ssl.po

# Copyright (C) 2001 Python Software Foundation
# This file is distributed under the same license as the Python package.
#
# Translators:
msgid ""
msgstr ""
"Project-Id-Version: Python 3.14\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-11-10 16:45+0000\n"
"PO-Revision-Date: 2024-08-28 00:43+0800\n"
"Last-Translator: Adrian Liaw <adrianliaw2000@gmail.com>\n"
"Language-Team: Chinese - TAIWAN (https://github.com/python/python-docs-zh-"
"tw)\n"
"Language: zh_TW\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Generator: Poedit 3.4.4\n"

#: ../../library/ssl.rst:2
msgid ":mod:`!ssl` --- TLS/SSL wrapper for socket objects"
msgstr ":mod:`!ssl` --- socket 物件的 TLS/SSL 包裝器"

#: ../../library/ssl.rst:10
msgid "**Source code:** :source:`Lib/ssl.py`"
msgstr "**原始碼：**\\ :source:`Lib/ssl.py`"

#: ../../library/ssl.rst:18
msgid ""
"This module provides access to Transport Layer Security (often known as "
"\"Secure Sockets Layer\") encryption and peer authentication facilities for "
"network sockets, both client-side and server-side.  This module uses the "
"OpenSSL library."
msgstr ""
"這個模組向用戶端及伺服器端提供了對於網路 socket 的傳輸層安全性協定（或稱為"
"「安全通訊協定 (Secure Sockets Layer)」）加密及身分驗證功能。這個模組使用 "
"OpenSSL 套件。"

#: ../../includes/optional-module.rst:1
msgid ""
"This is an :term:`optional module`. If it is missing from your copy of "
"CPython, look for documentation from your distributor (that is, whoever "
"provided Python to you). If you are the distributor, see :ref:`optional-"
"module-requirements`."
msgstr ""

#: ../../library/ssl.rst:27
msgid ""
"Some behavior may be platform dependent, since calls are made to the "
"operating system socket APIs.  The installed version of OpenSSL may also "
"cause variations in behavior. For example, TLSv1.3 comes with OpenSSL "
"version 1.1.1."
msgstr ""
"由於呼叫了作業系統的 socket APIs，有些行為會根據平台而有所不同。OpenSSL 的安"
"裝版本也會對模組的運作產生影響。例如，OpenSSL 版本 1.1.1 附帶 TLSv1.3。"

#: ../../library/ssl.rst:33
msgid ""
"Don't use this module without reading the :ref:`ssl-security`.  Doing so may "
"lead to a false sense of security, as the default settings of the ssl module "
"are not necessarily appropriate for your application."
msgstr ""
"在使用此模組之前，請閱讀 :ref:`ssl-security`。如果不這樣做，可能會產生錯誤的"
"安全性認知，因為 ssl 模組的預設設定未必適合你的應用程式。"

#: ../../library/ssl.rst:456 ../../library/ssl.rst:471
#: ../../includes/wasm-notavail.rst:3
msgid "Availability"
msgstr "可用性"

#: ../../includes/wasm-notavail.rst:5
msgid ""
"This module does not work or is not available on WebAssembly. See :ref:`wasm-"
"availability` for more information."
msgstr ""
"此模組在 WebAssembly 平台上不起作用或無法使用。更多資訊請參閱 :ref:`wasm-"
"availability`。"

#: ../../library/ssl.rst:39
msgid ""
"This section documents the objects and functions in the ``ssl`` module; for "
"more general information about TLS, SSL, and certificates, the reader is "
"referred to the documents in the \"See Also\" section at the bottom."
msgstr ""
"這個章節記錄了 ``ssl`` 模組的物件及函式；關於 TSL、SSL、以及憑證的更多資訊，"
"可以去參考此章節底部的「詳情」部分。"

#: ../../library/ssl.rst:43
msgid ""
"This module provides a class, :class:`ssl.SSLSocket`, which is derived from "
"the :class:`socket.socket` type, and provides a socket-like wrapper that "
"also encrypts and decrypts the data going over the socket with SSL.  It "
"supports additional methods such as :meth:`getpeercert`, which retrieves the "
"certificate of the other side of the connection, :meth:`cipher`, which "
"retrieves the cipher being used for the secure connection or :meth:"
"`get_verified_chain`, :meth:`get_unverified_chain` which retrieves "
"certificate chain."
msgstr ""
"此模組提供了一個 :class:`ssl.SSLSocket` 類別，它是從 :class:`socket.socket` "
"衍生出來的，並且提供類似 socket 的包裝器，讓使用 SSL 進行資料傳輸時，可以進行"
"資料的加密及解密。它也提供了一些額外的方法，如 :meth:`getpeercert`，用於取得"
"連結另一端的憑證；以及 :meth:`cipher`，用於搜尋用於安全連接的加密方法 "
"(cipher)；和 :meth:`get_verified_chain`、:meth:`get_unverified_chain` 能用於"
"取得憑證鏈。"

#: ../../library/ssl.rst:52
msgid ""
"For more sophisticated applications, the :class:`ssl.SSLContext` class helps "
"manage settings and certificates, which can then be inherited by SSL sockets "
"created through the :meth:`SSLContext.wrap_socket` method."
msgstr ""
"對於更複雜的應用程式，:class:`ssl.SSLContext` 類別有助於管理設定及認證，然後"
"可以透過 :meth:`SSLContext.wrap_socket` 方法建立的 SSL socket 繼承這些設定和"
"認證。"

#: ../../library/ssl.rst:56
msgid "Updated to support linking with OpenSSL 1.1.0"
msgstr "更新以支援與 OpenSSL 1.1.0 進行連結"

#: ../../library/ssl.rst:61
msgid ""
"OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and no longer supported. In "
"the future the ssl module will require at least OpenSSL 1.0.2 or 1.1.0."
msgstr ""
"OpenSSL 0.9.8, 1.0.0 及 1.0.1 版本已被棄用且不再支援。在未來 ssl 模組將需要至"
"少 OpenSSL 1.0.2 版本或 1.1.0 版本。"

#: ../../library/ssl.rst:67
msgid ""
":pep:`644` has been implemented. The ssl module requires OpenSSL 1.1.1 or "
"newer."
msgstr ":pep:`644` 已經被實作。ssl 模組需要 OpenSSL 1.1.1 以上的版本才能使用。"

#: ../../library/ssl.rst:70
msgid ""
"Use of deprecated constants and functions result in deprecation warnings."
msgstr "使用已經被棄用的常數或函式將會導致棄用警示。"

#: ../../library/ssl.rst:74
msgid "Functions, Constants, and Exceptions"
msgstr "函式、常數與例外"

#: ../../library/ssl.rst:78
msgid "Socket creation"
msgstr "Socket 建立"

#: ../../library/ssl.rst:80
msgid ""
"Instances of :class:`SSLSocket` must be created using the :meth:`SSLContext."
"wrap_socket` method. The helper function :func:`create_default_context` "
"returns a new context with secure default settings."
msgstr ""
":class:`SSLSocket` 實例必須使用 :meth:`SSLContext.wrap_socket` 方法來建立。輔"
"助函式 :func:`create_default_context` 會回傳有安全預設設定的新語境 "
"(context)。"

#: ../../library/ssl.rst:85
msgid "Client socket example with default context and IPv4/IPv6 dual stack::"
msgstr "使用預設語境及 IPv4/IPv6 雙協定堆疊的用戶端 socket 範例： ::"

#: ../../library/ssl.rst:87
msgid ""
"import socket\n"
"import ssl\n"
"\n"
"hostname = 'www.python.org'\n"
"context = ssl.create_default_context()\n"
"\n"
"with socket.create_connection((hostname, 443)) as sock:\n"
"    with context.wrap_socket(sock, server_hostname=hostname) as ssock:\n"
"        print(ssock.version())"
msgstr ""
"import socket\n"
"import ssl\n"
"\n"
"hostname = 'www.python.org'\n"
"context = ssl.create_default_context()\n"
"\n"
"with socket.create_connection((hostname, 443)) as sock:\n"
"    with context.wrap_socket(sock, server_hostname=hostname) as ssock:\n"
"        print(ssock.version())"

#: ../../library/ssl.rst:98
msgid "Client socket example with custom context and IPv4::"
msgstr "使用自訂語境及 IPv4 的用戶端 socket範例： ::"

#: ../../library/ssl.rst:100
msgid ""
"hostname = 'www.python.org'\n"
"# PROTOCOL_TLS_CLIENT requires valid cert chain and hostname\n"
"context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
"context.load_verify_locations('path/to/cabundle.pem')\n"
"\n"
"with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:\n"
"    with context.wrap_socket(sock, server_hostname=hostname) as ssock:\n"
"        print(ssock.version())"
msgstr ""

#: ../../library/ssl.rst:110
msgid "Server socket example listening on localhost IPv4::"
msgstr "在本地 IPv4 上監聽伺服器 socket 的範例： ::"

#: ../../library/ssl.rst:112
msgid ""
"context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)\n"
"context.load_cert_chain('/path/to/certchain.pem', '/path/to/private.key')\n"
"\n"
"with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:\n"
"    sock.bind(('127.0.0.1', 8443))\n"
"    sock.listen(5)\n"
"    with context.wrap_socket(sock, server_side=True) as ssock:\n"
"        conn, addr = ssock.accept()\n"
"        ..."
msgstr ""
"context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)\n"
"context.load_cert_chain('/path/to/certchain.pem', '/path/to/private.key')\n"
"\n"
"with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:\n"
"    sock.bind(('127.0.0.1', 8443))\n"
"    sock.listen(5)\n"
"    with context.wrap_socket(sock, server_side=True) as ssock:\n"
"        conn, addr = ssock.accept()\n"
"        ..."

#: ../../library/ssl.rst:124
msgid "Context creation"
msgstr "語境建立"

#: ../../library/ssl.rst:126
msgid ""
"A convenience function helps create :class:`SSLContext` objects for common "
"purposes."
msgstr "一個可以幫忙建立出 :class:`SSLContext` 物件以用於一般目的的方便函式。"

#: ../../library/ssl.rst:132
msgid ""
"Return a new :class:`SSLContext` object with default settings for the given "
"*purpose*.  The settings are chosen by the :mod:`ssl` module, and usually "
"represent a higher security level than when calling the :class:`SSLContext` "
"constructor directly."
msgstr ""
"回傳一個新的 :class:`SSLContext` 物件，使用給定 *purpose* 的預設值。這些設定"
"是由 :mod:`ssl` 選擇，通常比直接呼叫 :class:`SSLContext` 有更高的安全性。"

#: ../../library/ssl.rst:137
msgid ""
"*cafile*, *capath*, *cadata* represent optional CA certificates to trust for "
"certificate verification, as in :meth:`SSLContext.load_verify_locations`.  "
"If all three are :const:`None`, this function can choose to trust the "
"system's default CA certificates instead."
msgstr ""
"*cafile*, *capath*, *cadata* 是用來選擇用於憑證認證的 CA 憑證，就像 :meth:"
"`SSLContext.load_verify_locations` 一樣。如果三個值都是 :const:`None`，此函式"
"會自動選擇系統預設的 CA 憑證。"

# Skylull: `high encryption cipher` 可能是指 https://superuser.com/questions/1751902/how-to-check-which-ciphers-are-included-in-high-ciphers-constant
# 其文中表示可能是指 128bit 以上 key length 的加密算法，需要其他來源佐證。
# 或是 https://help.fortinet.com/fweb/582/Content/FortiWeb/fortiweb-admin/supported_cipher_suites.htm#ssl_414712646_1189301
#: ../../library/ssl.rst:143
msgid ""
"The settings are: :data:`PROTOCOL_TLS_CLIENT` or :data:"
"`PROTOCOL_TLS_SERVER`, :data:`OP_NO_SSLv2`, and :data:`OP_NO_SSLv3` with "
"high encryption cipher suites without RC4 and without unauthenticated cipher "
"suites. Passing :const:`~Purpose.SERVER_AUTH` as *purpose* sets :data:"
"`~SSLContext.verify_mode` to :data:`CERT_REQUIRED` and either loads CA "
"certificates (when at least one of *cafile*, *capath* or *cadata* is given) "
"or uses :meth:`SSLContext.load_default_certs` to load default CA "
"certificates."
msgstr ""
"這些設定包含：:data:`PROTOCOL_TLS_CLIENT` 或 :data:`PROTOCOL_TLS_SERVER`、:"
"data:`OP_NO_SSLv2`、以及 :data:`OP_NO_SSLv3`，使用高等加密套件但不包含 RC4 和"
"未經身份驗證的加密套件。如果將 *purpose* 設定為 :const:`~Purpose."
"SERVER_AUTH`，則會把 :data:`~SSLContext.verify_mode` 設為 :data:"
"`CERT_REQUIRED` 並使用設定的 CA 憑證(當 *cafile*、*capath* 或 *cadata* 其中一"
"個值有被設定時) 或使用預設的 CA 憑證  :meth:`SSLContext."
"load_default_certs` 。"

#: ../../library/ssl.rst:152
msgid ""
"When :attr:`~SSLContext.keylog_filename` is supported and the environment "
"variable :envvar:`SSLKEYLOGFILE` is set, :func:`create_default_context` "
"enables key logging."
msgstr ""
"當系統有支援 :attr:`~SSLContext.keylog_filename` 並且有設定環境變數 :envvar:"
"`SSLKEYLOGFILE` 時 :func:`create_default_context` 會啟用密鑰日誌記錄 "
"(logging)。"

#: ../../library/ssl.rst:156
msgid ""
"The default settings for this context include :data:"
"`VERIFY_X509_PARTIAL_CHAIN` and :data:`VERIFY_X509_STRICT`. These make the "
"underlying OpenSSL implementation behave more like a conforming "
"implementation of :rfc:`5280`, in exchange for a small amount of "
"incompatibility with older X.509 certificates."
msgstr ""

#: ../../library/ssl.rst:163
msgid ""
"The protocol, options, cipher and other settings may change to more "
"restrictive values anytime without prior deprecation.  The values represent "
"a fair balance between compatibility and security."
msgstr ""
"協定、選項、加密方式和其它設定可以在不捨棄舊值的情況下直接更改成新的值，這些"
"值代表了在相容性和安全性之間取得的合理平衡。"

#: ../../library/ssl.rst:167
msgid ""
"If your application needs specific settings, you should create a :class:"
"`SSLContext` and apply the settings yourself."
msgstr ""
"如果你的應用程式需要特殊的設定，你應該要自行建立一個 :class:`SSLContext` 並自"
"行調整設定。"

#: ../../library/ssl.rst:171
msgid ""
"If you find that when certain older clients or servers attempt to connect "
"with a :class:`SSLContext` created by this function that they get an error "
"stating \"Protocol or cipher suite mismatch\", it may be that they only "
"support SSL3.0 which this function excludes using the :data:`OP_NO_SSLv3`. "
"SSL3.0 is widely considered to be `completely broken <https://en.wikipedia."
"org/wiki/POODLE>`_. If you still wish to continue to use this function but "
"still allow SSL 3.0 connections you can re-enable them using::"
msgstr ""
"如果你發現某些舊的用戶端或伺服器常適用此函式建立的 :class:`SSLContext` 連線"
"時，收到 \"Protocol or cipher suite mismatch\" 錯誤，這可能是因為他們的系統僅"
"支援 SSL3.0，然而 SSL3.0 已被此函式用 :data:`OP_NO_SSLv3` 排除。目前廣泛認為 "
"SSL3.0 已經\\ `被完全破解 <https://en.wikipedia.org/wiki/POODLE>`_。如果你仍"
"然希望在允許 SSL3.0 連線的情況下使用此函式，可以使用下面的方法： ::"

#: ../../library/ssl.rst:180
msgid ""
"ctx = ssl.create_default_context(Purpose.CLIENT_AUTH)\n"
"ctx.options &= ~ssl.OP_NO_SSLv3"
msgstr ""
"ctx = ssl.create_default_context(Purpose.CLIENT_AUTH)\n"
"ctx.options &= ~ssl.OP_NO_SSLv3"

