TLS with Python Clients
Configuring Python Clients to Use TLS with InterSystems IRIS
You can configure a Python client application to use TLS when it communicates with InterSystems IRIS® data platform. To establish a Python connection using TLS:
- Configure the superserver to use TLS as described in Configuring the InterSystems IRIS Superserver to Use TLS.
- Ensure that you have installed any relevant CA certificates for verifying the server certificate.
- Configure the Python client based on your version. Note that version 4 uses the SSLDefs.ini file for the SSL configuration. For more information on how to configure this file, see Connecting from a Windows Client Using a Settings File.
Using an ssl.SSLContext passed in the sslcontext argument:
import ssl
import iris
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
# Require a server certificate and verify it against the CA file below.
# Note: a context created with ssl.PROTOCOL_TLS does not check the host name by default.
context.verify_mode = ssl.CERT_REQUIRED
cafile = "path/to/CACert.pem"
context.load_verify_locations(cafile)
# Client certificate, private key, and the key's password (if any).
context.load_cert_chain("path/to/Cert.pem", "path/to/Key.pem", "apasswordifany")
connection = iris.createConnection("127.0.0.1", 1972, "user", "_SYSTEM", "SYS", 10000, sslcontext=context)
...
connection.close()

Version 4, using SSLDefs.ini through the sslconfig argument:
import iris
# On Windows, lookup is based on the address-port pair in SSLDefs.ini. -- GDConfig will be used
connection = iris.createConnection("127.0.0.1", 1972, "user", "_SYSTEM", "SYS", 10000, sslconfig=True)
# On Unix, lookup is based on a provided configuration name instead of the address-port pair. -- GDConfig2 will be used
# connection = iris.createConnection("127.0.0.1", 1972, "user", "_SYSTEM", "SYS", 10000, sslconfig="GDConfig2")
...
connection.close()
Below is an example of the SSLDefs.ini file for a Python client configuration as used in the V4 code above:
[IRIS]
Address=127.0.0.1
Port=1972
SSLConfig=GDConfig
[GDConfig]
TLSMinVersion=16
TLSMaxVersion=32
KeyType=2
VerifyPeer=0
CipherList=ALL:!aNULL:!eNULL:!EXP:!SSLv2
Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Password=apasswordifany
CertFile=path/to/Cert.pem
KeyFile=path/to/Key.pem
CAfile=path/to/CACert.pem
[GDConfig2]
TLSMinVersion=16
TLSMaxVersion=32
KeyType=2
VerifyPeer=0
CipherList=ALL:!aNULL:!eNULL:!EXP:!SSLv2
Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Password=apasswordifany
CertFile=path/to/AnotherCert.pem
KeyFile=path/to/AnotherKey.pem
CAfile=path/to/AnotherCACert.pem
As of this writing, you cannot change the Python TLSv1.3 ciphers. For TLSv1.3, only Ciphersuites is used and its value must be exactly this list (order may vary):
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
For versions earlier than TLSv1.3, only CipherList is used.
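The Ciphersuites rule above can be checked before deployment. The following is an added example, not InterSystems code: it picks the SSLDefs.ini section by address-port pair or by name, as the version 4 comments describe, and compares Ciphersuites to the required list regardless of order. The function names and the sample file are constructed for illustration, and the lookup is modeled on this page's description rather than on the driver's own parser.

```python
import configparser

# The set the page says Ciphersuites must equal for TLSv1.3 (order may vary).
REQUIRED_TLS13 = frozenset((
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256"))

# Constructed sample in the layout shown above; GDConfig2 is deliberately
# missing one suite so the check has something to report.
SAMPLE = """\
[IRIS]
Address=127.0.0.1
Port=1972
SSLConfig=GDConfig
[GDConfig]
Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
[GDConfig2]
Ciphersuites=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)  # values are literal
    cp.read_string(text)
    return cp

def resolve(cp, address, port):
    """Windows-style lookup: map an address-port pair to a section name."""
    for name in cp.sections():
        sec = cp[name]
        if sec.get("Address") == address and sec.get("Port") == str(port):
            return sec.get("SSLConfig")
    return None

def audit(text, address, port, name=None):
    """Findings for the section chosen by name (Unix) or address-port."""
    cp = load(text)
    name = name or resolve(cp, address, port)
    if name is None or not cp.has_section(name):
        return [f"no TLS section named {name!r}"]
    raw = cp[name].get("Ciphersuites", "")
    suites = {s.strip() for s in raw.split(":") if s.strip()}
    if suites == REQUIRED_TLS13:
        return []
    return [f"[{name}] Ciphersuites missing={sorted(REQUIRED_TLS13 - suites)} "
            f"extra={sorted(suites - REQUIRED_TLS13)}"]

if __name__ == "__main__":
    print(audit(SAMPLE, "127.0.0.1", 1972))               # Windows-style
    print(audit(SAMPLE, "127.0.0.1", 1972, "GDConfig2"))  # Unix-style
```

An empty list means the selected section carries exactly the three required suites; an unresolved address-port pair or a missing section is reported instead of being skipped.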