,bc @sJdZddlZddlZddlZddlZddlmZddlmZddl Z ddl m Z m Z m Z ddl m Z ddl mZmZmZmZmZmZddl mZmZmZdd l mZmZdd l mZmZydd l mZWnek r+nXd Zed ededededddl m Z m!Z!m"Z"m#Z#ddl m$Z$de%j&DZ'e(Z)y e*Z+Wne,k re-Z+nXddl.m.Z.m/Z/m0Z0m1Z2ej3dkr&ddl m4Z4m5Z5nddl.m.Z.m6Z6m7Z7m8Z8ddl.m9Z9m:Z:ddl;Z;ddl<Z<ddl=Z=e j>rdgZ?ngZ?dZ@dZAdeBfdYZCdd ZDd!ZEed"d#ZFd$ZGd%ed%d&fd'YZHd(eHfd)YZIeId*eI_JeId+eI_Kd,e fd-YZLeIjJe-e-e-d.ZMe(e-eNeIjJe-e-e-e-e-d/ ZOeOZPd0ZQd1ZReRaSeTd2ZUd3e.fd4YZVe-e-eNee(e-eTeTe-d5 ZWd6ZXd7ZYd8ZZd9Z[d:Z\e(e-d;Z]d<Z^e-e-d=Z_dS(>s This module provides some more Pythonic support for SSL. Object types: SSLSocket -- subtype of socket.socket which does SSL over the socket Exceptions: SSLError -- exception raised for I/O errors Functions: cert_time_to_seconds -- convert time string used for certificate notBefore and notAfter functions to integer seconds past the Epoch (the time values returned from time.time()) fetch_server_certificate (HOST, PORT) -- fetch the certificate provided by the server running on HOST at port PORT. No validation of the certificate is performed. Integer constants: SSL_ERROR_ZERO_RETURN SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE SSL_ERROR_WANT_X509_LOOKUP SSL_ERROR_SYSCALL SSL_ERROR_SSL SSL_ERROR_WANT_CONNECT SSL_ERROR_EOF SSL_ERROR_INVALID_ERROR_CODE The following group define certificate requirements that one side is allowing/requiring from the other side: CERT_NONE - no certificates from the other side are required (or will be looked at if provided) CERT_OPTIONAL - certificates are not required, but if provided will be validated, and if validation fails, the connection will also fail CERT_REQUIRED - certificates are required, and will be validated, and if validation fails, the connection will also fail The following constants identify various SSL protocol variants: PROTOCOL_SSLv2 PROTOCOL_SSLv3 PROTOCOL_SSLv23 PROTOCOL_TLS PROTOCOL_TLSv1 PROTOCOL_TLSv1_1 PROTOCOL_TLSv1_2 The following constants identify various SSL alert message descriptions as per http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 ALERT_DESCRIPTION_CLOSE_NOTIFY ALERT_DESCRIPTION_UNEXPECTED_MESSAGE ALERT_DESCRIPTION_BAD_RECORD_MAC ALERT_DESCRIPTION_RECORD_OVERFLOW ALERT_DESCRIPTION_DECOMPRESSION_FAILURE ALERT_DESCRIPTION_HANDSHAKE_FAILURE ALERT_DESCRIPTION_BAD_CERTIFICATE ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE ALERT_DESCRIPTION_CERTIFICATE_REVOKED ALERT_DESCRIPTION_CERTIFICATE_EXPIRED ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN ALERT_DESCRIPTION_ILLEGAL_PARAMETER ALERT_DESCRIPTION_UNKNOWN_CA ALERT_DESCRIPTION_ACCESS_DENIED ALERT_DESCRIPTION_DECODE_ERROR ALERT_DESCRIPTION_DECRYPT_ERROR ALERT_DESCRIPTION_PROTOCOL_VERSION ALERT_DESCRIPTION_INSUFFICIENT_SECURITY ALERT_DESCRIPTION_INTERNAL_ERROR ALERT_DESCRIPTION_USER_CANCELLED ALERT_DESCRIPTION_NO_RENEGOTIATION ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE ALERT_DESCRIPTION_UNRECOGNIZED_NAME ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY iN(t namedtuple(tclosing(tOPENSSL_VERSION_NUMBERtOPENSSL_VERSION_INFOtOPENSSL_VERSION(t _SSLContext(tSSLErrortSSLZeroReturnErrortSSLWantReadErrortSSLWantWriteErrortSSLSyscallErrort SSLEOFError(t CERT_NONEt CERT_OPTIONALt CERT_REQUIRED(ttxt2objtnid2obj(t RAND_statustRAND_add(tRAND_egdcCsCx<ttD].