#: ../../library/ssl.rst:184
msgid ""
"This context enables :data:`VERIFY_X509_STRICT` by default, which may reject "
"pre-:rfc:`5280` or malformed certificates that the underlying OpenSSL "
"implementation otherwise would accept. While disabling this is not "
"recommended, you can do so using::"
msgstr ""

#: ../../library/ssl.rst:189
msgid ""
"ctx = ssl.create_default_context()\n"
"ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT"
msgstr ""
"ctx = ssl.create_default_context()\n"
"ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT"

#: ../../library/ssl.rst:196
msgid "RC4 was dropped from the default cipher string."
msgstr "把 RC4 從預設加密方法字串中捨棄。"

#: ../../library/ssl.rst:200
msgid "ChaCha20/Poly1305 was added to the default cipher string."
msgstr "把 ChaCha20/Poly1305 加入預設加密方法字串。"

#: ../../library/ssl.rst:202
msgid "3DES was dropped from the default cipher string."
msgstr "把 3DES 從預設加密方法字串中捨棄。"

#: ../../library/ssl.rst:206
msgid "Support for key logging to :envvar:`SSLKEYLOGFILE` was added."
msgstr "增加了 :envvar:`SSLKEYLOGFILE` 對密鑰日誌記錄 (logging) 的支援。"

#: ../../library/ssl.rst:210
msgid ""
"The context now uses :data:`PROTOCOL_TLS_CLIENT` or :data:"
"`PROTOCOL_TLS_SERVER` protocol instead of generic :data:`PROTOCOL_TLS`."
msgstr ""
"目前語境使用 :data:`PROTOCOL_TLS_CLIENT` 協定或 :data:`PROTOCOL_TLS_SERVER` "
"協定而非通用的 :data:`PROTOCOL_TLS`。"

#: ../../library/ssl.rst:216
msgid ""
"The context now uses :data:`VERIFY_X509_PARTIAL_CHAIN` and :data:"
"`VERIFY_X509_STRICT` in its default verify flags."
msgstr ""

#: ../../library/ssl.rst:221
msgid "Exceptions"
msgstr "例外"

#: ../../library/ssl.rst:225
msgid ""
"Raised to signal an error from the underlying SSL implementation (currently "
"provided by the OpenSSL library).  This signifies some problem in the higher-"
"level encryption and authentication layer that's superimposed on the "
"underlying network connection.  This error is a subtype of :exc:`OSError`.  "
"The error code and message of :exc:`SSLError` instances are provided by the "
"OpenSSL library."
msgstr ""
"引發由底層 SSL 實作（目前由 OpenSSL 函式庫提供）所引發的錯誤訊息。這表示在覆"
"蓋底層網路連線的高階加密和身份驗證層中存在一些問題。這項錯誤是 :exc:"
"`OSError` 的一個子型別。:exc:`SSLError` 實例的錯誤程式代碼和訊息是由 OpenSSL "
"函式庫提供。"

#: ../../library/ssl.rst:232
msgid ":exc:`SSLError` used to be a subtype of :exc:`socket.error`."
msgstr ":exc:`SSLError` 曾經是 :exc:`socket.error` 的一個子型別。"

#: ../../library/ssl.rst:237
msgid ""
"A string mnemonic designating the OpenSSL submodule in which the error "
"occurred, such as ``SSL``, ``PEM`` or ``X509``.  The range of possible "
"values depends on the OpenSSL version."
msgstr ""
"一個字串符號 (string mnemonic)，用來指定發生錯誤的 OpenSSL 子模組，如："
"``SSL``、``PEM`` 或 ``X509``。可能值的範圍取決於 OpenSSL 的版本。"

#: ../../library/ssl.rst:245
msgid ""
"A string mnemonic designating the reason this error occurred, for example "
"``CERTIFICATE_VERIFY_FAILED``.  The range of possible values depends on the "
"OpenSSL version."
msgstr ""
"一個字串符號，用來指定發生錯誤的原因，如：``CERTIFICATE_VERIFY_FAILED``。可能"
"值的範圍取決於 OpenSSL 的版本。"

#: ../../library/ssl.rst:253
msgid ""
"A subclass of :exc:`SSLError` raised when trying to read or write and the "
"SSL connection has been closed cleanly.  Note that this doesn't mean that "
"the underlying transport (read TCP) has been closed."
msgstr ""
"一個 :exc:`SSLError` 的子類別，當嘗試去讀寫已經被完全關閉的 SSL 連線時會被引"
"發。請注意，這並不表示底層傳輸（例如 TCP）已經被關閉。"

#: ../../library/ssl.rst:261
msgid ""
"A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket <ssl-"
"nonblocking>` when trying to read or write data, but more data needs to be "
"received on the underlying TCP transport before the request can be fulfilled."
msgstr ""
"一個 :exc:`SSLError` 的子類別，當嘗試去讀寫資料前，底層 TCP 傳輸需要先接收更"
"多資料時會由\\ :ref:`非阻塞的 SSL socket <ssl-nonblocking>` 引發該錯誤。"

#: ../../library/ssl.rst:270
msgid ""
"A subclass of :exc:`SSLError` raised by a :ref:`non-blocking SSL socket <ssl-"
"nonblocking>` when trying to read or write data, but more data needs to be "
"sent on the underlying TCP transport before the request can be fulfilled."
msgstr ""
"一個 :exc:`SSLError` 的子類別，當嘗試去讀寫資料前，底層 TCP 傳輸需要先發送更"
"多資料時會由\\ :ref:`非阻塞的 SSL socket <ssl-nonblocking>` 引發該錯誤。"

#: ../../library/ssl.rst:279
msgid ""
"A subclass of :exc:`SSLError` raised when a system error was encountered "
"while trying to fulfill an operation on a SSL socket.  Unfortunately, there "
"is no easy way to inspect the original errno number."
msgstr ""
"一個 :exc:`SSLError` 的子類別，當嘗試去操作 SSL socket 時有系統錯誤產生會引發"
"此錯誤。不幸的是，目前沒有任何簡單的方法可以去檢查原本的的 errno 編號。"

#: ../../library/ssl.rst:287
msgid ""
"A subclass of :exc:`SSLError` raised when the SSL connection has been "
"terminated abruptly.  Generally, you shouldn't try to reuse the underlying "
"transport when this error is encountered."
msgstr ""
"一個 :exc:`SSLError` 的子類別，當 SSL 連線被突然終止時會引發此錯誤。通常，當"
"此錯誤發生時，你不該再去重新使用底層傳輸。"

#: ../../library/ssl.rst:295
msgid ""
"A subclass of :exc:`SSLError` raised when certificate validation has failed."
msgstr "當憑證驗證失敗時會引發的一個 :exc:`SSLError` 子類別。"

#: ../../library/ssl.rst:302
msgid "A numeric error number that denotes the verification error."
msgstr "一個表示驗證錯誤的錯誤數值編號。"

#: ../../library/ssl.rst:306
msgid "A human readable string of the verification error."
msgstr "一個人類可讀的驗證錯誤字串。"

#: ../../library/ssl.rst:310
msgid "An alias for :exc:`SSLCertVerificationError`."
msgstr ":exc:`SSLCertVerificationError` 的別名。"

#: ../../library/ssl.rst:312
msgid "The exception is now an alias for :exc:`SSLCertVerificationError`."
msgstr "此例外現在是 :exc:`SSLCertVerificationError` 的別名。"

#: ../../library/ssl.rst:317
msgid "Random generation"
msgstr "隨機產生"

#: ../../library/ssl.rst:321
msgid ""
"Return *num* cryptographically strong pseudo-random bytes. Raises an :class:"
"`SSLError` if the PRNG has not been seeded with enough data or if the "
"operation is not supported by the current RAND method. :func:`RAND_status` "
"can be used to check the status of the PRNG and :func:`RAND_add` can be used "
"to seed the PRNG."
msgstr ""
"回傳 *num* 個加密性強的偽隨機位元組。如果 PRNG 未使用足夠的資料做為隨機種子 "
"(seed) 或是目前的 RAND 方法不支持該操作則會導致 :class:`SSLError` 錯誤。:"
"func:`RAND_status` 函式可以用來檢查 PRNG 函式，而 :func:`RAND_add` 則可以用來"
"為 PRNG 設定隨機種子。"

#: ../../library/ssl.rst:327
msgid "For almost all applications :func:`os.urandom` is preferable."
msgstr "在幾乎所有的應用程式中，:func:`os.urandom` 會是較好的選擇。"

#: ../../library/ssl.rst:329
msgid ""
"Read the Wikipedia article, `Cryptographically secure pseudorandom number "
"generator (CSPRNG) <https://en.wikipedia.org/wiki/"
"Cryptographically_secure_pseudorandom_number_generator>`_, to get the "
"requirements of a cryptographically strong generator."
msgstr ""
"請閱讀維基百科的\\ `密碼學安全偽隨機數產生器 (CSPRNG) <https://en.wikipedia."
"org/wiki/Cryptographically_secure_pseudorandom_number_generator>`_\\ 文章來了"
"解密碼學安全偽隨機數產生器的需求。"

#: ../../library/ssl.rst:338
msgid ""
"Return ``True`` if the SSL pseudo-random number generator has been seeded "
"with 'enough' randomness, and ``False`` otherwise.  You can use :func:`ssl."
"RAND_egd` and :func:`ssl.RAND_add` to increase the randomness of the pseudo-"
"random number generator."
msgstr ""
"如果 SSL 偽隨機數產生器已經使用「足夠的」隨機性進行隨機種子生成，則回傳 "
"``True`` ，否則回傳 ``False``。你可以使用 :func:`ssl.RAND_egd` 函式和 :func:"
"`ssl.RAND_add` 函式來增加偽隨機數產生器的隨機性。"

#: ../../library/ssl.rst:345
msgid ""
"Mix the given *bytes* into the SSL pseudo-random number generator.  The "
"parameter *entropy* (a float) is a lower bound on the entropy contained in "
"string (so you can always use ``0.0``).  See :rfc:`1750` for more "
"information on sources of entropy."
msgstr ""
"將給定的 *bytes* 混進 SSL 隨機偽隨機數產生器中。 *entropy* 參數（float 值）是"
"指字串中包含熵值的下限（因此你可以將其設為 ``0.0``\\ ）。請參閱 :rfc:`1750` "
"了解有關熵源的更多資訊。"

#: ../../library/ssl.rst:350
msgid "Writable :term:`bytes-like object` is now accepted."
msgstr "可寫入的\\ :term:`類位元組物件 <bytes-like object>`\\ 現在可被接受。"

#: ../../library/ssl.rst:354
msgid "Certificate handling"
msgstr "認證處理"

#: ../../library/ssl.rst:362
msgid ""
"Return the time in seconds since the Epoch, given the ``cert_time`` string "
"representing the \"notBefore\" or \"notAfter\" date from a certificate in "
"``\"%b %d %H:%M:%S %Y %Z\"`` strptime format (C locale)."
msgstr ""
"回傳自紀元以來的秒數，給定的 ``cert_time`` 字串表示憑證的 \"notBefore\" 或 "
"\"notAfter\" 日期，字串採用 ``\"%b %d %H:%M:%S %Y %Z\"`` 格式（C 語言區域設"
"定）。"

#: ../../library/ssl.rst:367
msgid "Here's an example:"
msgstr "以下是一個範例："

#: ../../library/ssl.rst:369
msgid ""
">>> import ssl\n"
">>> timestamp = ssl.cert_time_to_seconds(\"Jan  5 09:34:43 2018 GMT\")\n"
">>> timestamp\n"
"1515144883\n"
">>> from datetime import datetime\n"
">>> print(datetime.utcfromtimestamp(timestamp))\n"
"2018-01-05 09:34:43"
msgstr ""
">>> import ssl\n"
">>> timestamp = ssl.cert_time_to_seconds(\"Jan  5 09:34:43 2018 GMT\")\n"
">>> timestamp\n"
"1515144883\n"
">>> from datetime import datetime\n"
">>> print(datetime.utcfromtimestamp(timestamp))\n"
"2018-01-05 09:34:43"

#: ../../library/ssl.rst:379
msgid "\"notBefore\" or \"notAfter\" dates must use GMT (:rfc:`5280`)."
msgstr "\"notBefore\" 或 \"notAfter\" 日期必須使用 GMT (:rfc:`5280`)。"

#: ../../library/ssl.rst:381
msgid ""
"Interpret the input time as a time in UTC as specified by 'GMT' timezone in "
"the input string. Local timezone was used previously. Return an integer (no "
"fractions of a second in the input format)"
msgstr ""
"將輸入的時間直譯為 UTC 時間，如輸入字串中指定的 'GMT' 時區。在之前是使用本地"
"的時區。回傳一個整數（在輸入格式中不包括秒的小數部分）。"

#: ../../library/ssl.rst:390
msgid ""
"Given the address ``addr`` of an SSL-protected server, as a (*hostname*, "
"*port-number*) pair, fetches the server's certificate, and returns it as a "
"PEM-encoded string.  If ``ssl_version`` is specified, uses that version of "
"the SSL protocol to attempt to connect to the server.  If *ca_certs* is "
"specified, it should be a file containing a list of root certificates, the "
"same format as used for the *cafile* parameter in :meth:`SSLContext."
"load_verify_locations`.  The call will attempt to validate the server "
"certificate against that set of root certificates, and will fail if the "
"validation attempt fails.  A timeout can be specified with the ``timeout`` "
"parameter."
msgstr ""
"輸入使用 SSL 保護的伺服器的地址 ``addr``，輸入形式為一個 pair (*hostname*, "
"*port-number*)，取得該伺服器的憑證，並以 PEM 編碼字串的形式回傳。如果指定了 "
"``ssl_version``，則使用指定的 SSL 協定來嘗試與伺服器連線。如果指定 "
"*ca_certs*，則它應該是一個包含根憑證列表的檔案，並與 :meth:`SSLContext."
"load_verify_locations` 中的參數 *cafile* 所使用的格式相同。此呼叫將嘗試使用該"
"組根憑證對伺服器憑證進行驗證，如果驗證失敗，呼叫將失敗。可以使用 ``timeout`` "
"參數指定超時時間。"

#: ../../library/ssl.rst:401
msgid "This function is now IPv6-compatible."
msgstr "此函式現在是與 IPv6 相容的。"

#: ../../library/ssl.rst:404
msgid ""
"The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to :data:"
"`PROTOCOL_TLS` for maximum compatibility with modern servers."
msgstr ""
"預設的 *ssl_version* 已經從 :data:`PROTOCOL_SSLv3` 改為 :data:"
"`PROTOCOL_TLS`，已確保與現今的伺服器有最大的相容性。"

#: ../../library/ssl.rst:408
msgid "The *timeout* parameter was added."
msgstr "新增 *timeout* 參數。"

#: ../../library/ssl.rst:413
msgid ""
"Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded "
"string version of the same certificate."
msgstr ""
"給定一個以 DER 編碼的位元組 blob 作為憑證，回傳以 PEM 編碼字串版本的相同憑"
"證。"

#: ../../library/ssl.rst:418
msgid ""
"Given a certificate as an ASCII PEM string, returns a DER-encoded sequence "
"of bytes for that same certificate."
msgstr ""
"給定一個以 ASCII PEM 的字串作為憑證，回傳以 DER 編碼的位元組序列的相同憑證。"

#: ../../library/ssl.rst:423
msgid ""
"Returns a named tuple with paths to OpenSSL's default cafile and capath. The "
"paths are the same as used by :meth:`SSLContext.set_default_verify_paths`. "
"The return value is a :term:`named tuple` ``DefaultVerifyPaths``:"
msgstr ""
"回傳一個具有 OpenSSL 的預設 cafile 和 capath 路徑的附名元組。這些路徑與 :"
"meth:`SSLContext.set_default_verify_paths` 使用的相同。回傳值是一個 :term:"
"`named tuple` ``DefaultVerifyPaths``："

