
TLS with Python Clients

Configuring Python Clients to Use TLS with InterSystems IRIS

You can configure a Python client application to use TLS when it communicates with InterSystems IRIS® data platform. To establish a Python connection using TLS:

  1. Configure the superserver to use TLS as described in Configuring the InterSystems IRIS Superserver to Use TLS.

  2. Ensure that you have installed any relevant CA certificates for verifying the server certificate.

  3. Configure the Python client based on your version. Note that version 4 uses the SSLDefs.ini file for the SSL configuration. For more information on how to configure this file, see Connecting from a Windows Client Using a Settings File.

    import ssl
    import iris

    # Build the TLS context and require a server certificate that verifies against the CA file.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
    context.verify_mode = ssl.CERT_REQUIRED
    cafile = "path/to/CACert.pem"
    context.load_verify_locations(cafile)
    # Client certificate, private key, and the key's password (if any).
    context.load_cert_chain("path/to/Cert.pem", "path/to/Key.pem", "apasswordifany")

    connection = iris.createConnection("127.0.0.1", 1972, "user", "_SYSTEM", "SYS", 10000, sslcontext=context)
    ...
    connection.close()

For version 4, which reads its TLS settings from SSLDefs.ini:

    import iris

    # On Windows, the lookup is based on the address-port pair in SSLDefs.ini, so GDConfig is used.
    connection = iris.createConnection("127.0.0.1", 1972, "user", "_SYSTEM", "SYS", 10000, sslconfig=True)

    # On Unix, the lookup is based on a provided configuration name instead of the address-port pair, so GDConfig2 is used.
    # connection = iris.createConnection("127.0.0.1", 1972, "user", "_SYSTEM", "SYS", 10000, sslconfig="GDConfig2")
    ...
    connection.close()
    

Below is an example of the SSLDefs.ini file for a Python client configuration as used in the V4 code above:

    [IRIS]
    Address=127.0.0.1
    Port=1972
    SSLConfig=GDConfig

    [GDConfig]
    TLSMinVersion=16
    TLSMaxVersion=32
    KeyType=2
    VerifyPeer=0
    CipherList=ALL:!aNULL:!eNULL:!EXP:!SSLv2
    Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    Password=apasswordifany
    CertFile=path/to/Cert.pem
    KeyFile=path/to/Key.pem
    CAfile=path/to/CACert.pem

    [GDConfig2]
    TLSMinVersion=16
    TLSMaxVersion=32
    KeyType=2
    VerifyPeer=0
    CipherList=ALL:!aNULL:!eNULL:!EXP:!SSLv2
    Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    Password=apasswordifany
    CertFile=path/to/AnotherCert.pem
    KeyFile=path/to/AnotherKey.pem
    CAfile=path/to/AnotherCACert.pem

Note:

As of this writing, you cannot change the Python TLSv1.3 ciphers. For TLSv1.3, only Ciphersuites is used and its value must be exactly this list (order may vary):

TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

For versions earlier than TLSv1.3, only CipherList is used.
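
The following is an added example, not InterSystems code: a pre-deployment check for an SSLDefs.ini-style file that resolves the TLS section either by configuration name or by address-port pair, then applies the Ciphersuites rule from the note above. The function names and the `[Trimmed]` section are hypothetical, and treating `VerifyPeer=0` as "server certificate not verified" is an assumption to confirm against the settings-file reference.

```python
import configparser

# From the page's note: for TLSv1.3 the Ciphersuites value must be exactly this set.
REQUIRED_TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                  "TLS_CHACHA20_POLY1305_SHA256"}

# Constructed sample: [IRIS] and [GDConfig] follow the page; [Trimmed] is hypothetical.
SAMPLE_INI = """\
[IRIS]
Address=127.0.0.1
Port=1972
SSLConfig=GDConfig

[GDConfig]
VerifyPeer=0
Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
CAfile=path/to/CACert.pem

[Trimmed]
Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.optionxform = str                                # keep key case as written
    cp.read_string(text)
    return cp

def resolve(cp, address=None, port=None, name=None):
    """Pick the TLS section by name, or via the address-port pair that points to it."""
    if name is None:
        for sec in cp.sections():
            s = cp[sec]
            if s.get("Address") == address and s.get("Port") == str(port):
                name = s.get("SSLConfig")
                break
    return name if name and cp.has_section(name) else None

def audit(cp, section):
    """Return a list of findings for one TLS configuration section."""
    s, findings = cp[section], []
    if s.get("VerifyPeer", "").strip() == "0":  # assumption: 0 = peer not verified
        findings.append("VerifyPeer=0")
    if not s.get("CAfile", "").strip():
        findings.append("no CAfile")
    suites = {c for c in s.get("Ciphersuites", "").split(":") if c}
    if suites != REQUIRED_TLS13:
        findings.append("Ciphersuites differ from required TLSv1.3 set")
    return findings
```

Run against the page's sample values, `GDConfig` is reported only for `VerifyPeer=0`, which contrasts with the `ssl.CERT_REQUIRED` setting in the `sslcontext` example.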