}|j|r tt|t|s (tsockett _fileobjectt_delegate_methodsterrortwin32(tenum_certificatest enum_crls(R*tAF_INETt SOCK_STREAMtcreate_connection(t SOL_SOCKETtSO_TYPEs tls-uniquesECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DESsECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DEStCertificateErrorcBseZRS((t__name__t __module__(((s/usr/lib/python2.7/ssl.pyR6sic CsRg}|stS|jd}|d}|d}|jd}||krgtdt|n|s|j|jkS|dkr|jdnY|jds|jdr|jtj |n"|jtj |j dd x$|D]}|jtj |qWtj d d j |d tj } | j|S( shMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 t.iit*s,too many wildcards in certificate DNS name: s[^.]+sxn--s\*s[^.]*s\As\.s\Z(tFalsetsplittcountR6treprtlowertappendRtretescapetreplacetcompiletjoint IGNORECASEtmatch( tdnthostnamet max_wildcardstpatstpiecestleftmostt remaindert wildcardstfragtpat((s/usr/lib/python2.7/ssl.pyt_dnsname_matchs*    " &cCs[|stdng}|jdd }xC|D];\}}|dkr4t||r_dS|j|q4q4W|sxc|jddD]L}xC|D];\}}|dkrt||rdS|j|qqWqWnt|dkrtd|d jtt|fn;t|dkrKtd ||d fn td dS(s)Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed, but IP addresses are not accepted for *hostname*. CertificateError is raised on failure. On success, the function returns nothing. stempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDtsubjectAltNametDNSNtsubjectt commonNameis&hostname %r doesn't match either of %ss, shostname %r doesn't match %ris=no appropriate commonName or subjectAltName fields were found((( t ValueErrortgetRRR@tlenR6REtmapR>(tcertRItdnsnamestsantkeyR)tsub((s/usr/lib/python2.7/ssl.pytmatch_hostnames.  %tDefaultVerifyPathssQcafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capathcCstj}tjj|d|d}tjj|d|d}ttjj|ra|ndtjj |r||nd|S(s/Return paths to default cafile and capath. iiiiN( Rtget_default_verify_pathstostenvironRXRatpathtisfiletNonetisdir(tpartstcafiletcapath((s/usr/lib/python2.7/ssl.pyRb(s  t _ASN1Objectsnid shortname longname oidcBs;eZdZdZdZedZedZRS(s#ASN.1 object identifier lookup cCs%tt|j|t|dtS(NR((tsuperRlt__new__t_txt2objR;(tclstoid((s/usr/lib/python2.7/ssl.pyRn;scCstt|j|t|S(s3Create _ASN1Object from OpenSSL numeric ID (RmRlRnt_nid2obj(Rptnid((s/usr/lib/python2.7/ssl.pytfromnid>scCs%tt|j|t|dtS(s=Create _ASN1Object from short name, long name or OID R((RmRlRnRotTrue(RpR(((s/usr/lib/python2.7/ssl.pytfromnameDs((R7R8t__doc__t __slots__Rnt classmethodRtRv(((s/usr/lib/python2.7/ssl.pyRl6s  tPurposecBseZdZRS(sDSSLContext purpose flags with X509v3 Extended Key Usage objects (R7R8Rw(((s/usr/lib/python2.7/ssl.pyRzKss1.3.6.1.5.5.7.3.1s1.3.6.1.5.5.7.3.2t SSLContextcBskeZdZd Zd ZdZdZeeeddZ dZ d Z d Z ejd ZRS(s|An SSLContext holds various SSL-related configuration options and data, such as certificates and possibly a private key.tprotocolt __weakref__tCAtROOTcOs2tj||}|tkr.