#: ../../library/ssl.rst:428
msgid ""
":attr:`cafile` - resolved path to cafile or ``None`` if the file doesn't "
"exist,"
msgstr ":attr:`cafile` - 解析後的 cafile 路徑，如果檔案不存在則為 ``None``，"

#: ../../library/ssl.rst:429
msgid ""
":attr:`capath` - resolved path to capath or ``None`` if the directory "
"doesn't exist,"
msgstr ":attr:`capath` - 解析後的 capath 路徑，如果目錄不存在則為 ``None``，"

#: ../../library/ssl.rst:430
msgid ""
":attr:`openssl_cafile_env` - OpenSSL's environment key that points to a "
"cafile,"
msgstr ":attr:`openssl_cafile_env` - 指向 cafile 的 OpenSSL 環境密鑰，"

#: ../../library/ssl.rst:431
msgid ":attr:`openssl_cafile` - hard coded path to a cafile,"
msgstr ":attr:`openssl_cafile` - hard coded 的 cafile 路徑，"

#: ../../library/ssl.rst:432
msgid ""
":attr:`openssl_capath_env` - OpenSSL's environment key that points to a "
"capath,"
msgstr ":attr:`openssl_capath_env` - 指向 capath 的 OpenSSL 環境密鑰，"

#: ../../library/ssl.rst:433
msgid ":attr:`openssl_capath` - hard coded path to a capath directory"
msgstr ":attr:`openssl_capath` - hard coded 的 capath 目錄路徑"

#: ../../library/ssl.rst:439
msgid ""
"Retrieve certificates from Windows' system cert store. *store_name* may be "
"one of ``CA``, ``ROOT`` or ``MY``. Windows may provide additional cert "
"stores, too."
msgstr ""
"從 Windows 的系統憑證儲存庫中搜尋憑證。*store_name* 可以是 ``CA``、``ROOT`` "
"或 ``MY`` 的其中一個。Windows 也可能會提供額外的憑證儲存庫。"

#: ../../library/ssl.rst:443
msgid ""
"The function returns a list of (cert_bytes, encoding_type, trust) tuples. "
"The encoding_type specifies the encoding of cert_bytes. It is either :const:"
"`x509_asn` for X.509 ASN.1 data or :const:`pkcs_7_asn` for PKCS#7 ASN.1 "
"data. Trust specifies the purpose of the certificate as a set of OIDS or "
"exactly ``True`` if the certificate is trustworthy for all purposes."
msgstr ""
"此函式會回傳一個元組 (cert_bytes, encoding_type, trust) 串列。encoding_type "
"指定了 cert_bytes 的編碼格式。它可以是用來表示 X.509 ASN.1 資料的 :const:"
"`x509_asn` 或是用來表示 PKCS#7 ASN.1 資料的 :const:`pkcs_7_asn`。Trust 通過一"
"組 OIDS 來指定憑證的用途，或是如果憑證對所有用途都可以使用則回傳 ``True``。"

#: ../../library/ssl.rst:450 ../../library/ssl.rst:1610
#: ../../library/ssl.rst:1910
msgid "Example::"
msgstr "範例： ::"

#: ../../library/ssl.rst:452
msgid ""
">>> ssl.enum_certificates(\"CA\")\n"
"[(b'data...', 'x509_asn', {'1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'}),\n"
" (b'data...', 'x509_asn', True)]"
msgstr ""
">>> ssl.enum_certificates(\"CA\")\n"
"[(b'data...', 'x509_asn', {'1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'}),\n"
" (b'data...', 'x509_asn', True)]"

#: ../../library/ssl.rst:462
msgid ""
"Retrieve CRLs from Windows' system cert store. *store_name* may be one of "
"``CA``, ``ROOT`` or ``MY``. Windows may provide additional cert stores, too."
msgstr ""
"從 Windows 的系統憑證儲存庫中搜尋 CRLs。*store_name* 可以是 ``CA``、``ROOT`` "
"或 ``MY`` 的其中一個。Windows 也可能會提供額外的憑證儲存庫。"

#: ../../library/ssl.rst:466
msgid ""
"The function returns a list of (cert_bytes, encoding_type, trust) tuples. "
"The encoding_type specifies the encoding of cert_bytes. It is either :const:"
"`x509_asn` for X.509 ASN.1 data or :const:`pkcs_7_asn` for PKCS#7 ASN.1 data."
msgstr ""
"此函式會回傳一個元組 (cert_bytes, encoding_type, trust) 串列。encoding_type "
"指定了 cert_bytes 的編碼格式。它可以是用來表示 X.509 ASN.1 資料的 :const:"
"`x509_asn` 或是用來表示 PKCS#7 ASN.1 資料的 :const:`pkcs_7_asn`。"

#: ../../library/ssl.rst:477
msgid "Constants"
msgstr "常數"

#: ../../library/ssl.rst:479
msgid ""
"All constants are now :class:`enum.IntEnum` or :class:`enum.IntFlag` "
"collections."
msgstr ""
"所有的常數現在都是 :class:`enum.IntEnum` 或 :class:`enum.IntFlag` 的集合。"

#: ../../library/ssl.rst:485
msgid ""
"Possible value for :attr:`SSLContext.verify_mode`. Except for :const:"
"`PROTOCOL_TLS_CLIENT`, it is the default mode.  With client-side sockets, "
"just about any cert is accepted.  Validation errors, such as untrusted or "
"expired cert, are ignored and do not abort the TLS/SSL handshake."
msgstr ""
":attr:`SSLContext.verify_mode` 可能的值。除了 :attr:`SSLContext.verify_mode` "
"外，這是預設的模式。對於用戶端的 sockets，幾乎任何憑證都能被允許。驗證錯誤，"
"像是不被信任或是過期的憑證，會被忽略並不會中止 TLS/SSL 握手。"

#: ../../library/ssl.rst:491
msgid ""
"In server mode, no certificate is requested from the client, so the client "
"does not send any for client cert authentication."
msgstr ""
"在伺服器模式下，不會從用戶端請求任何憑證，所以用戶端不用發送任何用於用戶端憑"
"證身分驗證的憑證。"

#: ../../library/ssl.rst:494 ../../library/ssl.rst:2412
msgid "See the discussion of :ref:`ssl-security` below."
msgstr "參閱下方 :ref:`ssl-security` 的討論。"

#: ../../library/ssl.rst:498
msgid ""
"Possible value for :attr:`SSLContext.verify_mode`. In client mode, :const:"
"`CERT_OPTIONAL` has the same meaning as :const:`CERT_REQUIRED`. It is "
"recommended to use :const:`CERT_REQUIRED` for client-side sockets instead."
msgstr ""
":attr:`SSLContext.verify_mode` 可能的值。在用戶端模式下，:const:"
"`CERT_OPTIONAL` 具有與 :const:`CERT_REQUIRED` 相同的含意。對於客戶端 sockets "
"推薦改用  :const:`CERT_REQUIRED`。"

#: ../../library/ssl.rst:503
msgid ""
"In server mode, a client certificate request is sent to the client.  The "
"client may either ignore the request or send a certificate in order perform "
"TLS client cert authentication.  If the client chooses to send a "
"certificate, it is verified.  Any verification error immediately aborts the "
"TLS handshake."
msgstr ""
"在伺服器模式下，客戶憑證請求會被發送給用戶端。用戶端可以選擇忽略請求或是選擇"
"發送憑證來執行 TLS 用戶端憑證身分驗證。如果用戶端選擇發送憑證，則會對其進行驗"
"證。任何驗證錯誤都會立刻終止 TLS 握手。"

#: ../../library/ssl.rst:509 ../../library/ssl.rst:528
msgid ""
"Use of this setting requires a valid set of CA certificates to be passed to :"
"meth:`SSLContext.load_verify_locations`."
msgstr ""
"使用此設定需要將一組有效的 CA 憑證傳送給 :meth:`SSLContext."
"load_verify_locations`。"

#: ../../library/ssl.rst:514
msgid ""
"Possible value for :attr:`SSLContext.verify_mode`. In this mode, "
"certificates are required from the other side of the socket connection; an :"
"class:`SSLError` will be raised if no certificate is provided, or if its "
"validation fails. This mode is **not** sufficient to verify a certificate in "
"client mode as it does not match hostnames.  :attr:`~SSLContext."
"check_hostname` must be enabled as well to verify the authenticity of a "
"cert. :const:`PROTOCOL_TLS_CLIENT` uses :const:`CERT_REQUIRED` and enables :"
"attr:`~SSLContext.check_hostname` by default."
msgstr ""
":attr:`SSLContext.verify_mode` 可能的值。在這個模式下，需要從 socket 連線的另"
"一端取得憑證；如果未提供憑證或是驗證失敗，則將會導致 :class:`SSLError`。此模"
"式\\ **不能**\\ 在用戶端模式下對憑證進行驗證，因為它無法去配對主機名稱。:"
"attr:`~SSLContext.check_hostname` 也必須被開起來來驗證憑證的真實性。:const:"
"`PROTOCOL_TLS_CLIENT` 會使用  :const:`CERT_REQUIRED` 並預設開啟 :attr:"
"`~SSLContext.check_hostname`。"

#: ../../library/ssl.rst:524
msgid ""
"With server socket, this mode provides mandatory TLS client cert "
"authentication.  A client certificate request is sent to the client and the "
"client must provide a valid and trusted certificate."
msgstr ""
"對於 socket 伺服器，此模式會提供強制的 TLS 用戶端憑證驗證。用戶端憑證請求會被"
"發送給用戶端並且用戶端必須提供有效且被信任的憑證。"

#: ../../library/ssl.rst:533
msgid ":class:`enum.IntEnum` collection of CERT_* constants."
msgstr ":class:`enum.IntEnum` 為 CERT_* 常數的一個集合。"

#: ../../library/ssl.rst:539
msgid ""
"Possible value for :attr:`SSLContext.verify_flags`. In this mode, "
"certificate revocation lists (CRLs) are not checked. By default OpenSSL does "
"neither require nor verify CRLs."
msgstr ""
":attr:`SSLContext.verify_flags` 可能的值。在此模式下，不會檢查憑證吊銷列表 "
"(CRLs)。預設的 OpenSSL 並不會請求及驗證 CRLs。"

#: ../../library/ssl.rst:547
msgid ""
"Possible value for :attr:`SSLContext.verify_flags`. In this mode, only the "
"peer cert is checked but none of the intermediate CA certificates. The mode "
"requires a valid CRL that is signed by the peer cert's issuer (its direct "
"ancestor CA). If no proper CRL has been loaded with :attr:`SSLContext."
"load_verify_locations`, validation will fail."
msgstr ""
":attr:`SSLContext.verify_flags` 可能的值。在此模式下，只會檢查同等的憑證而不"
"會去檢查中間的 CA 憑證。此模式需要提供由對等憑證發行者 (它的直接上級 CA) 的有"
"效的 CRL 簽名。如果沒有用 :attr:`SSLContext.load_verify_locations` 載入適當"
"的 CRL，則會驗證失敗。"

#: ../../library/ssl.rst:557
msgid ""
"Possible value for :attr:`SSLContext.verify_flags`. In this mode, CRLs of "
"all certificates in the peer cert chain are checked."
msgstr ""
":attr:`SSLContext.verify_flags` 可能的值。在此模式下，會檢查對等憑證鍊中所有"
"憑證的 CRLs。"

#: ../../library/ssl.rst:564
msgid ""
"Possible value for :attr:`SSLContext.verify_flags` to disable workarounds "
"for broken X.509 certificates."
msgstr ""
":attr:`SSLContext.verify_flags` 可能的值，用來禁用已損壞的 X.509 憑證的解決方"
"法。"

#: ../../library/ssl.rst:571
msgid ""
"Possible value for :attr:`SSLContext.verify_flags` to enables proxy "
"certificate verification."
msgstr ":attr:`SSLContext.verify_flags` 可能的值，用來啟用憑證代理驗證。"

#: ../../library/ssl.rst:578
msgid ""
"Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to "
"prefer trusted certificates when building the trust chain to validate a "
"certificate. This flag is enabled by default."
msgstr ""
":attr:`SSLContext.verify_flags` 可能的值。它指示 OpenSSL 在構建信任鍊來驗證憑"
"證時會優先使用被信任的憑證。此旗標預設開啟。"

#: ../../library/ssl.rst:586
msgid ""
"Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to "
"accept intermediate CAs in the trust store to be treated as trust-anchors, "
"in the same way as the self-signed root CA certificates. This makes it "
"possible to trust certificates issued by an intermediate CA without having "
"to trust its ancestor root CA."
msgstr ""
":attr:`SSLContext.verify_flags` 可能的值。它指示 OpenSSL 接受信任儲存中的中"
"間 CAs 作為信任錨，就像自簽名的根 CA 憑證。這樣就能去信任中間 CA 所頒發的憑"
"證，而不一定非要去信任其祖先的根 CA。"

#: ../../library/ssl.rst:597
msgid ":class:`enum.IntFlag` collection of VERIFY_* constants."
msgstr ":class:`enum.IntFlag` 為 VERIFY_* 常數的其中一個集合。"

#: ../../library/ssl.rst:603
msgid ""
"Selects the highest protocol version that both the client and server "
"support. Despite the name, this option can select both \"SSL\" and \"TLS\" "
"protocols."
msgstr ""
"選擇用戶端及伺服器均可以支援最高協定版本。儘管名稱只有 「TLS」，但實際上"
"「SSL」和「TLS」均可以選擇。"

#: ../../library/ssl.rst:610
msgid ""
"TLS clients and servers require different default settings for secure "
"communication. The generic TLS protocol constant is deprecated in favor of :"
"data:`PROTOCOL_TLS_CLIENT` and :data:`PROTOCOL_TLS_SERVER`."
msgstr ""
"TLS 的用戶端及伺服器端需要不同的預設值來實現安全通訊。通用的 TLS 協定常數已被"
"廢除，並改用 :data:`PROTOCOL_TLS_CLIENT` 和 :data:`PROTOCOL_TLS_SERVER`。"

#: ../../library/ssl.rst:616
msgid ""
"Auto-negotiate the highest protocol version that both the client and server "
"support, and configure the context client-side connections. The protocol "
"enables :data:`CERT_REQUIRED` and :attr:`~SSLContext.check_hostname` by "
"default."
msgstr ""
"自動協商用戶端和伺服器服務器都支援的最高協定版本，並配置用戶端語境連線。該協"
"定預設啟用 :data:`CERT_REQUIRED` 和 :attr:`~SSLContext.check_hostname`。"

#: ../../library/ssl.rst:625
msgid ""
"Auto-negotiate the highest protocol version that both the client and server "
"support, and configure the context server-side connections."
msgstr "自動協商用戶端和伺服器都支援的最高協定版本，並配置用戶端語境連線。"

#: ../../library/ssl.rst:632
msgid "Alias for :data:`PROTOCOL_TLS`."
msgstr ":data:`PROTOCOL_TLS` 的別名。"

#: ../../library/ssl.rst:636
msgid "Use :data:`PROTOCOL_TLS` instead."
msgstr "請改用 :data:`PROTOCOL_TLS`。"

#: ../../library/ssl.rst:640
msgid "Selects SSL version 3 as the channel encryption protocol."
msgstr "選擇第三版的 SSL 做為通道加密協定。"

#: ../../library/ssl.rst:642
msgid ""
"This protocol is not available if OpenSSL is compiled with the ``no-ssl3`` "
"option."
msgstr "如果 OpenSSL 是用 ``no-ssl3`` 編譯的，則此項協定無法使用。"

#: ../../library/ssl.rst:647
msgid "SSL version 3 is insecure.  Its use is highly discouraged."
msgstr "第三版的 SSL 是不安全的，強烈建議不要使用。"

