR((s/usr/lib/python2.7/ssl.pyRbscCsItj|\}}|jj|d|jd|jdt}||fS(sAccepts a new connection from a remote client, and returns a tuple containing that new connection wrapped with a server-side SSL channel, and the address of the remote client.RRR(R+tacceptRRRRRv(RtnewsockR((s/usr/lib/python2.7/ssl.pyRgs    tricCs%|jd7_t|||dtS(sMake and return a file-like object that works with the SSL connection. Just use the code from the socket module.iR(RR,Rv(Rtmodetbufsize((s/usr/lib/python2.7/ssl.pytmakefilesss tls-uniquecCs_|tkrtdn|dkr?tdj|n|jdkrRdS|jjS(sGet channel binding data for current connection. Raise ValueError if the requested `cb_type` is not supported. Return bytes of the data or None if the data is not available (e.g. before the handshake). s Unsupported channel binding types tls-uniques({0} channel binding type not implementedN(tCHANNEL_BINDING_TYPESRXRtformatRRht tls_unique_cb(Rtcb_type((s/usr/lib/python2.7/ssl.pytget_channel_binding~s  cCs |jdkrdS|jjS(s Return a string identifying the protocol version used by the current SSL channel, or None if there is no established channel. N(RRhtversion(R((s/usr/lib/python2.7/ssl.pyRsN(,R8R9RxRhR<R RRvR2R3RtpropertyRtsetterRRRRRRRRRRRRRRRRRRRRR R RRRRRRRR(((s/usr/lib/python2.7/ssl.pyRsR    Q                     c CsCtd|d|d|d|d|d|d|d|d |d | S( NRRRRRRRRRR(R( RRRRRRRRRR((s/usr/lib/python2.7/ssl.pyRs   c Csddlm}ddlm}d}d}y!|j|d jd}Wn'tk rvtd||fn3X||d|}||d|f|dd!SdS(sReturn the time in seconds since the Epoch, given the timestring representing the "notBefore" or "notAfter" date from a certificate in ``"%b %d %H:%M:%S %Y %Z"`` strptime format (C locale). "notBefore" or "notAfter" dates must use UTC (RFC 5280). Month is one of: Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec UTC should be specified as GMT (see ASN1_TIME_print()) i(tstrptime(ttimegmtJantFebtMartAprtMaytJuntJultAugtSeptOcttNovtDecs %d %H:%M:%S %Y GMTiis*time data %r does not match format "%%b%s"iiiN( R#R$R%R&R'R(R)R*R+R,R-R.(ttimeR!tcalendarR"tindexttitleRX(t cert_timeR!R"tmonthst time_formatt month_numberttt((s/usr/lib/python2.7/ssl.pytcert_time_to_secondss ! s-----BEGIN CERTIFICATE-----s-----END CERTIFICATE-----cCs<tj|jd}tdtj|ddtdS(s[Takes a certificate in binary DER format and returns the PEM version of it as a string.Rs i@(tbase64tstandard_b64encodetdecodet PEM_HEADERttextwraptfillt PEM_FOOTER(tder_cert_bytestf((s/usr/lib/python2.7/ssl.pytDER_cert_to_PEM_certscCs|jts"tdtn|jjtsJtdtn|jtttt !}tj|j ddS(shTakes a certificate in ASCII PEM format and returns the DER-encoded version of it as a byte sequences(Invalid PEM encoding; must start with %ss&Invalid PEM encoding; must end with %stASCIItstrict( RR<RXtstriptendswithR?RZR9t decodestringR(tpem_cert_stringtd((s/usr/lib/python2.7/ssl.pytPEM_cert_to_DER_certs   c Cs|\}}|dk r!t}nt}t|d|d|}tt|4}t|j|}|jt} WdQXWdQXt | S(sRetrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it. If 'ssl_version' is specified, use it in the connection attempt.RRkN( RhRR t_create_stdlib_contextRR4RRRvRB( RRRthosttportRRRtsslsocktdercert((s/usr/lib/python2.7/ssl.pytget_server_certificates     cCstj|dS(Ns (t_PROTOCOL_NAMESRY(t protocol_code((s/usr/lib/python2.7/ssl.pytget_protocol_namescCst|dr|j}ntt}|s3|rF|j||n|j|dt}y|jWntk r|n X|j |S(sA replacement for the old socket.ssl function. Designed for compability with Python 2.5 and earlier. Will disappear in Python 3.0.RR( thasattrRR|R'RRR<RRR(RRRRR((s/usr/lib/python2.7/ssl.pytsslwrap_simples     (aRxR=RBRRdt collectionsRt contextlibRRRRRRRRRR R R R R RRRpRRsRRRt ImportErrorRR!R"R#R$R%R&RtitemsRQRR'tPROTOCOL_SSLv2Rt NameErrorRhR+R,R-R.RRR0R1R2R3R4R5R6R9RRtHAS_TLS_UNIQUERRRRXR7RSRaRbRcRmR{RRR|RR<RRKRRRRvRRRR8R<R?RBRJRPRSRU(((s/usr/lib/python2.7/ssl.pytYs     .       (   ""      3 +  G  %