|jtn|S(N(RRnt_SSLv2_IF_EXISTSt set_cipherst_DEFAULT_CIPHERS(RpR|targstkwargstself((s/usr/lib/python2.7/ssl.pyRnZs cCs ||_dS(N(R|(RR|((s/usr/lib/python2.7/ssl.pyt__init__`sc Cs+td|d|d|d|d|d|S(Ntsockt server_sidetdo_handshake_on_connecttsuppress_ragged_eofstserver_hostnamet_context(t SSLSocket(RRRRRR((s/usr/lib/python2.7/ssl.pyt wrap_socketcs cCst}xp|D]h}|jd}t|dksIt|dkrXtdn|jt||j|qW|j|dS(Ntasciiiis(NPN protocols must be 1 to 255 in length(t bytearraytencodeRYRR@textendt_set_npn_protocols(Rt npn_protocolstprotosR|tb((s/usr/lib/python2.7/ssl.pytset_npn_protocolsms  $cCst}xp|D]h}|jd}t|dksIt|dkrXtdn|jt||j|qW|j|dS(NRiis)ALPN protocols must be 1 to 255 in length(RRRYRR@Rt_set_alpn_protocols(Rtalpn_protocolsRR|R((s/usr/lib/python2.7/ssl.pytset_alpn_protocolsxs  $cCst}y^xWt|D]I\}}}|dkr|tksO|j|krb|j|qbqqWWntk rtjdnX|r|jd|n|S(Ntx509_asns-unable to enumerate Windows certificate storetcadata( RR/RuRqRtOSErrortwarningstwarntload_verify_locations(Rt storenametpurposetcertsR[tencodingttrust((s/usr/lib/python2.7/ssl.pyt_load_windows_store_certss   cCsbt|tst|ntjdkrTx$|jD]}|j||q7Wn|jdS(NR.(t isinstanceRlt TypeErrortsystplatformt_windows_cert_storesRtset_default_verify_paths(RRR((s/usr/lib/python2.7/ssl.pytload_default_certss (R|R}(R~RN(R7R8RwRxRRnRR;RuRgRRRRRzt SERVER_AUTHR(((s/usr/lib/python2.7/ssl.pyR{Ss    cCsBt|tst|ntt}|jtO_|jtO_|jtt ddO_|t j krt |_ t|_np|t jkr|jtt ddO_|jtt ddO_|jtt ddO_|jtn|s |s |r|j|||n|j tkr>|j|n|S(sCreate a SSLContext object with default settings. NOTE: The protocol and settings may change anytime without prior deprecation. The values represent a fair balance between maximum compatibility and security. tOP_NO_COMPRESSIONitOP_CIPHER_SERVER_PREFERENCEtOP_SINGLE_DH_USEtOP_SINGLE_ECDH_USE(RRlRR{t PROTOCOL_TLStoptionst OP_NO_SSLv2t OP_NO_SSLv3RRRzRRt verify_modeRutcheck_hostnamet CLIENT_AUTHRt_RESTRICTED_SERVER_CIPHERSRR R(RRjRkRtcontext((s/usr/lib/python2.7/ssl.pytcreate_default_contexts&   c Cst|tst|nt|} | jtO_| jtO_|dk r`|| _n|| _ |r| rt dn|s|r| j ||n|s|s|r| j |||n| jt kr| j|n| S(s/Create a SSLContext object for Python stdlib modules All Python stdlib modules shall use this function to create SSLContext objects in order to keep common settings in one place. The configuration is less restrict than create_default_context()'s to increase backward compatibility. scertfile must be specifiedN(RRlRR{RRRRgRRRWtload_cert_chainRR R( R|t cert_reqsRRtcertfiletkeyfileRjRkRR((s/usr/lib/python2.7/ssl.pyt_create_unverified_contexts"       tPYTHONHTTPSVERIFYcCs5tjjs1tjjt}|dkr1tSntS(Nt0( Rtflagstignore_environmentRcRdRXt_https_verify_envvarRR(tconfig_setting((s/usr/lib/python2.7/ssl.pyt_get_https_context_factorys   cCs|rtantadS(s,Verify