#: ../../library/ssl.rst:651
msgid ""
"OpenSSL has deprecated all version specific protocols. Use the default "
"protocol :data:`PROTOCOL_TLS_SERVER` or :data:`PROTOCOL_TLS_CLIENT` with :"
"attr:`SSLContext.minimum_version` and :attr:`SSLContext.maximum_version` "
"instead."
msgstr ""
"OpenSSL 已經終止了所有特定版本的協定。請改用預設的 :data:"
"`PROTOCOL_TLS_SERVER` 協定或帶有 :attr:`SSLContext.minimum_version` 和 :attr:"
"`SSLContext.maximum_version` 的 :data:`PROTOCOL_TLS_CLIENT`。"

#: ../../library/ssl.rst:659
msgid "Selects TLS version 1.0 as the channel encryption protocol."
msgstr "選擇 1.0 版的 TLS 做為通道加密協定。"

#: ../../library/ssl.rst:663 ../../library/ssl.rst:674
#: ../../library/ssl.rst:685
msgid "OpenSSL has deprecated all version specific protocols."
msgstr "OpenSSL 已經將所有版本特定的協定棄用。"

#: ../../library/ssl.rst:667
msgid ""
"Selects TLS version 1.1 as the channel encryption protocol. Available only "
"with openssl version 1.0.1+."
msgstr ""
"選擇 1.1 版的 TLS 做為通道加密協定。只有在 1.0.1 版本以上的 OpenSSL 才可以選"
"用。"

#: ../../library/ssl.rst:678
msgid ""
"Selects TLS version 1.2 as the channel encryption protocol. Available only "
"with openssl version 1.0.1+."
msgstr ""
"選擇 1.2 版的 TLS 做為通道加密協定。只有在 1.0.1 版本以上的 OpenSSL 才可以選"
"用。"

#: ../../library/ssl.rst:689
msgid ""
"Enables workarounds for various bugs present in other SSL implementations. "
"This option is set by default.  It does not necessarily set the same flags "
"as OpenSSL's ``SSL_OP_ALL`` constant."
msgstr ""
"啟用對 SSL 實作時所產生的各種錯誤的緩解措施。此選項預設被設定。它不一定設定"
"與 OpenSSL 的 ``SSL_OP_ALL`` 常數相同的旗標。"

#: ../../library/ssl.rst:697
msgid ""
"Prevents an SSLv2 connection.  This option is only applicable in conjunction "
"with :const:`PROTOCOL_TLS`.  It prevents the peers from choosing SSLv2 as "
"the protocol version."
msgstr ""
"防止 SSLv2 連線。此選項只可以跟 :const:`PROTOCOL_TLS` 一起使用。它會防止同級 "
"(peer)選用 SSLv2 做為協定版本。"

#: ../../library/ssl.rst:705
msgid "SSLv2 is deprecated"
msgstr "SSLv2 已被棄用"

#: ../../library/ssl.rst:709
msgid ""
"Prevents an SSLv3 connection.  This option is only applicable in conjunction "
"with :const:`PROTOCOL_TLS`.  It prevents the peers from choosing SSLv3 as "
"the protocol version."
msgstr ""
"防止 SSLv3 連線。此選項只可以跟 :const:`PROTOCOL_TLS` 一起使用。它會防止同級"
"選用 SSLv3 做為協定版本。"

#: ../../library/ssl.rst:717
msgid "SSLv3 is deprecated"
msgstr "SSLv3 已被棄用"

#: ../../library/ssl.rst:721
msgid ""
"Prevents a TLSv1 connection.  This option is only applicable in conjunction "
"with :const:`PROTOCOL_TLS`.  It prevents the peers from choosing TLSv1 as "
"the protocol version."
msgstr ""
"防止 TLSv1 連線。此選項只可以跟 :const:`PROTOCOL_TLS` 一起使用。它會防止同級"
"選用 TLSv1 做為協定版本。"

#: ../../library/ssl.rst:727
msgid ""
"The option is deprecated since OpenSSL 1.1.0, use the new :attr:`SSLContext."
"minimum_version` and :attr:`SSLContext.maximum_version` instead."
msgstr ""
"該選項自從 OpenSSL 1.1.0 以後已被棄用，請改用新的 :attr:`SSLContext."
"minimum_version` 及 :attr:`SSLContext.maximum_version` 代替。"

#: ../../library/ssl.rst:734
msgid ""
"Prevents a TLSv1.1 connection. This option is only applicable in conjunction "
"with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.1 as "
"the protocol version. Available only with openssl version 1.0.1+."
msgstr ""
"防止 TLSv1.1 連線。此選項只可以跟 :const:`PROTOCOL_TLS` 一起使用。它會防止同"
"級選用 TLSv1.1 做為協定版本。只有 1.0.1 版後的 OpenSSL 版本才能使用。"

#: ../../library/ssl.rst:740 ../../library/ssl.rst:751
msgid "The option is deprecated since OpenSSL 1.1.0."
msgstr "此選項自 OpenSSL 1.1.0 版已被棄用。"

#: ../../library/ssl.rst:745
msgid ""
"Prevents a TLSv1.2 connection. This option is only applicable in conjunction "
"with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.2 as "
"the protocol version. Available only with openssl version 1.0.1+."
msgstr ""
"防止 TLSv1.2 連線。此選項只可以跟 :const:`PROTOCOL_TLS` 一起使用。它會防止同"
"級選用 TLSv1.2 做為協定版本。只有 1.0.1 版後的 OpenSSL 版本才能使用。"

#: ../../library/ssl.rst:756
msgid ""
"Prevents a TLSv1.3 connection. This option is only applicable in conjunction "
"with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.3 as "
"the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later. When "
"Python has been compiled against an older version of OpenSSL, the flag "
"defaults to *0*."
msgstr ""
"防止 TLSv1.3 連線。此選項只可以跟 :const:`PROTOCOL_TLS` 一起使用。它會防止同"
"級選用 TLSv1.3 做為協定版本。TSL1.3 只適用於 1.1.1 版以後的 OpenSSL。當使用 "
"Python 編譯舊版的 OpenSSL 時，該標志預設為 *0*。"

#: ../../library/ssl.rst:764
msgid ""
"The option is deprecated since OpenSSL 1.1.0. It was added to 2.7.15 and "
"3.6.3 for backwards compatibility with OpenSSL 1.0.2."
msgstr ""
"此選項自 OpenSSL 1.1.0 以後已被棄用。它被添加到 2.7.15 和 3.6.3 中，以向後相"
"容 OpenSSL 1.0.2。"

#: ../../library/ssl.rst:770
msgid ""
"Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest "
"messages, and ignore renegotiation requests via ClientHello."
msgstr ""
"停用所有在 TLSv1.2 及更早版本的重協商 (renegotiation)。不發送 HelloRequest 訊"
"息，並忽略通過 ClientHello 的重協商請求。"

#: ../../library/ssl.rst:773
msgid "This option is only available with OpenSSL 1.1.0h and later."
msgstr "此選項僅適用於 OpenSSL 1.1.0h 及更新版本。"

#: ../../library/ssl.rst:779
msgid ""
"Use the server's cipher ordering preference, rather than the client's. This "
"option has no effect on client sockets and SSLv2 server sockets."
msgstr ""
"使用伺服器的加密方法名稱字串排序優先順序，而不是用戶端的。此選項並不會影響到"
"用戶端及 SSLv2 伺服器的 sockets。"

#: ../../library/ssl.rst:786
msgid ""
"Prevents reuse of the same DH key for distinct SSL sessions.  This improves "
"forward secrecy but requires more computational resources. This option only "
"applies to server sockets."
msgstr ""
"防止對不同的 SSL 會談重複使用相同的 DH 密鑰。這會加強向前保密但需要更多的運算"
"資源。此選項只適用於伺服器 sockets。"

#: ../../library/ssl.rst:794
msgid ""
"Prevents reuse of the same ECDH key for distinct SSL sessions.  This "
"improves forward secrecy but requires more computational resources. This "
"option only applies to server sockets."
msgstr ""
"防止對不同的 SSL 會談重複使用相同的 ECDH 密鑰。這會加強向前保密但需要更多的運"
"算資源。此選項只適用於伺服器 sockets。"

#: ../../library/ssl.rst:802
msgid ""
"Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make a "
"TLS 1.3 connection look more like a TLS 1.2 connection."
msgstr ""
"在 TLS 1.3 握手中發送虛擬的變更加密方法規範 (CCS) 消息，以使 TLS 1.3 連接看起"
"來更像 TLS 1.2 連線。"

#: ../../library/ssl.rst:805
msgid "This option is only available with OpenSSL 1.1.1 and later."
msgstr "此選項僅適用於 OpenSSL 1.1.1 及更新版本。"

#: ../../library/ssl.rst:811
msgid ""
"Disable compression on the SSL channel.  This is useful if the application "
"protocol supports its own compression scheme."
msgstr ""
"在 SSL 通道上禁用壓縮。如果應用程序協定支援自己的壓縮方案，這會很有用。"

#: ../../library/ssl.rst:818
msgid ":class:`enum.IntFlag` collection of OP_* constants."
msgstr ":class:`enum.IntFlag` 為 OP_* 常數中的一個集合。"

#: ../../library/ssl.rst:822
msgid "Prevent client side from requesting a session ticket."
msgstr "防止用戶端請求會談票據。"

#: ../../library/ssl.rst:828
msgid "Ignore unexpected shutdown of TLS connections."
msgstr "忽略意外關閉的 TLS 連線。"

#: ../../library/ssl.rst:830 ../../library/ssl.rst:846
msgid "This option is only available with OpenSSL 3.0.0 and later."
msgstr "此選項僅適用於 OpenSSL 3.0.0 及更新版本。"

#: ../../library/ssl.rst:836
msgid ""
"Enable the use of the kernel TLS. To benefit from the feature, OpenSSL must "
"have been compiled with support for it, and the negotiated cipher suites and "
"extensions must be supported by it (a list of supported ones may vary by "
"platform and kernel version)."
msgstr ""
"允許使用 TLS 核心。要想受益於該功能，OpenSSL 必須編譯為支援該功能，並且想使用"
"的加密套件及擴充套件也必須被該功能支援 (該功能所支援的列表可能會因平台及核心"
"而有所差異)。"

#: ../../library/ssl.rst:841
msgid ""
"Note that with enabled kernel TLS some cryptographic operations are "
"performed by the kernel directly and not via any available OpenSSL "
"Providers. This might be undesirable if, for example, the application "
"requires all cryptographic operations to be performed by the FIPS provider."
msgstr ""
"請注意當允許使用 TLS 核心時，一些加密操作將直接由核心執行而不是經由任何由可用"
"的 OpenSSL 所提供的程序，而這可能並非你所想使用的，例如：當應用程式要求所有的"
"加密操作由 FIPS 提供執行。"

#: ../../library/ssl.rst:852
msgid ""
"Allow legacy insecure renegotiation between OpenSSL and unpatched servers "
"only."
msgstr "只允許 OpenSSL 與未修補的伺服器進行遺留 (legacy) 不安全重協商。"

#: ../../library/ssl.rst:859
msgid ""
"Whether the OpenSSL library has built-in support for the *Application-Layer "
"Protocol Negotiation* TLS extension as described in :rfc:`7301`."
msgstr ""
"OpenSSL 函式庫是否內建支援 *應用層協定協商* TLS 擴充套件，該擴充套件描述在 :"
"rfc:`7301` 中。"

#: ../../library/ssl.rst:866
msgid ""
"Whether the OpenSSL library has built-in support not checking subject common "
"name and :attr:`SSLContext.hostname_checks_common_name` is writeable."
msgstr ""
"OpenSSL 函式庫是否內建支援不檢查主題通用名稱及 :attr:`SSLContext."
"hostname_checks_common_name` 是否可寫。"

#: ../../library/ssl.rst:874
msgid ""
"Whether the OpenSSL library has built-in support for the Elliptic Curve-"
"based Diffie-Hellman key exchange.  This should be true unless the feature "
"was explicitly disabled by the distributor."
msgstr ""
"OpenSSL 函式庫是否內建支援基於橢圓曲線的 (Elliptic Curve-based) Diffie-"
"Hellman 金鑰交換。此回傳值應該要為 true 除非發布者明確禁用此功能。"

#: ../../library/ssl.rst:882
msgid ""
"Whether the OpenSSL library has built-in support for the *Server Name "
"Indication* extension (as defined in :rfc:`6066`)."
msgstr ""
"OpenSSL 函式庫是否內建支援 *伺服器名稱提示* 擴充套件 (在 :rfc:`6066` 中定"
"義)。"

#: ../../library/ssl.rst:889
msgid ""
"Whether the OpenSSL library has built-in support for the *Next Protocol "
"Negotiation* as described in the `Application Layer Protocol Negotiation "
"<https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_. "
"When true, you can use the :meth:`SSLContext.set_npn_protocols` method to "
"advertise which protocols you want to support."
msgstr ""
"OpenSSL 函式庫是否內建支援 *下一代協定協商* 該功能在\\ `應用層協定協商 "
"<https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_ 中有"
"描述。當此值為 true 時，你可以使用 :meth:`SSLContext.set_npn_protocols` 方法"
"來公告你想支援的協定。"

#: ../../library/ssl.rst:899
msgid ""
"Whether the OpenSSL library has built-in support for the SSL 2.0 protocol."
msgstr "此 OpenSSL 函式庫是否內建支援 SSL 2.0 協定。"

#: ../../library/ssl.rst:905
msgid ""
"Whether the OpenSSL library has built-in support for the SSL 3.0 protocol."
msgstr "此 OpenSSL 函式庫是否內建支援 SSL 3.0 協定。"

#: ../../library/ssl.rst:911
msgid ""
"Whether the OpenSSL library has built-in support for the TLS 1.0 protocol."
msgstr "此 OpenSSL 函式庫是否內建支援 TLS 1.0 協定。"

#: ../../library/ssl.rst:917
msgid ""
"Whether the OpenSSL library has built-in support for the TLS 1.1 protocol."
msgstr "此 OpenSSL 函式庫是否內建支援 TLS 1.1 協定。"

#: ../../library/ssl.rst:923
msgid ""
"Whether the OpenSSL library has built-in support for the TLS 1.2 protocol."
msgstr "此 OpenSSL 函式庫是否內建支援 TLS 1.2 協定。"

#: ../../library/ssl.rst:929
msgid ""
"Whether the OpenSSL library has built-in support for the TLS 1.3 protocol."
msgstr "此 OpenSSL 函式庫是否內建支援 TLS 1.3 協定。"

#: ../../library/ssl.rst:935
msgid "Whether the OpenSSL library has built-in support for TLS-PSK."
msgstr "此 OpenSSL 函式庫是否內建支援 TLS-PSK。"

#: ../../library/ssl.rst:941
msgid "Whether the OpenSSL library has built-in support for TLS-PHA."
msgstr "此 OpenSSL 函式庫是否內建支援 TLS-PHA。"

#: ../../library/ssl.rst:947
msgid ""
"List of supported TLS channel binding types.  Strings in this list can be "
"used as arguments to :meth:`SSLSocket.get_channel_binding`."
msgstr ""
"支援的 TLS 通道綁定類型列表。列表中的字串可以作為 :meth:`SSLSocket."
"get_channel_binding` 的參數。"

#: ../../library/ssl.rst:954
msgid "The version string of the OpenSSL library loaded by the interpreter::"
msgstr "直譯器所加載的 OpenSSL 函式庫的版本字串::"

#: ../../library/ssl.rst:956
msgid ""
">>> ssl.OPENSSL_VERSION\n"
"'OpenSSL 1.0.2k  26 Jan 2017'"
msgstr ""
">>> ssl.OPENSSL_VERSION\n"
"'OpenSSL 1.0.2k  26 Jan 2017'"

#: ../../library/ssl.rst:963
msgid ""
"A tuple of five integers representing version information about the OpenSSL "
"library::"
msgstr "代表 OpenSSL 函式庫版本資訊的五個整數的元組： ::"

#: ../../library/ssl.rst:966
msgid ""
">>> ssl.OPENSSL_VERSION_INFO\n"
"(1, 0, 2, 11, 15)"
msgstr ""
">>> ssl.OPENSSL_VERSION_INFO\n"
"(1, 0, 2, 11, 15)"

