How to change a TLS context option

Question

In python, we can specify some TLS context options. For example, this code from the documentation here:

client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
client_context.options |= ssl.OP_NO_TLSv1
client_context.options |= ssl.OP_NO_TLSv1_1

I do not get this symbol |=. I read what it means but don't get why we use it here. Why don't we use =? Should I use |= to set any option? Strangely, I find some examples in the documentation also use &=:

ctx = ssl.create_default_context(Purpose.CLIENT_AUTH)
ctx.options &= ~ssl.OP_NO_SSLv3

I need to specify another option. I just need to disable the session ticket, which is from this option:

ssl.OP_NO_TICKET

If I have context ctx, how to set ssl.OP_NO_TICKET? Should I use = or |= or &=? Please explain.

Recommended answer

Each option is, in fact, a flag among many possible ones, so you need to compose them using bitwise AND (&) and bitwise OR (|) operations. It is done like that because these options are not mutually exclusive: you need to compose a final value by picking various options that you combine together. So each one has a value that is a power of 2, which means it is a single bit set to 1 at some specific position, and the final value then encodes whether each separate flag is on or off.

So you need bitwise operators to manage them and construct the final value you want.

See:

In [8]: print ssl.OP_NO_TLSv1, bin(ssl.OP_NO_TLSv1)
67108864 0b100000000000000000000000000

In [9]: print ssl.OP_NO_TLSv1_1, bin(ssl.OP_NO_TLSv1_1)
268435456 0b10000000000000000000000000000

In [13]: print ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1, bin(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
335544320 0b10100000000000000000000000000

In [14]: print ssl.OP_NO_TLSv1 & ssl.OP_NO_TLSv1_1, bin(ssl.OP_NO_TLSv1 & ssl.OP_NO_TLSv1_1)
0 0b0

You see that if you want both of these options, you need to flip both bits to 1, and hence need an OR (|). Otherwise, with an AND (&), since each value has only one bit set to 1, at a different position each time, you are guaranteed to always get 0 as a result, which means no feature at all, so certainly not what you need.

In short, in cases like that, to compose values, you will never use AND (&).

Now, about &= ~: ~ is the bitwise negation, so it is useful to remove some options while keeping other options that are already set.

ctx.options &= ~ssl.OP_NO_SSLv3

This construct makes you flip to 0 the bit related to ssl.OP_NO_SSLv3 in the final value.

See:

In [34]: ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

In [37]: print ctx.options, bin(ctx.options)
2197816319 0b10000011000000000000001111111111

In [38]: print bin(ssl.OP_NO_SSLv3)
0b10000000000000000000000000

In [40]: print ctx.options & ~ssl.OP_NO_SSLv3
2164261887

In [41]: print ctx.options & ~ssl.OP_NO_SSLv3, bin(ctx.options & ~ssl.OP_NO_SSLv3)
2164261887 0b10000001000000000000001111111111

If you compare ctx.options and ctx.options & ~ssl.OP_NO_SSLv3 you will see that one bit has flipped from 1 to 0, because you in fact removed feature OP_NO_SSLv3.

If I have context ctx, how to set ssl.OP_NO_TICKET? Should I use = or |= or &=? please explain.

This is an option you want to add to all other ones you already have, so you do not want to lose them. Hence you need a bitwise OR (|).

  • if you do just = you set this option but lose all current other ones that have been set, so not what you need.
  • if you do |= you flip to 1 the bit related to the option you want, and you do not touch the other bits; this is what you want!
  • if you do &= you flip to 1 only those bits being both in your new value and the existing one, which means the result here can only be 0 if the value was not set already or the same exact value if it has been set:

(my example is done with another value than OP_NO_TICKET because I do not have it there, but the behaviour will be the same with any one, as each OP_ value is 2^n, that is, one bit set to 1 and all others to 0)

In [16]: ctx = ssl.OP_NO_TLSv1

In [17]: print ctx, bin(ctx)
67108864 0b100000000000000000000000000

In [19]: ctx = ssl.OP_NO_TLSv1_1

In [20]: print ctx, bin(ctx)
268435456 0b10000000000000000000000000000

In [21]: ctx = ssl.OP_NO_TLSv1

In [22]: ctx |= ssl.OP_NO_TLSv1_1

In [23]: print ctx, bin(ctx)
335544320 0b10100000000000000000000000000

In [24]: ctx = ssl.OP_NO_TLSv1

In [25]: ctx &= ssl.OP_NO_TLSv1_1

In [26]: print ctx, bin(ctx)
0 0b0

Note how both bits are flipped to 1 in the case of |.
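The answer's rule applied to a real context and to ssl.OP_NO_TICKET itself, as an added example that is not part of the original post: it sets the flag with |= and then compares, on plain integers only, what each assignment form would leave and which existing flags it would drop. The helper names (flag_names, compare_operators, flags_lost, disable_session_tickets) are hypothetical.

```python
import ssl


def flag_names(value):
    """Names of the ssl.OP_* flags whose bits are all present in `value`."""
    value = int(value)
    return sorted(
        name for name, opt in ssl.Options.__members__.items()
        if opt.value and (value & opt.value) == opt.value
    )


def compare_operators(current, flag):
    """Integer result of each assignment form, computed without touching a context."""
    current, flag = int(current), int(flag)
    return {
        "=": flag,                # keeps only the new flag
        "|=": current | flag,     # adds the flag, keeps the rest
        "&=": current & flag,     # the flag if already set, otherwise 0
        "&= ~": current & ~flag,  # clears the flag, keeps the rest
    }


def flags_lost(current, result):
    """Flags set in `current` that are no longer set in `result`."""
    return flag_names(int(current) & ~int(result))


def disable_session_tickets(ctx):
    """Apply OP_NO_TICKET with |= and return the options before and after."""
    before = int(ctx.options)
    ctx.options |= ssl.OP_NO_TICKET
    return before, int(ctx.options)


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before, after = disable_session_tickets(ctx)
    print("before:", flag_names(before))
    print("after: ", flag_names(after))
    # Hypothetical outcomes only: nothing below modifies ctx.
    for op, result in compare_operators(before, ssl.OP_NO_TICKET).items():
        print(f"{op:5} -> {bin(result)}  lost: {flags_lost(before, result)}")
```

The "lost" column for = lists the defaults, such as protocol and compression restrictions, that a plain assignment would clear from the context.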