server HTTPS certificates by default?N(Rt_create_default_https_contextR(tenable((s/usr/lib/python2.7/ssl.pyt_https_verify_certificatess RcBseZdZd'd'd'eeed'eee dd'ed'd'd'd'dZ e dZ e j dZ dZd'dZdZdd'd Zd Zed Zd Zd ZdZdZddZd'dZddZdddZd'ddZdddZd'ddZdZdZ dZ!dZ"dZ#edZ$dZ%dZ&dZ'd Z(d!d"d#Z)d$d%Z*d&Z+RS((sThis class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.icCsd|_|r||_n|r7| r7tdn|rS| rStdn|ri| ri|}nt||_||j_|r|jj|n|r|jj||n|r|jj|n|r|jj|n||_ ||_ ||_ ||_ ||_ ||_|jtttkrHtdntj|d|jx3tD]+}yt||Wqetk rqeXqeW|r|rtdn|jjr| rtdn||_||_||_| |_y|jWn1t k r6}|j!t!j"kr-nt#}nXt$}t#|_%d|_'||_(|ryb|jj)|j||d||_'|r|j*}|d krtd n|j+nWqt,tfk r|j-qXndS( Nis5certfile must be specified for server-side operationsscertfile must be specifieds!only stream sockets are supportedt_socks4server_hostname can only be specified in client modes'check_hostname requires server_hostnametssl_sockgsHdo_handshake_on_connect should not be specified for non-blocking sockets(.t_makefile_refsRRWR{RRRRRRRRt ssl_versiontca_certstcipherst getsockoptR4R5R2tNotImplementedErrorR*RRR,tdelattrtAttributeErrorRRRRRt getpeernamet socket_errorterrnotENOTCONNR;Rut_closedRgt_sslobjt _connectedt _wrap_sockett gettimeoutt do_handshakeRtclose(RRRRRRRRRtfamilyttypetprototfilenoRRRRRtattrtet connectedttimeout((s/usr/lib/python2.7/ssl.pyRs~                           cCs|jS(N(R(R((s/usr/lib/python2.7/ssl.pyRiscCs||_||j_dS(N(RRR(Rtctx((s/usr/lib/python2.7/ssl.pyRms cCstd|jjdS(NsCan't dup() %s instances(tNotImplementedt __class__R7(R((s/usr/lib/python2.7/ssl.pytduprscCsdS(N((Rtmsg((s/usr/lib/python2.7/ssl.pyt _checkClosedvscCs|js|jndS(N(RR(R((s/usr/lib/python2.7/ssl.pyt_check_connectedzs icCs|j|js"tdny>|dk rI|jj||}n|jj|}|SWnItk r}|jdtkr|jr|dk rdSdSqnXdS(sORead up to LEN bytes and return them. Return zero-length string on EOF.s'Read on closed or unwrapped SSL socket.itN( RRRWRgtreadRRt SSL_ERROR_EOFR(RRYtbuffertvtx((s/usr/lib/python2.7/ssl.pyRs    cCs2|j|js"tdn|jj|S(shWrite DATA to the underlying SSL channel. Returns number of bytes of DATA actually transmitted.s(Write on closed or unwrapped SSL socket.(RRRWtwrite(Rtdata((s/usr/lib/python2.7/ssl.pyRs  cCs$|j|j|jj|S(sReturns a formatted version of the data in the certificate provided by the other end of the SSL channel. Return None if no certificate was provided, {} if a certificate was provided, but not validated.(RRRtpeer_certificate(Rt binary_form((s/usr/lib/python2.7/ssl.pyt getpeercerts  cCs3|j|j stj r"dS|jjSdS(N(RRRR#Rgtselected_npn_protocol(R((s/usr/lib/python2.7/ssl.pyRs cCs3|j|j stj r"dS|jjSdS(N(RRRR$Rgtselected_alpn_protocol(R((s/usr/lib/python2.7/ssl.pyRs cCs(|j|jsdS|jjSdS(N(RRRgtcipher(R((s/usr/lib/python2.7/ssl.pyRs  cCs(|j|jsdS|jjSdS(N(RRRgt compression(R((s/usr/lib/python2.7/ssl.pyRs  cCs|j|jr|dkr5td|jny|jj|}WnDtk r}|jdtkrtdS|jdtkrdSqX|Sn|j j ||SdS(Nis3non-zero flags not allowed in calls to send() on %s( RRRWRRRRtSSL_ERROR_WANT_READtSSL_ERROR_WANT_WRITERtsend(RRRRR((s/usr/lib/python2.7/ssl.pyRs    cCsb|j|jr)td|jn5|dkrH|jj||S|jj|||SdS(Ns%sendto not allowed on instances of %s(RRRWRRgRtsendto(RRt flags_or_addrtaddr((s/usr/lib/python2.7/ssl.pyRs   cCs|j|jr{|dkr5td|jnt|}d}x-||krv|j||}||7}qJW|Stj|||SdS(Nis6non-zero flags not allowed in calls to sendall() on %s(RRRWRRYRR*tsendall(RRRtamountR=R((s/usr/lib/python2.7/ssl.pyRs    cCsY|j|jrB|dkr5td|jn|j|S|jj||SdS(Nis3non-zero flags not allowed in calls to recv() on %s(RRRWRRRtrecv(RtbuflenR((s/usr/lib/python2.7/ssl.pyRs    cCs|j|r+|dkr+t|}n|dkr@d}n|jr{|dkrktd|jn|j||S|jj|||SdS(Niis8non-zero flags not allowed in calls to recv_into() on %s( RRgRYRRWRRRt recv_into(RRtnbytesR((s/usr/lib/python2.7/ssl.pyR s     cCs@|j|jr)td|jn|jj||SdS(Ns'recvfrom not allowed on instances of %s(RRRWRRtrecvfrom(RRR((s/usr/lib/python2.7/ssl.pyR s   cCsC|j|jr)td|jn|jj|||SdS(Ns,recvfrom_into not allowed on instances of %s(RRRWRRt recvfrom_into(RRR R((s/usr/lib/python2.7/ssl.pyR s   cCs(|j|jr |jjSdSdS(Ni(RRtpending(R((s/usr/lib/python2.7/ssl.pyR "s   cCs'|jd|_tj||dS(N(RRgRR*tshutdown(Rthow((s/usr/lib/python2.7/ssl.pyR)s  cCs;|jdkr(d|_tj|n|jd8_dS(Ni(RRgRR*R(R((s/usr/lib/python2.7/ssl.pyR.s cCs?|jr%|jj}d|_|Stdt|dS(NsNo SSL wrapper around (RRRgRWtstr(Rts((s/usr/lib/python2.7/ssl.pytunwrap5s   cCsd|_tj|dS(N(RgRR*t _real_close(R((s/usr/lib/python2.7/ssl.pyR=s cCs|j|j}z3|dkr;|r;|jdn|jjWd|j|X|jjr|js~t dnt |j |jndS(sPerform a TLS/SSL handshake.gNs-check_hostname needs server_hostname argument( RRt settimeoutRgRRRRRRWR`R(RtblockR((s/usr/lib/python2.7/ssl.pyRAs    cCs|jrtdn|jr0tdn|jj|jt|jd||_ya|rut j ||}nd}t j |||st |_|jr|jqn|SWn#ttfk rd|_nXdS(Ns!can't connect in server-side modes/attempt to connect already-connected SSLSocket!R(RRWRRRRR;RRR*t connect_exRgtconnectRuRRR(RRRtrc((s/usr/lib/python2.7/ssl.pyt _real_connectRs$  '   cCs|j|tdS(sQConnects to remote ADDR, and then wraps the connection in an SSL channel.N(RR;(RR((s/usr/lib/python2.7/ssl.pyRiscCs|j|tS(sQConnects to remote ADDR, and then wraps the connection in an SSL channel.(RRu(RR((s/usr/lib/python2.7/ssl.pyRnscCsItj|\}}|jj|d|jd|jdt}||fS(sAccepts a new connection from a remote client, and returns a tuple containing that new connection wrapped with a server-side SSL channel, and the address of the remote client.RRR(R*tacceptRRRRRu(RtnewsockR((s/usr/lib/python2.7/ssl.pyRss    tricCs%|jd7_t|||dtS(sMake and return a file-like object that works with the SSL connection. Just use the code from the socket module.iR(RR+Ru(Rtmodetbufsize((s/usr/lib/python2.7/ssl.pytmakefiless tls-uniquecCs_|tkrtdn|dkr?tdj|n|jdkrRdS|jjS(sGet channel binding data for current connection. Raise ValueError if the requested `cb_type` is not supported. Return bytes of the data or None if the data is not available (e.g. before the handshake). s Unsupported channel binding types tls-uniques({0} channel binding type not