#: ../../library/ssl.rst:973
msgid "The raw version number of the OpenSSL library, as a single integer::"
msgstr "OpenSSL 函式庫的初始版本，以單一整數表示::"

#: ../../library/ssl.rst:975
msgid ""
">>> ssl.OPENSSL_VERSION_NUMBER\n"
"268443839\n"
">>> hex(ssl.OPENSSL_VERSION_NUMBER)\n"
"'0x100020bf'"
msgstr ""
">>> ssl.OPENSSL_VERSION_NUMBER\n"
"268443839\n"
">>> hex(ssl.OPENSSL_VERSION_NUMBER)\n"
"'0x100020bf'"

#: ../../library/ssl.rst:986
msgid ""
"Alert Descriptions from :rfc:`5246` and others. The `IANA TLS Alert Registry "
"<https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-"
"parameters-6>`_ contains this list and references to the RFCs where their "
"meaning is defined."
msgstr ""
"來自 :rfc:`5246` 和其他文件的警報描述。`IANA TLS Alert Registry <https://www."
"iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6>`_ 包"
"含了此列表以及其含義定義所在的 RFC 的引用。"

#: ../../library/ssl.rst:990
msgid ""
"Used as the return value of the callback function in :meth:`SSLContext."
"set_servername_callback`."
msgstr ""
"被用來做為 :meth:`SSLContext.set_servername_callback` 中回呼函式的回傳值。"

#: ../../library/ssl.rst:997
msgid ":class:`enum.IntEnum` collection of ALERT_DESCRIPTION_* constants."
msgstr ":class:`enum.IntEnum` 為 ALERT_DESCRIPTION_* 常數中的一個集合。"

#: ../../library/ssl.rst:1003
msgid ""
"Option for :func:`create_default_context` and :meth:`SSLContext."
"load_default_certs`.  This value indicates that the context may be used to "
"authenticate web servers (therefore, it will be used to create client-side "
"sockets)."
msgstr ""
":func:`create_default_context` 和 :meth:`SSLContext.load_default_certs` 的選"
"項。此值表示該語境可能會用於驗證網頁伺服器 (因此它將用於建立用戶端 socket）。"

#: ../../library/ssl.rst:1012
msgid ""
"Option for :func:`create_default_context` and :meth:`SSLContext."
"load_default_certs`.  This value indicates that the context may be used to "
"authenticate web clients (therefore, it will be used to create server-side "
"sockets)."
msgstr ""
":func:`create_default_context` 和 :meth:`SSLContext.load_default_certs` 的選"
"項。此值表示該語境可能會用於驗證網頁用戶端 (因此，它將用於建立伺服器端的 "
"socket）。"

#: ../../library/ssl.rst:1021
msgid ":class:`enum.IntEnum` collection of SSL_ERROR_* constants."
msgstr ":class:`enum.IntEnum` 為 SSL_ERROR_* 常數中的一個集合。"

#: ../../library/ssl.rst:1027
msgid ""
":class:`enum.IntEnum` collection of SSL and TLS versions for :attr:"
"`SSLContext.maximum_version` and :attr:`SSLContext.minimum_version`."
msgstr ""
"用於 :attr:`SSLContext.maximum_version` 和 :attr:`SSLContext."
"minimum_version` 的 SSL 和 TLS 版本 :class:`enum.IntEnum` 集合。"

#: ../../library/ssl.rst:1035
msgid ""
"The minimum or maximum supported SSL or TLS version. These are magic "
"constants. Their values don't reflect the lowest and highest available TLS/"
"SSL versions."
msgstr ""
"最低或最高支援的 SSL 或 TLS 版本。這些是特殊常數。它們的值並不反映可用的最低"
"和最高 TLS/SSL 版本。"

#: ../../library/ssl.rst:1045
msgid "SSL 3.0 to TLS 1.3."
msgstr "SSL 3.0 到 TLS 1.3。"

#: ../../library/ssl.rst:1049
msgid ""
"All :class:`TLSVersion` members except :attr:`TLSVersion.TLSv1_2` and :attr:"
"`TLSVersion.TLSv1_3` are deprecated."
msgstr ""
"除了 :attr:`TLSVersion.TLSv1_2` 和 :attr:`TLSVersion.TLSv1_3` 之外，所有的 :"
"class:`TLSVersion` 成員都已被棄用。"

#: ../../library/ssl.rst:1054
msgid "SSL Sockets"
msgstr "SSL Sockets"

#: ../../library/ssl.rst:1058
msgid "SSL sockets provide the following methods of :ref:`socket-objects`:"
msgstr "SSL sockets 提供以下 :ref:`socket-objects` 方法："

#: ../../library/ssl.rst:1060
msgid ":meth:`~socket.socket.accept`"
msgstr ":meth:`~socket.socket.accept`"

#: ../../library/ssl.rst:1061
msgid ":meth:`~socket.socket.bind`"
msgstr ":meth:`~socket.socket.bind`"

#: ../../library/ssl.rst:1062
msgid ":meth:`~socket.socket.close`"
msgstr ":meth:`~socket.socket.close`"

#: ../../library/ssl.rst:1063
msgid ":meth:`~socket.socket.connect`"
msgstr ":meth:`~socket.socket.connect`"

#: ../../library/ssl.rst:1064
msgid ":meth:`~socket.socket.detach`"
msgstr ":meth:`~socket.socket.detach`"

#: ../../library/ssl.rst:1065
msgid ":meth:`~socket.socket.fileno`"
msgstr ":meth:`~socket.socket.fileno`"

#: ../../library/ssl.rst:1066
msgid ":meth:`~socket.socket.getpeername`, :meth:`~socket.socket.getsockname`"
msgstr ":meth:`~socket.socket.getpeername`、:meth:`~socket.socket.getsockname`"

#: ../../library/ssl.rst:1067
msgid ":meth:`~socket.socket.getsockopt`, :meth:`~socket.socket.setsockopt`"
msgstr ":meth:`~socket.socket.getsockopt`、:meth:`~socket.socket.setsockopt`"

#: ../../library/ssl.rst:1068
msgid ""
":meth:`~socket.socket.gettimeout`, :meth:`~socket.socket.settimeout`, :meth:"
"`~socket.socket.setblocking`"
msgstr ""
":meth:`~socket.socket.gettimeout`、:meth:`~socket.socket.settimeout`、:meth:"
"`~socket.socket.setblocking`"

#: ../../library/ssl.rst:1070
msgid ":meth:`~socket.socket.listen`"
msgstr ":meth:`~socket.socket.listen`"

#: ../../library/ssl.rst:1071
msgid ":meth:`~socket.socket.makefile`"
msgstr ":meth:`~socket.socket.makefile`"

#: ../../library/ssl.rst:1072
msgid ""
":meth:`~socket.socket.recv`, :meth:`~socket.socket.recv_into` (but passing a "
"non-zero ``flags`` argument is not allowed)"
msgstr ""
":meth:`~socket.socket.recv`、:meth:`~socket.socket.recv_into` （但不允許傳遞"
"非零的 ``flags`` 引數）"

#: ../../library/ssl.rst:1074
msgid ""
":meth:`~socket.socket.send`, :meth:`~socket.socket.sendall` (with the same "
"limitation)"
msgstr ""
":meth:`~socket.socket.send`、:meth:`~socket.socket.sendall` （同樣不允許傳遞"
"非零的 ``flags`` 引數）"

#: ../../library/ssl.rst:1076
msgid ""
":meth:`~socket.socket.sendfile` (but :mod:`os.sendfile` will be used for "
"plain-text sockets only, else :meth:`~socket.socket.send` will be used)"
msgstr ""
":meth:`~socket.socket.sendfile` （但 :mod:`os.sendfile` 只能用於純文本 "
"sockets，其餘則會使用 :meth:`~socket.socket.send`）"

#: ../../library/ssl.rst:1078
msgid ":meth:`~socket.socket.shutdown`"
msgstr ":meth:`~socket.socket.shutdown`"

#: ../../library/ssl.rst:1080
msgid ""
"However, since the SSL (and TLS) protocol has its own framing atop of TCP, "
"the SSL sockets abstraction can, in certain respects, diverge from the "
"specification of normal, OS-level sockets.  See especially the :ref:`notes "
"on non-blocking sockets <ssl-nonblocking>`."
msgstr ""
"然而，由於 SSL（和 TLS）協定在 TCP 之上有自己的框架，因此在某些方面，SSL "
"sockets 的抽象可能會與普通作業系統級別的 sockets 規範有所不同。特別是請參閱"
"\\ :ref:`關於 non-blocking sockets 的說明 <ssl-nonblocking>`。"

#: ../../library/ssl.rst:1085
msgid ""
"Instances of :class:`SSLSocket` must be created using the :meth:`SSLContext."
"wrap_socket` method."
msgstr ""
":class:`SSLSocket` 的實例必須使用 :meth:`SSLContext.wrap_socket` 方法建立。"

#: ../../library/ssl.rst:1088
msgid "The :meth:`sendfile` method was added."
msgstr "新增 :meth:`sendfile` 方法。"

#: ../../library/ssl.rst:1091
msgid ""
"The :meth:`shutdown` does not reset the socket timeout each time bytes are "
"received or sent. The socket timeout is now the maximum total duration of "
"the shutdown."
msgstr ""
":meth:`shutdown` 不會在每次接收或發送位元組時重置 socket 超時時間。現在，"
"socket 超時時間是關閉操作的最大總持續時間。"

#: ../../library/ssl.rst:1096
msgid ""
"It is deprecated to create a :class:`SSLSocket` instance directly, use :meth:"
"`SSLContext.wrap_socket` to wrap a socket."
msgstr ""
"直接建立 :class:`SSLSocket` 實例的方式已被棄用，請使用 :meth:`SSLContext."
"wrap_socket` 來包裝 socket。"

#: ../../library/ssl.rst:1100
msgid ""
":class:`SSLSocket` instances must to created with :meth:`~SSLContext."
"wrap_socket`. In earlier versions, it was possible to create instances "
"directly. This was never documented or officially supported."
msgstr ""
":class:`SSLSocket` 實例必須使用 :meth:`~SSLContext.wrap_socket` 建立。在較早"
"的版本中可以直接建立實例，但這從未被記錄或正式支援。"

#: ../../library/ssl.rst:1106
msgid ""
"Python now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The "
"functions support reading and writing of data larger than 2 GB. Writing zero-"
"length data no longer fails with a protocol violation error."
msgstr ""
"Python 現在內部使用了 ``SSL_read_ex`` 和 ``SSL_write_ex`` 函式。這些函式支援"
"讀取和寫入大於 2 GB 的資料。寫入零長度的資料不再會導致協定違規錯誤。"

#: ../../library/ssl.rst:1111
msgid "SSL sockets also have the following additional methods and attributes:"
msgstr "SSL sockets 還具有以下附加方法和屬性："

#: ../../library/ssl.rst:1115
msgid ""
"Read up to *len* bytes of data from the SSL socket and return the result as "
"a ``bytes`` instance. If *buffer* is specified, then read into the buffer "
"instead, and return the number of bytes read."
msgstr ""
"從 SSL socket 讀取 *len* 位元組的資料，並將結果以 ``bytes`` 實例的形式回傳。"
"如果指定了 *buffer*，則將資料讀入緩衝區，並回傳讀取的位元組。"

#: ../../library/ssl.rst:1119
msgid ""
"Raise :exc:`SSLWantReadError` or :exc:`SSLWantWriteError` if the socket is :"
"ref:`non-blocking <ssl-nonblocking>` and the read would block."
msgstr ""
"如果 socket 是\\ :ref:`非阻塞的 <ssl-nonblocking>`\\ 則會引發 :exc:"
"`SSLWantReadError` 或 :exc:`SSLWantWriteError` 並且讀取操作將會被阻塞。"

#: ../../library/ssl.rst:1122
msgid ""
"As at any time a re-negotiation is possible, a call to :meth:`read` can also "
"cause write operations."
msgstr ""
"由於在任何時刻都可能發生重新協商，呼叫 :meth:`read` 也可能觸發寫入操作。"

#: ../../library/ssl.rst:1125
msgid ""
"The socket timeout is no longer reset each time bytes are received or sent. "
"The socket timeout is now the maximum total duration to read up to *len* "
"bytes."
msgstr ""
"當接收或發送位元組時，socket 的超時時間將不再重置。現在，socket 超時時間是讀"
"取最多 *len* 位元組的總最大持續時間。"

#: ../../library/ssl.rst:1130
msgid "Use :meth:`~SSLSocket.recv` instead of :meth:`~SSLSocket.read`."
msgstr "請改用 :meth:`~SSLSocket.recv` 來替換掉 :meth:`~SSLSocket.read`。"

#: ../../library/ssl.rst:1135
msgid ""
"Write *data* to the SSL socket and return the number of bytes written. The "
"*data* argument must be an object supporting the buffer interface."
msgstr ""
"將 *data* 寫入 SSL socket 並回傳寫入的位元組數量。*data* 引數必須是支援緩衝區"
"介面的物件。"

#: ../../library/ssl.rst:1138
msgid ""
"Raise :exc:`SSLWantReadError` or :exc:`SSLWantWriteError` if the socket is :"
"ref:`non-blocking <ssl-nonblocking>` and the write would block."
msgstr ""
"如果 socket 是\\ :ref:`非阻塞的 <ssl-nonblocking>`\\ 則會引發 :exc:"
"`SSLWantReadError` 或 :exc:`SSLWantWriteError` 並且寫入操作將會被阻塞。"

#: ../../library/ssl.rst:1141
msgid ""
"As at any time a re-negotiation is possible, a call to :meth:`write` can "
"also cause read operations."
msgstr ""
"由於在任何時刻都可能發生重新協商，呼叫 :meth:`write` 也可能觸發讀取操作。"

#: ../../library/ssl.rst:1144
msgid ""
"The socket timeout is no longer reset each time bytes are received or sent. "
"The socket timeout is now the maximum total duration to write *data*."
msgstr ""
"當接收或發送位元組時，socket 的超時時間將不再重置。現在，socket 超時時間是寫"
"入 *data* 的總最大持續時間。"

#: ../../library/ssl.rst:1148
msgid "Use :meth:`~SSLSocket.send` instead of :meth:`~SSLSocket.write`."
msgstr "請改用 :meth:`~SSLSocket.send` 來替換掉 :meth:`~SSLSocket.write`。"

#: ../../library/ssl.rst:1153
msgid ""
"The :meth:`~SSLSocket.read` and :meth:`~SSLSocket.write` methods are the low-"
"level methods that read and write unencrypted, application-level data and "
"decrypt/encrypt it to encrypted, wire-level data. These methods require an "
"active SSL connection, i.e. the handshake was completed and :meth:`SSLSocket."
"unwrap` was not called."
msgstr ""
":meth:`~SSLSocket.read` 和 :meth:`~SSLSocket.write` 方法為低階層的方法，負責"
"讀取和寫入未加密的應用層資料，並將其加密/解密為加密的寫入層資料。這些方法需要"
"一個已建立的 SSL 連接，即握手已完成，且未呼叫 :meth:`SSLSocket.unwrap`。"

#: ../../library/ssl.rst:1159
msgid ""
"Normally you should use the socket API methods like :meth:`~socket.socket."
"recv` and :meth:`~socket.socket.send` instead of these methods."
msgstr ""
"通常你應該使用像 :meth:`~socket.socket.recv` 和 :meth:`~socket.socket.send` "
"這樣的 socket API 方法，而不是直接使用這些方法。"

#: ../../library/ssl.rst:1165
msgid "Perform the SSL setup handshake."
msgstr "執行 SSL 設定握手。"

#: ../../library/ssl.rst:1167
msgid ""
"If *block* is true and the timeout obtained by :meth:`~socket.socket."
"gettimeout` is zero, the socket is set in blocking mode until the handshake "
"is performed."
msgstr ""

#: ../../library/ssl.rst:1170
msgid ""
"The handshake method also performs :func:`!match_hostname` when the :attr:"
"`~SSLContext.check_hostname` attribute of the socket's :attr:`~SSLSocket."
"context` is true."
msgstr ""
"當 socket 的 :attr:`~SSLSocket.context` 的 :attr:`~SSLContext."
"check_hostname` 屬性質為 true 時，握手方法也會執行 :func:`!match_hostname`。"

#: ../../library/ssl.rst:1175
msgid ""
"The socket timeout is no longer reset each time bytes are received or sent. "
"The socket timeout is now the maximum total duration of the handshake."
msgstr ""
"Socket 超時時間已經不會在每次接收或傳送位元組時重置。現在，超時時間是握手過程"
"的最大總持續時間。"

#: ../../library/ssl.rst:1179
msgid ""
"Hostname or IP address is matched by OpenSSL during handshake. The function :"
"func:`!match_hostname` is no longer used. In case OpenSSL refuses a hostname "
"or IP address, the handshake is aborted early and a TLS alert message is "
"sent to the peer."
msgstr ""
"在握手過程中，OpenSSL 會去配對主機名稱或 IP 地址。已不再使用 :func:`!"
"match_hostname` 函式。如果 OpenSSL 拒絕某個主機名稱或 IP 地址，握手將會提前中"
"止，並向對方發送 TLS 警報訊息。"

#: ../../library/ssl.rst:1187
msgid ""
"If there is no certificate for the peer on the other end of the connection, "
"return ``None``.  If the SSL handshake hasn't been done yet, raise :exc:"
"`ValueError`."
msgstr ""
"如果連線端沒有證書，則回傳 ``None``。如果 SSL 握手尚未完成，則引發 :exc:"
"`ValueError`。"

#: ../../library/ssl.rst:1191
msgid ""
"If the ``binary_form`` parameter is :const:`False`, and a certificate was "
"received from the peer, this method returns a :class:`dict` instance.  If "
"the certificate was not validated, the dict is empty.  If the certificate "
"was validated, it returns a dict with several keys, amongst them ``subject`` "
"(the principal for which the certificate was issued) and ``issuer`` (the "
"principal issuing the certificate).  If a certificate contains an instance "
"of the *Subject Alternative Name* extension (see :rfc:`3280`), there will "
"also be a ``subjectAltName`` key in the dictionary."
msgstr ""
"如果 ``binary_form`` 參數為 :const:`False`，且從對等 (peer) 接收到證書，則該"
"方法回傳一個 :class:`dict` 實例。如果證書未被驗證，則該字典為空。若證書已被驗"
"證，則回傳的字典將包含數個鍵值，包括 ``subject`` (證書所簽發的對象) 和 "
"``issuer`` (簽發證書的主體)。如果證書中包含 *Subject Alternative Name* 擴充 "
"(參考\\ :rfc:`3280`\\ )，字典中還會有一個 ``subjectAltName`` 鍵。"

#: ../../library/ssl.rst:1200
msgid ""
"The ``subject`` and ``issuer`` fields are tuples containing the sequence of "
"relative distinguished names (RDNs) given in the certificate's data "
"structure for the respective fields, and each RDN is a sequence of name-"
"value pairs.  Here is a real-world example::"
msgstr ""
"``subject`` 和 ``issuer`` 欄位欄位是包含相對識別名稱 (relative distinguished "
"names, RDNs) 序列的元組，這些 RDN 來自證書資料結構中的相應欄位。每個 RDN 都是"
"一組名稱與值的對。以下是現實中的範例： ::"

#: ../../library/ssl.rst:1205
msgid ""
"{'issuer': ((('countryName', 'IL'),),\n"
"            (('organizationName', 'StartCom Ltd.'),),\n"
"            (('organizationalUnitName',\n"
"              'Secure Digital Certificate Signing'),),\n"
"            (('commonName',\n"
"              'StartCom Class 2 Primary Intermediate Server CA'),)),\n"
" 'notAfter': 'Nov 22 08:15:19 2013 GMT',\n"
" 'notBefore': 'Nov 21 03:09:52 2011 GMT',\n"
" 'serialNumber': '95F0',\n"
" 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),\n"
"             (('countryName', 'US'),),\n"
"             (('stateOrProvinceName', 'California'),),\n"
"             (('localityName', 'San Francisco'),),\n"
"             (('organizationName', 'Electronic Frontier Foundation, "
"Inc.'),),\n"
"             (('commonName', '*.eff.org'),),\n"
"             (('emailAddress', 'hostmaster@eff.org'),)),\n"
" 'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),\n"
" 'version': 3}"
msgstr ""
"{'issuer': ((('countryName', 'IL'),),\n"
"            (('organizationName', 'StartCom Ltd.'),),\n"
"            (('organizationalUnitName',\n"
"              'Secure Digital Certificate Signing'),),\n"
"            (('commonName',\n"
"              'StartCom Class 2 Primary Intermediate Server CA'),)),\n"
" 'notAfter': 'Nov 22 08:15:19 2013 GMT',\n"
" 'notBefore': 'Nov 21 03:09:52 2011 GMT',\n"
" 'serialNumber': '95F0',\n"
" 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),\n"
"             (('countryName', 'US'),),\n"
"             (('stateOrProvinceName', 'California'),),\n"
"             (('localityName', 'San Francisco'),),\n"
"             (('organizationName', 'Electronic Frontier Foundation, "
"Inc.'),),\n"
"             (('commonName', '*.eff.org'),),\n"
"             (('emailAddress', 'hostmaster@eff.org'),)),\n"
" 'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),\n"
" 'version': 3}"

#: ../../library/ssl.rst:1224
msgid ""
"If the ``binary_form`` parameter is :const:`True`, and a certificate was "
"provided, this method returns the DER-encoded form of the entire certificate "
"as a sequence of bytes, or :const:`None` if the peer did not provide a "
"certificate.  Whether the peer provides a certificate depends on the SSL "
"socket's role:"
msgstr ""
"如果 ``binary_form`` 參數設定為 :const:`True`，且對等提供了證書，則該方法會"
"以 DER 編碼形式 將整個證書以位元組序列形式回傳。如果對等未提供證書，則回傳 :"
"const:`None`。對等是否提供證書取決於 SSL socket 的腳色："

#: ../../library/ssl.rst:1230
msgid ""
"for a client SSL socket, the server will always provide a certificate, "
"regardless of whether validation was required;"
msgstr "對於用戶端 SSL socket，伺服器將永遠提供證書，無論是否需要進行驗證；"

#: ../../library/ssl.rst:1233
msgid ""
"for a server SSL socket, the client will only provide a certificate when "
"requested by the server; therefore :meth:`getpeercert` will return :const:"
"`None` if you used :const:`CERT_NONE` (rather than :const:`CERT_OPTIONAL` "
"or :const:`CERT_REQUIRED`)."
msgstr ""
"對於伺服器 SSL socket，用戶端僅在伺服器要求時才會提供證書；因此，如果你使用的"
"是 :const:`CERT_NONE` (而非 :const:`CERT_OPTIONAL` 或 :const:"
"`CERT_REQUIRED`)，則 :meth:`getpeercert` 會回傳 :const:`None`。"

#: ../../library/ssl.rst:1238
msgid "See also :attr:`SSLContext.check_hostname`."
msgstr "請見 :attr:`SSLContext.check_hostname`。"

#: ../../library/ssl.rst:1240
msgid ""
"The returned dictionary includes additional items such as ``issuer`` and "
"``notBefore``."
msgstr ""

#: ../../library/ssl.rst:1244
msgid ""
":exc:`ValueError` is raised when the handshake isn't done. The returned "
"dictionary includes additional X509v3 extension items   such as "
"``crlDistributionPoints``, ``caIssuers`` and ``OCSP`` URIs."
msgstr ""

#: ../../library/ssl.rst:1249
msgid "IPv6 address strings no longer have a trailing new line."
msgstr ""

#: ../../library/ssl.rst:1254
msgid ""
"Returns verified certificate chain provided by the other end of the SSL "
"channel as a list of DER-encoded bytes. If certificate verification was "
"disabled method acts the same as :meth:`~SSLSocket.get_unverified_chain`."
msgstr ""

#: ../../library/ssl.rst:1263
msgid ""
"Returns raw certificate chain provided by the other end of the SSL channel "
"as a list of DER-encoded bytes."
msgstr ""

#: ../../library/ssl.rst:1270
msgid ""
"Returns a three-value tuple containing the name of the cipher being used, "
"the version of the SSL protocol that defines its use, and the number of "
"secret bits being used.  If no connection has been established, returns "
"``None``."
msgstr ""

#: ../../library/ssl.rst:1276
msgid ""
"Return the list of ciphers available in both the client and server.  Each "
"entry of the returned list is a three-value tuple containing the name of the "
"cipher, the version of the SSL protocol that defines its use, and the number "
"of secret bits the cipher uses.  :meth:`~SSLSocket.shared_ciphers` returns "
"``None`` if no connection has been established or the socket is a client "
"socket."
msgstr ""

#: ../../library/ssl.rst:1287
msgid ""
"Return the compression algorithm being used as a string, or ``None`` if the "
"connection isn't compressed."
msgstr ""

#: ../../library/ssl.rst:1290
msgid ""
"If the higher-level protocol supports its own compression mechanism, you can "
"use :data:`OP_NO_COMPRESSION` to disable SSL-level compression."
msgstr ""

#: ../../library/ssl.rst:1297
msgid ""
"Get channel binding data for current connection, as a bytes object.  Returns "
"``None`` if not connected or the handshake has not been completed."
msgstr ""

#: ../../library/ssl.rst:1300
msgid ""
"The *cb_type* parameter allow selection of the desired channel binding type. "
"Valid channel binding types are listed in the :data:`CHANNEL_BINDING_TYPES` "
"list.  Currently only the 'tls-unique' channel binding, defined by :rfc:"
"`5929`, is supported.  :exc:`ValueError` will be raised if an unsupported "
"channel binding type is requested."
msgstr ""

#: ../../library/ssl.rst:1310
msgid ""
"Return the protocol that was selected during the TLS handshake.  If :meth:"
"`SSLContext.set_alpn_protocols` was not called, if the other party does not "
"support ALPN, if this socket does not support any of the client's proposed "
"protocols, or if the handshake has not happened yet, ``None`` is returned."
msgstr ""

#: ../../library/ssl.rst:1320
msgid ""
"Return the higher-level protocol that was selected during the TLS/SSL "
"handshake. If :meth:`SSLContext.set_npn_protocols` was not called, or if the "
"other party does not support NPN, or if the handshake has not yet happened, "
"this will return ``None``."
msgstr ""

#: ../../library/ssl.rst:1329 ../../library/ssl.rst:1698
msgid "NPN has been superseded by ALPN"
msgstr ""

#: ../../library/ssl.rst:1333
msgid ""
"Performs the SSL shutdown handshake, which removes the TLS layer from the "
"underlying socket, and returns the underlying socket object.  This can be "
"used to go from encrypted operation over a connection to unencrypted.  The "
"returned socket should always be used for further communication with the "
"other side of the connection, rather than the original socket."
msgstr ""

#: ../../library/ssl.rst:1341
msgid ""
"Requests post-handshake authentication (PHA) from a TLS 1.3 client. PHA can "
"only be initiated for a TLS 1.3 connection from a server-side socket, after "
"the initial TLS handshake and with PHA enabled on both sides, see :attr:"
"`SSLContext.post_handshake_auth`."
msgstr ""

#: ../../library/ssl.rst:1346
msgid ""
"The method does not perform a cert exchange immediately. The server-side "
"sends a CertificateRequest during the next write event and expects the "
"client to respond with a certificate on the next read event."
msgstr ""

#: ../../library/ssl.rst:1350
msgid ""
"If any precondition isn't met (e.g. not TLS 1.3, PHA not enabled), an :exc:"
"`SSLError` is raised."
msgstr ""

#: ../../library/ssl.rst:1354
msgid ""
"Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3 "
"support, the method raises :exc:`NotImplementedError`."
msgstr ""

#: ../../library/ssl.rst:1361
msgid ""
"Return the actual SSL protocol version negotiated by the connection as a "
"string, or ``None`` if no secure connection is established. As of this "
"writing, possible return values include ``\"SSLv2\"``, ``\"SSLv3\"``, "
"``\"TLSv1\"``, ``\"TLSv1.1\"`` and ``\"TLSv1.2\"``. Recent OpenSSL versions "
"may define more return values."
msgstr ""

#: ../../library/ssl.rst:1371
msgid ""
"Returns the number of already decrypted bytes available for read, pending on "
"the connection."
msgstr ""

#: ../../library/ssl.rst:1376
msgid "The :class:`SSLContext` object this SSL socket is tied to."
msgstr ""

#: ../../library/ssl.rst:1382
msgid ""
"A boolean which is ``True`` for server-side sockets and ``False`` for client-"
"side sockets."
msgstr ""

#: ../../library/ssl.rst:1389
msgid ""
"Hostname of the server: :class:`str` type, or ``None`` for server-side "
"socket or if the hostname was not specified in the constructor."
msgstr ""

#: ../../library/ssl.rst:1394
msgid ""
"The attribute is now always ASCII text. When ``server_hostname`` is an "
"internationalized domain name (IDN), this attribute now stores the A-label "
"form (``\"xn--pythn-mua.org\"``), rather than the U-label form (``\"pythön."
"org\"``)."
msgstr ""

#: ../../library/ssl.rst:1402
msgid ""
"The :class:`SSLSession` for this SSL connection. The session is available "
"for client and server side sockets after the TLS handshake has been "
"performed. For client sockets the session can be set before :meth:"
"`~SSLSocket.do_handshake` has been called to reuse a session."
msgstr ""

#: ../../library/ssl.rst:1415
msgid "SSL Contexts"
msgstr ""

#: ../../library/ssl.rst:1419
msgid ""
"An SSL context holds various data longer-lived than single SSL connections, "
"such as SSL configuration options, certificate(s) and private key(s). It "
"also manages a cache of SSL sessions for server-side sockets, in order to "
"speed up repeated connections from the same clients."
msgstr ""

#: ../../library/ssl.rst:1426
msgid ""
"Create a new SSL context.  You may pass *protocol* which must be one of the "
"``PROTOCOL_*`` constants defined in this module.  The parameter specifies "
"which version of the SSL protocol to use.  Typically, the server chooses a "
"particular protocol version, and the client must adapt to the server's "
"choice.  Most of the versions are not interoperable with the other "
"versions.  If not specified, the default is :data:`PROTOCOL_TLS`; it "
"provides the most compatibility with other versions."
msgstr ""

#: ../../library/ssl.rst:1435
msgid ""
"Here's a table showing which versions in a client (down the side) can "
"connect to which versions in a server (along the top):"
msgstr ""

#: ../../library/ssl.rst:1441
msgid "*client* / **server**"
msgstr "*client* / **server**"

#: ../../library/ssl.rst:1441
msgid "**SSLv2**"
msgstr "**SSLv2**"

#: ../../library/ssl.rst:1441
msgid "**SSLv3**"
msgstr "**SSLv3**"

#: ../../library/ssl.rst:1441
msgid "**TLS** [3]_"
msgstr "**TLS** [3]_"

#: ../../library/ssl.rst:1441
msgid "**TLSv1**"
msgstr "**TLSv1**"

#: ../../library/ssl.rst:1441
msgid "**TLSv1.1**"
msgstr "**TLSv1.1**"

#: ../../library/ssl.rst:1441
msgid "**TLSv1.2**"
msgstr "**TLSv1.2**"

#: ../../library/ssl.rst:1443
msgid "*SSLv2*"
msgstr "*SSLv2*"

#: ../../library/ssl.rst:1443 ../../library/ssl.rst:1444
#: ../../library/ssl.rst:1445 ../../library/ssl.rst:1446
#: ../../library/ssl.rst:1447 ../../library/ssl.rst:1448
msgid "yes"
msgstr ""

#: ../../library/ssl.rst:1443 ../../library/ssl.rst:1444
#: ../../library/ssl.rst:1446 ../../library/ssl.rst:1447
#: ../../library/ssl.rst:1448
msgid "no"
msgstr ""