implementedN(tCHANNEL_BINDING_TYPESRWRtformatRRgt tls_unique_cb(Rtcb_type((s/usr/lib/python2.7/ssl.pytget_channel_bindings  cCs |jdkrdS|jjS(s Return a string identifying the protocol version used by the current SSL channel, or None if there is no established channel. N(RRgtversion(R((s/usr/lib/python2.7/ssl.pyR%sN(,R7R8RwRgR;R RRuR1R2RtpropertyRtsetterRRRRRRRRRRRRRRR R R R RRRRRRRRRRR$R%(((s/usr/lib/python2.7/ssl.pyR sR    Q                     c CsCtd|d|d|d|d|d|d|d|d |d | S( NRRRRRRRRRR(R( RRRRRRRRRR((s/usr/lib/python2.7/ssl.pyRs   c Csddlm}ddlm}d}d}y!|j|d jd}Wn'tk rvtd||fn3X||d|}||d|f|dd!SdS(sReturn the time in seconds since the Epoch, given the timestring representing the "notBefore" or "notAfter" date from a certificate in ``"%b %d %H:%M:%S %Y %Z"`` strptime format (C locale). "notBefore" or "notAfter" dates must use UTC (RFC 5280). Month is one of: Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec UTC should be specified as GMT (see ASN1_TIME_print()) i(tstrptime(ttimegmtJantFebtMartAprtMaytJuntJultAugtSeptOcttNovtDecs %d %H:%M:%S %Y GMTiis*time data %r does not match format "%%b%s"iiiN( R*R+R,R-R.R/R0R1R2R3R4R5(ttimeR(tcalendarR)tindexttitleRW(t cert_timeR(R)tmonthst time_formatt month_numberttt((s/usr/lib/python2.7/ssl.pytcert_time_to_secondss ! s-----BEGIN CERTIFICATE-----s-----END CERTIFICATE-----cCs<tj|jd}tdtj|ddtdS(s[Takes a certificate in binary DER format and returns the PEM version of it as a string.Rs i@(tbase64tstandard_b64encodetdecodet PEM_HEADERttextwraptfillt PEM_FOOTER(tder_cert_bytestf((s/usr/lib/python2.7/ssl.pytDER_cert_to_PEM_certscCs|jts"tdtn|jjtsJtdtn|jtttt !}tj|j ddS(shTakes a certificate in ASCII PEM format and returns the DER-encoded version of it as a byte sequences(Invalid PEM encoding; must start with %ss&Invalid PEM encoding; must end with %stASCIItstrict( RRCRWtstriptendswithRFRYR@t decodestringR(tpem_cert_stringtd((s/usr/lib/python2.7/ssl.pytPEM_cert_to_DER_certs   c Cs|\}}|dk r!t}nt}t|d|d|}tt|4}t|j|}|jt} WdQXWdQXt | S(sRetrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it. If 'ssl_version' is specified, use it in the connection attempt.RRjN( RgRR t_create_stdlib_contextRR3RRRuRI( RRRthosttportRRRtsslsocktdercert((s/usr/lib/python2.7/ssl.pytget_server_certificates     cCstj|dS(Ns (t_PROTOCOL_NAMESRX(t protocol_code((s/usr/lib/python2.7/ssl.pytget_protocol_namescCst|dr|j}ntt}|s3|rF|j||n|j|dt}y|jWntk r|n X|j |S(sA replacement for the old socket.ssl function. Designed for compability with Python 2.5 and earlier. Will disappear in Python 3.0.RR( thasattrRR{R&RRR;RRR(RRRRR((s/usr/lib/python2.7/ssl.pytsslwrap_simples     (`RwRDRARRct collectionsRt contextlibRRRRRRRRRR R R R R RRRoRRrRRRt ImportErrorRR!R"R#R$R%RtitemsRXRR&tPROTOCOL_SSLv2Rt NameErrorRgR*R+R,R-RRR/R0R1R2R3R4R5R@RRtHAS_TLS_UNIQUER RRRWR6RRR`RaRbRlRzRRR{RR;RRRRRRRuRRRR?RCRFRIRQRWRZR\(((s/usr/lib/python2.7/ssl.pytYs     .       "   ""      3 +  G / '