#: ../../library/ssl.rst:1443 ../../library/ssl.rst:1445
msgid "no [1]_"
msgstr ""

#: ../../library/ssl.rst:1444
msgid "*SSLv3*"
msgstr "*SSLv3*"

#: ../../library/ssl.rst:1444 ../../library/ssl.rst:1445
msgid "no [2]_"
msgstr ""

#: ../../library/ssl.rst:1445
msgid "*TLS* (*SSLv23*) [3]_"
msgstr "*TLS* (*SSLv23*) [3]_"

#: ../../library/ssl.rst:1446
msgid "*TLSv1*"
msgstr "*TLSv1*"

#: ../../library/ssl.rst:1447
msgid "*TLSv1.1*"
msgstr "*TLSv1.1*"

#: ../../library/ssl.rst:1448
msgid "*TLSv1.2*"
msgstr "*TLSv1.2*"

#: ../../library/ssl.rst:1451
msgid "Footnotes"
msgstr "註腳"

#: ../../library/ssl.rst:1452
msgid ":class:`SSLContext` disables SSLv2 with :data:`OP_NO_SSLv2` by default."
msgstr ":class:`SSLContext` 預設會關閉 SSLv2 的 :data:`OP_NO_SSLv2`。"

#: ../../library/ssl.rst:1453
msgid ":class:`SSLContext` disables SSLv3 with :data:`OP_NO_SSLv3` by default."
msgstr ":class:`SSLContext` 預設會關閉 SSLv3 的 :data:`OP_NO_SSLv3`。"

#: ../../library/ssl.rst:1454
msgid ""
"TLS 1.3 protocol will be available with :data:`PROTOCOL_TLS` in OpenSSL >= "
"1.1.1. There is no dedicated PROTOCOL constant for just TLS 1.3."
msgstr ""

#: ../../library/ssl.rst:1459
msgid ""
":func:`create_default_context` lets the :mod:`ssl` module choose security "
"settings for a given purpose."
msgstr ""

#: ../../library/ssl.rst:1464
msgid ""
"The context is created with secure default values. The options :data:"
"`OP_NO_COMPRESSION`, :data:`OP_CIPHER_SERVER_PREFERENCE`, :data:"
"`OP_SINGLE_DH_USE`, :data:`OP_SINGLE_ECDH_USE`, :data:`OP_NO_SSLv2`, and :"
"data:`OP_NO_SSLv3` (except for :data:`PROTOCOL_SSLv3`) are set by default. "
"The initial cipher suite list contains only ``HIGH`` ciphers, no ``NULL`` "
"ciphers and no ``MD5`` ciphers."
msgstr ""

#: ../../library/ssl.rst:1474
msgid ""
":class:`SSLContext` without protocol argument is deprecated. The context "
"class will either require :data:`PROTOCOL_TLS_CLIENT` or :data:"
"`PROTOCOL_TLS_SERVER` protocol in the future."
msgstr ""

#: ../../library/ssl.rst:1480
msgid ""
"The default cipher suites now include only secure AES and ChaCha20 ciphers "
"with forward secrecy and security level 2. RSA and DH keys with less than "
"2048 bits and ECC keys with less than 224 bits are prohibited. :data:"
"`PROTOCOL_TLS`, :data:`PROTOCOL_TLS_CLIENT`, and :data:`PROTOCOL_TLS_SERVER` "
"use TLS 1.2 as minimum TLS version."
msgstr ""

#: ../../library/ssl.rst:1488
msgid ""
":class:`SSLContext` only supports limited mutation once it has been used by "
"a connection. Adding new certificates to the internal trust store is "
"allowed, but changing ciphers, verification settings, or mTLS certificates "
"may result in surprising behavior."
msgstr ""

#: ../../library/ssl.rst:1495
msgid ""
":class:`SSLContext` is designed to be shared and used by multiple "
"connections. Thus, it is thread-safe as long as it is not reconfigured after "
"being used by a connection."
msgstr ""

#: ../../library/ssl.rst:1500
msgid ":class:`SSLContext` objects have the following methods and attributes:"
msgstr ":class:`SSLContext` 物件具有以下方法和屬性："

#: ../../library/ssl.rst:1504
msgid ""
"Get statistics about quantities of loaded X.509 certificates, count of X.509 "
"certificates flagged as CA certificates and certificate revocation lists as "
"dictionary."
msgstr ""

#: ../../library/ssl.rst:1508
msgid "Example for a context with one CA cert and one other cert::"
msgstr ""

#: ../../library/ssl.rst:1510
msgid ""
">>> context.cert_store_stats()\n"
"{'crl': 0, 'x509_ca': 1, 'x509': 2}"
msgstr ""
">>> context.cert_store_stats()\n"
"{'crl': 0, 'x509_ca': 1, 'x509': 2}"

#: ../../library/ssl.rst:1518
msgid ""
"Load a private key and the corresponding certificate.  The *certfile* string "
"must be the path to a single file in PEM format containing the certificate "
"as well as any number of CA certificates needed to establish the "
"certificate's authenticity.  The *keyfile* string, if present, must point to "
"a file containing the private key.  Otherwise the private key will be taken "
"from *certfile* as well.  See the discussion of :ref:`ssl-certificates` for "
"more information on how the certificate is stored in the *certfile*."
msgstr ""

#: ../../library/ssl.rst:1527
msgid ""
"The *password* argument may be a function to call to get the password for "
"decrypting the private key.  It will only be called if the private key is "
"encrypted and a password is necessary.  It will be called with no arguments, "
"and it should return a string, bytes, or bytearray.  If the return value is "
"a string it will be encoded as UTF-8 before using it to decrypt the key. "
"Alternatively a string, bytes, or bytearray value may be supplied directly "
"as the *password* argument.  It will be ignored if the private key is not "
"encrypted and no password is needed."
msgstr ""

#: ../../library/ssl.rst:1536
msgid ""
"If the *password* argument is not specified and a password is required, "
"OpenSSL's built-in password prompting mechanism will be used to "
"interactively prompt the user for a password."
msgstr ""

#: ../../library/ssl.rst:1540
msgid ""
"An :class:`SSLError` is raised if the private key doesn't match with the "
"certificate."
msgstr ""

#: ../../library/ssl.rst:1543
msgid "New optional argument *password*."
msgstr "新增可選引數 *password*。"

#: ../../library/ssl.rst:1548
msgid ""
"Load a set of default \"certification authority\" (CA) certificates from "
"default locations. On Windows it loads CA certs from the ``CA`` and ``ROOT`` "
"system stores. On all systems it calls :meth:`SSLContext."
"set_default_verify_paths`. In the future the method may load CA certificates "
"from other locations, too."
msgstr ""

#: ../../library/ssl.rst:1554
msgid ""
"The *purpose* flag specifies what kind of CA certificates are loaded. The "
"default settings :const:`Purpose.SERVER_AUTH` loads certificates, that are "
"flagged and trusted for TLS web server authentication (client side "
"sockets). :const:`Purpose.CLIENT_AUTH` loads CA certificates for client "
"certificate verification on the server side."
msgstr ""

#: ../../library/ssl.rst:1564
msgid ""
"Load a set of \"certification authority\" (CA) certificates used to validate "
"other peers' certificates when :data:`verify_mode` is other than :data:"
"`CERT_NONE`.  At least one of *cafile* or *capath* must be specified."
msgstr ""

#: ../../library/ssl.rst:1568
msgid ""
"This method can also load certification revocation lists (CRLs) in PEM or "
"DER format. In order to make use of CRLs, :attr:`SSLContext.verify_flags` "
"must be configured properly."
msgstr ""

#: ../../library/ssl.rst:1572
msgid ""
"The *cafile* string, if present, is the path to a file of concatenated CA "
"certificates in PEM format. See the discussion of :ref:`ssl-certificates` "
"for more information about how to arrange the certificates in this file."
msgstr ""

#: ../../library/ssl.rst:1577
msgid ""
"The *capath* string, if present, is the path to a directory containing "
"several CA certificates in PEM format, following an `OpenSSL specific layout "
"<https://docs.openssl.org/master/man3/SSL_CTX_load_verify_locations/>`_."
msgstr ""

#: ../../library/ssl.rst:1582
msgid ""
"The *cadata* object, if present, is either an ASCII string of one or more "
"PEM-encoded certificates or a :term:`bytes-like object` of DER-encoded "
"certificates. Like with *capath* extra lines around PEM-encoded certificates "
"are ignored but at least one certificate must be present."
msgstr ""

#: ../../library/ssl.rst:1587
msgid "New optional argument *cadata*"
msgstr "新增可選引數 *cadata*"

#: ../../library/ssl.rst:1592
msgid ""
"Get a list of loaded \"certification authority\" (CA) certificates. If the "
"``binary_form`` parameter is :const:`False` each list entry is a dict like "
"the output of :meth:`SSLSocket.getpeercert`. Otherwise the method returns a "
"list of DER-encoded certificates. The returned list does not contain "
"certificates from *capath* unless a certificate was requested and loaded by "
"a SSL connection."
msgstr ""

#: ../../library/ssl.rst:1600
msgid ""
"Certificates in a capath directory aren't loaded unless they have been used "
"at least once."
msgstr ""

#: ../../library/ssl.rst:1607
msgid ""
"Get a list of enabled ciphers. The list is in order of cipher priority. See :"
"meth:`SSLContext.set_ciphers`."
msgstr ""

#: ../../library/ssl.rst:1612
msgid ""
">>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)\n"
">>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')\n"
">>> ctx.get_ciphers()\n"
"[{'aead': True,\n"
"  'alg_bits': 256,\n"
"  'auth': 'auth-rsa',\n"
"  'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  '\n"
"                 'Enc=AESGCM(256) Mac=AEAD',\n"
"  'digest': None,\n"
"  'id': 50380848,\n"
"  'kea': 'kx-ecdhe',\n"
"  'name': 'ECDHE-RSA-AES256-GCM-SHA384',\n"
"  'protocol': 'TLSv1.2',\n"
"  'strength_bits': 256,\n"
"  'symmetric': 'aes-256-gcm'},\n"
" {'aead': True,\n"
"  'alg_bits': 128,\n"
"  'auth': 'auth-rsa',\n"
"  'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '\n"
"                 'Enc=AESGCM(128) Mac=AEAD',\n"
"  'digest': None,\n"
"  'id': 50380847,\n"
"  'kea': 'kx-ecdhe',\n"
"  'name': 'ECDHE-RSA-AES128-GCM-SHA256',\n"
"  'protocol': 'TLSv1.2',\n"
"  'strength_bits': 128,\n"
"  'symmetric': 'aes-128-gcm'}]"
msgstr ""
">>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)\n"
">>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')\n"
">>> ctx.get_ciphers()\n"
"[{'aead': True,\n"
"  'alg_bits': 256,\n"
"  'auth': 'auth-rsa',\n"
"  'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  '\n"
"                 'Enc=AESGCM(256) Mac=AEAD',\n"
"  'digest': None,\n"
"  'id': 50380848,\n"
"  'kea': 'kx-ecdhe',\n"
"  'name': 'ECDHE-RSA-AES256-GCM-SHA384',\n"
"  'protocol': 'TLSv1.2',\n"
"  'strength_bits': 256,\n"
"  'symmetric': 'aes-256-gcm'},\n"
" {'aead': True,\n"
"  'alg_bits': 128,\n"
"  'auth': 'auth-rsa',\n"
"  'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '\n"
"                 'Enc=AESGCM(128) Mac=AEAD',\n"
"  'digest': None,\n"
"  'id': 50380847,\n"
"  'kea': 'kx-ecdhe',\n"
"  'name': 'ECDHE-RSA-AES128-GCM-SHA256',\n"
"  'protocol': 'TLSv1.2',\n"
"  'strength_bits': 128,\n"
"  'symmetric': 'aes-128-gcm'}]"

#: ../../library/ssl.rst:1644
msgid ""
"Load a set of default \"certification authority\" (CA) certificates from a "
"filesystem path defined when building the OpenSSL library.  Unfortunately, "
"there's no easy way to know whether this method succeeds: no error is "
"returned if no certificates are to be found.  When the OpenSSL library is "
"provided as part of the operating system, though, it is likely to be "
"configured properly."
msgstr ""

#: ../../library/ssl.rst:1653
msgid ""
"Set the available ciphers for sockets created with this context. It should "
"be a string in the `OpenSSL cipher list format <https://docs.openssl.org/"
"master/man1/ciphers/>`_. If no cipher can be selected (because compile-time "
"options or other configuration forbids use of all the specified ciphers), "
"an :class:`SSLError` will be raised."
msgstr ""

#: ../../library/ssl.rst:1661
msgid ""
"when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will give "
"the currently selected cipher."
msgstr ""

#: ../../library/ssl.rst:1664
msgid ""
"TLS 1.3 cipher suites cannot be disabled with :meth:`~SSLContext."
"set_ciphers`."
msgstr ""

#: ../../library/ssl.rst:1669
msgid ""
"Specify which protocols the socket should advertise during the SSL/TLS "
"handshake. It should be a list of ASCII strings, like ``['http/1.1', "
"'spdy/2']``, ordered by preference. The selection of a protocol will happen "
"during the handshake, and will play out according to :rfc:`7301`. After a "
"successful handshake, the :meth:`SSLSocket.selected_alpn_protocol` method "
"will return the agreed-upon protocol."
msgstr ""

#: ../../library/ssl.rst:1676
msgid ""
"This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is "
"``False``."
msgstr ""
"此方法會在 :data:`HAS_ALPN` 為 ``False`` 時引發 :exc:`NotImplementedError`。"

#: ../../library/ssl.rst:1683
msgid ""
"Specify which protocols the socket should advertise during the SSL/TLS "
"handshake. It should be a list of strings, like ``['http/1.1', 'spdy/2']``, "
"ordered by preference. The selection of a protocol will happen during the "
"handshake, and will play out according to the `Application Layer Protocol "
"Negotiation <https://en.wikipedia.org/wiki/Application-"
"Layer_Protocol_Negotiation>`_. After a successful handshake, the :meth:"
"`SSLSocket.selected_npn_protocol` method will return the agreed-upon "
"protocol."
msgstr ""

#: ../../library/ssl.rst:1691
msgid ""
"This method will raise :exc:`NotImplementedError` if :data:`HAS_NPN` is "
"``False``."
msgstr ""
"此方法會在 :data:`HAS_NPN` 為 ``False`` 時引發 :exc:`NotImplementedError`。"

#: ../../library/ssl.rst:1702
msgid ""
"Register a callback function that will be called after the TLS Client Hello "
"handshake message has been received by the SSL/TLS server when the TLS "
"client specifies a server name indication. The server name indication "
"mechanism is specified in :rfc:`6066` section 3 - Server Name Indication."
msgstr ""

#: ../../library/ssl.rst:1707
msgid ""
"Only one callback can be set per ``SSLContext``.  If *sni_callback* is set "
"to ``None`` then the callback is disabled. Calling this function a "
"subsequent time will disable the previously registered callback."
msgstr ""

#: ../../library/ssl.rst:1711
msgid ""
"The callback function will be called with three arguments; the first being "
"the :class:`ssl.SSLSocket`, the second is a string that represents the "
"server name that the client is intending to communicate (or :const:`None` if "
"the TLS Client Hello does not contain a server name) and the third argument "
"is the original :class:`SSLContext`. The server name argument is text. For "
"internationalized domain name, the server name is an IDN A-label (``\"xn--"
"pythn-mua.org\"``)."
msgstr ""

#: ../../library/ssl.rst:1719
msgid ""
"A typical use of this callback is to change the :class:`ssl.SSLSocket`'s :"
"attr:`SSLSocket.context` attribute to a new object of type :class:"
"`SSLContext` representing a certificate chain that matches the server name."
msgstr ""

#: ../../library/ssl.rst:1724
msgid ""
"Due to the early negotiation phase of the TLS connection, only limited "
"methods and attributes are usable like :meth:`SSLSocket."
"selected_alpn_protocol` and :attr:`SSLSocket.context`. The :meth:`SSLSocket."
"getpeercert`, :meth:`SSLSocket.get_verified_chain`, :meth:`SSLSocket."
"get_unverified_chain` :meth:`SSLSocket.cipher` and :meth:`SSLSocket."
"compression` methods require that the TLS connection has progressed beyond "
"the TLS Client Hello and therefore will not return meaningful values nor can "
"they be called safely."
msgstr ""

#: ../../library/ssl.rst:1733
msgid ""
"The *sni_callback* function must return ``None`` to allow the TLS "
"negotiation to continue.  If a TLS failure is required, a constant :const:"
"`ALERT_DESCRIPTION_* <ALERT_DESCRIPTION_INTERNAL_ERROR>` can be returned.  "
"Other return values will result in a TLS fatal error with :const:"
"`ALERT_DESCRIPTION_INTERNAL_ERROR`."
msgstr ""

#: ../../library/ssl.rst:1739
msgid ""
"If an exception is raised from the *sni_callback* function the TLS "
"connection will terminate with a fatal TLS alert message :const:"
"`ALERT_DESCRIPTION_HANDSHAKE_FAILURE`."
msgstr ""

#: ../../library/ssl.rst:1743
msgid ""
"This method will raise :exc:`NotImplementedError` if the OpenSSL library had "
"OPENSSL_NO_TLSEXT defined when it was built."
msgstr ""

#: ../../library/ssl.rst:1750
msgid ""
"This is a legacy API retained for backwards compatibility. When possible, "
"you should use :attr:`sni_callback` instead. The given "
"*server_name_callback* is similar to *sni_callback*, except that when the "
"server hostname is an IDN-encoded internationalized domain name, the "
"*server_name_callback* receives a decoded U-label (``\"pythön.org\"``)."
msgstr ""

#: ../../library/ssl.rst:1756
msgid ""
"If there is a decoding error on the server name, the TLS connection will "
"terminate with an :const:`ALERT_DESCRIPTION_INTERNAL_ERROR` fatal TLS alert "
"message to the client."
msgstr ""

#: ../../library/ssl.rst:1764
msgid ""
"Load the key generation parameters for Diffie-Hellman (DH) key exchange. "
"Using DH key exchange improves forward secrecy at the expense of "
"computational resources (both on the server and on the client). The *dhfile* "
"parameter should be the path to a file containing DH parameters in PEM "
"format."
msgstr ""

#: ../../library/ssl.rst:1770
msgid ""
"This setting doesn't apply to client sockets.  You can also use the :data:"
"`OP_SINGLE_DH_USE` option to further improve security."
msgstr ""

#: ../../library/ssl.rst:1777
msgid ""
"Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key "
"exchange.  ECDH is significantly faster than regular DH while arguably as "
"secure.  The *curve_name* parameter should be a string describing a well-"
"known elliptic curve, for example ``prime256v1`` for a widely supported "
"curve."
msgstr ""

#: ../../library/ssl.rst:1783
msgid ""
"This setting doesn't apply to client sockets.  You can also use the :data:"
"`OP_SINGLE_ECDH_USE` option to further improve security."
msgstr ""

#: ../../library/ssl.rst:1786
msgid "This method is not available if :data:`HAS_ECDH` is ``False``."
msgstr "此方法在 :data:`HAS_ECDH` 為 ``False`` 時不可用。"

#: ../../library/ssl.rst:1791
msgid ""
"`SSL/TLS & Perfect Forward Secrecy <https://vincent.bernat.ch/en/blog/2011-"
"ssl-perfect-forward-secrecy>`_"
msgstr ""

#: ../../library/ssl.rst:1792
msgid "Vincent Bernat."
msgstr ""

#: ../../library/ssl.rst:1798
msgid ""
"Wrap an existing Python socket *sock* and return an instance of :attr:"
"`SSLContext.sslsocket_class` (default :class:`SSLSocket`). The returned SSL "
"socket is tied to the context, its settings and certificates. *sock* must be "
"a :const:`~socket.SOCK_STREAM` socket; other socket types are unsupported."
msgstr ""

#: ../../library/ssl.rst:1804
msgid ""
"The parameter ``server_side`` is a boolean which identifies whether server-"
"side or client-side behavior is desired from this socket."
msgstr ""

#: ../../library/ssl.rst:1807
msgid ""
"For client-side sockets, the context construction is lazy; if the underlying "
"socket isn't connected yet, the context construction will be performed "
"after :meth:`connect` is called on the socket.  For server-side sockets, if "
"the socket has no remote peer, it is assumed to be a listening socket, and "
"the server-side SSL wrapping is automatically performed on client "
"connections accepted via the :meth:`accept` method. The method may raise :"
"exc:`SSLError`."
msgstr ""

#: ../../library/ssl.rst:1815
msgid ""
"On client connections, the optional parameter *server_hostname* specifies "
"the hostname of the service which we are connecting to.  This allows a "
"single server to host multiple SSL-based services with distinct "
"certificates, quite similarly to HTTP virtual hosts. Specifying "
"*server_hostname* will raise a :exc:`ValueError` if *server_side* is true."
msgstr ""

#: ../../library/ssl.rst:1821
msgid ""
"The parameter ``do_handshake_on_connect`` specifies whether to do the SSL "
"handshake automatically after doing a :meth:`socket.connect`, or whether the "
"application program will call it explicitly, by invoking the :meth:"
"`SSLSocket.do_handshake` method.  Calling :meth:`SSLSocket.do_handshake` "
"explicitly gives the program control over the blocking behavior of the "
"socket I/O involved in the handshake."
msgstr ""

#: ../../library/ssl.rst:1828
msgid ""
"The parameter ``suppress_ragged_eofs`` specifies how the :meth:`SSLSocket."
"recv` method should signal unexpected EOF from the other end of the "
"connection.  If specified as :const:`True` (the default), it returns a "
"normal EOF (an empty bytes object) in response to unexpected EOF errors "
"raised from the underlying socket; if :const:`False`, it will raise the "
"exceptions back to the caller."
msgstr ""

#: ../../library/ssl.rst:1835
msgid "*session*, see :attr:`~SSLSocket.session`."
msgstr ""

#: ../../library/ssl.rst:1837
msgid ""
"To wrap an :class:`SSLSocket` in another :class:`SSLSocket`, use :meth:"
"`SSLContext.wrap_bio`."
msgstr ""

#: ../../library/ssl.rst:1840
msgid ""
"Always allow a server_hostname to be passed, even if OpenSSL does not have "
"SNI."
msgstr ""

#: ../../library/ssl.rst:1844 ../../library/ssl.rst:1871
msgid "*session* argument was added."
msgstr "新增 *session* 引數。"

#: ../../library/ssl.rst:1847
msgid ""
"The method returns an instance of :attr:`SSLContext.sslsocket_class` instead "
"of hard-coded :class:`SSLSocket`."
msgstr ""

#: ../../library/ssl.rst:1853
msgid ""
"The return type of :meth:`SSLContext.wrap_socket`, defaults to :class:"
"`SSLSocket`. The attribute can be assigned to on instances of :class:"
"`SSLContext` in order to return a custom subclass of :class:`SSLSocket`."
msgstr ""

#: ../../library/ssl.rst:1863
msgid ""
"Wrap the BIO objects *incoming* and *outgoing* and return an instance of :"
"attr:`SSLContext.sslobject_class` (default :class:`SSLObject`). The SSL "
"routines will read input data from the incoming BIO and write data to the "
"outgoing BIO."
msgstr ""

#: ../../library/ssl.rst:1868
msgid ""
"The *server_side*, *server_hostname* and *session* parameters have the same "
"meaning as in :meth:`SSLContext.wrap_socket`."
msgstr ""

#: ../../library/ssl.rst:1874
msgid ""
"The method returns an instance of :attr:`SSLContext.sslobject_class` instead "
"of hard-coded :class:`SSLObject`."
msgstr ""

#: ../../library/ssl.rst:1880
msgid ""
"The return type of :meth:`SSLContext.wrap_bio`, defaults to :class:"
"`SSLObject`. The attribute can be overridden on instance of class in order "
"to return a custom subclass of :class:`SSLObject`."
msgstr ""

#: ../../library/ssl.rst:1888
msgid ""
"Get statistics about the SSL sessions created or managed by this context. A "
"dictionary is returned which maps the names of each `piece of information "
"<https://docs.openssl.org/1.1.1/man3/SSL_CTX_sess_number/>`_ to their "
"numeric values.  For example, here is the total number of hits and misses in "
"the session cache since the context was created::"
msgstr ""

#: ../../library/ssl.rst:1893
msgid ""
">>> stats = context.session_stats()\n"
">>> stats['hits'], stats['misses']\n"
"(0, 0)"
msgstr ""
">>> stats = context.session_stats()\n"
">>> stats['hits'], stats['misses']\n"
"(0, 0)"

#: ../../library/ssl.rst:1899
msgid ""
"Whether to match the peer cert's hostname in :meth:`SSLSocket.do_handshake`. "
"The context's :attr:`~SSLContext.verify_mode` must be set to :data:"
"`CERT_OPTIONAL` or :data:`CERT_REQUIRED`, and you must pass "
"*server_hostname* to :meth:`~SSLContext.wrap_socket` in order to match the "
"hostname.  Enabling hostname checking automatically sets :attr:`~SSLContext."
"verify_mode` from :data:`CERT_NONE` to :data:`CERT_REQUIRED`.  It cannot be "
"set back to :data:`CERT_NONE` as long as hostname checking is enabled. The :"
"data:`PROTOCOL_TLS_CLIENT` protocol enables hostname checking by default. "
"With other protocols, hostname checking must be enabled explicitly."
msgstr ""

#: ../../library/ssl.rst:1912
msgid ""
"import socket, ssl\n"
"\n"
"context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)\n"
"context.verify_mode = ssl.CERT_REQUIRED\n"
"context.check_hostname = True\n"
"context.load_default_certs()\n"
"\n"
"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n"
"ssl_sock = context.wrap_socket(s, server_hostname='www.verisign.com')\n"
"ssl_sock.connect(('www.verisign.com', 443))"
msgstr ""
"import socket, ssl\n"
"\n"
"context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)\n"
"context.verify_mode = ssl.CERT_REQUIRED\n"
"context.check_hostname = True\n"
"context.load_default_certs()\n"
"\n"
"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n"
"ssl_sock = context.wrap_socket(s, server_hostname='www.verisign.com')\n"
"ssl_sock.connect(('www.verisign.com', 443))"

#: ../../library/ssl.rst:1927
msgid ""
":attr:`~SSLContext.verify_mode` is now automatically changed to :data:"
"`CERT_REQUIRED`  when hostname checking is enabled and :attr:`~SSLContext."
"verify_mode` is :data:`CERT_NONE`. Previously the same operation would have "
"failed with a :exc:`ValueError`."
msgstr ""

#: ../../library/ssl.rst:1934
msgid ""
"Write TLS keys to a keylog file, whenever key material is generated or "
"received. The keylog file is designed for debugging purposes only. The file "
"format is specified by NSS and used by many traffic analyzers such as "
"Wireshark. The log file is opened in append-only mode. Writes are "
"synchronized between threads, but not between processes."
msgstr ""

#: ../../library/ssl.rst:1944
msgid ""
"A :class:`TLSVersion` enum member representing the highest supported TLS "
"version. The value defaults to :attr:`TLSVersion.MAXIMUM_SUPPORTED`. The "
"attribute is read-only for protocols other than :const:`PROTOCOL_TLS`, :"
"const:`PROTOCOL_TLS_CLIENT`, and :const:`PROTOCOL_TLS_SERVER`."
msgstr ""

#: ../../library/ssl.rst:1949
msgid ""
"The attributes :attr:`~SSLContext.maximum_version`, :attr:`~SSLContext."
"minimum_version` and :attr:`SSLContext.options` all affect the supported SSL "
"and TLS versions of the context. The implementation does not prevent invalid "
"combination. For example a context with :attr:`OP_NO_TLSv1_2` in :attr:"
"`~SSLContext.options` and :attr:`~SSLContext.maximum_version` set to :attr:"
"`TLSVersion.TLSv1_2` will not be able to establish a TLS 1.2 connection."
msgstr ""

#: ../../library/ssl.rst:1962
msgid ""
"Like :attr:`SSLContext.maximum_version` except it is the lowest supported "
"version or :attr:`TLSVersion.MINIMUM_SUPPORTED`."
msgstr ""

#: ../../library/ssl.rst:1969
msgid ""
"Control the number of TLS 1.3 session tickets of a :const:"
"`PROTOCOL_TLS_SERVER` context. The setting has no impact on TLS 1.0 to 1.2 "
"connections."
msgstr ""

#: ../../library/ssl.rst:1977
msgid ""
"An integer representing the set of SSL options enabled on this context. The "
"default value is :data:`OP_ALL`, but you can specify other options such as :"
"data:`OP_NO_SSLv2` by ORing them together."
msgstr ""

#: ../../library/ssl.rst:1981
msgid ":attr:`SSLContext.options` returns :class:`Options` flags:"
msgstr ":attr:`SSLContext.options` 會回傳 :class:`Options` 旗標："

#: ../../library/ssl.rst:1989
msgid ""
"All ``OP_NO_SSL*`` and ``OP_NO_TLS*`` options have been deprecated since "
"Python 3.7. Use :attr:`SSLContext.minimum_version` and :attr:`SSLContext."
"maximum_version` instead."
msgstr ""

#: ../../library/ssl.rst:1995
msgid ""
"Enable TLS 1.3 post-handshake client authentication. Post-handshake auth is "
"disabled by default and a server can only request a TLS client certificate "
"during the initial handshake. When enabled, a server may request a TLS "
"client certificate at any time after the handshake."
msgstr ""

#: ../../library/ssl.rst:2000
msgid ""
"When enabled on client-side sockets, the client signals the server that it "
"supports post-handshake authentication."
msgstr ""

#: ../../library/ssl.rst:2003
msgid ""
"When enabled on server-side sockets, :attr:`SSLContext.verify_mode` must be "
"set to :data:`CERT_OPTIONAL` or :data:`CERT_REQUIRED`, too. The actual "
"client cert exchange is delayed until :meth:`SSLSocket."
"verify_client_post_handshake` is called and some I/O is performed."
msgstr ""

#: ../../library/ssl.rst:2013
msgid ""
"The protocol version chosen when constructing the context.  This attribute "
"is read-only."
msgstr ""

#: ../../library/ssl.rst:2018
msgid ""
"Whether :attr:`~SSLContext.check_hostname` falls back to verify the cert's "
"subject common name in the absence of a subject alternative name extension "
"(default: true)."
msgstr ""

#: ../../library/ssl.rst:2026
msgid ""
"The flag had no effect with OpenSSL before version 1.1.1l. Python 3.8.9, "
"3.9.3, and 3.10 include workarounds for previous versions."
msgstr ""

#: ../../library/ssl.rst:2031
msgid ""
"An integer representing the `security level <https://docs.openssl.org/master/"
"man3/SSL_CTX_get_security_level/>`_ for the context. This attribute is read-"
"only."
msgstr ""

#: ../../library/ssl.rst:2039
msgid ""
"The flags for certificate verification operations. You can set flags like :"
"data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL does "
"neither require nor verify certificate revocation lists (CRLs)."
msgstr ""

#: ../../library/ssl.rst:2045
msgid ":attr:`SSLContext.verify_flags` returns :class:`VerifyFlags` flags:"
msgstr ":attr:`SSLContext.verify_flags` 會回傳 :class:`VerifyFlags` 旗標："

#: ../../library/ssl.rst:2053
msgid ""
"Whether to try to verify other peers' certificates and how to behave if "
"verification fails.  This attribute must be one of :data:`CERT_NONE`, :data:"
"`CERT_OPTIONAL` or :data:`CERT_REQUIRED`."
msgstr ""

#: ../../library/ssl.rst:2057
msgid ":attr:`SSLContext.verify_mode` returns :class:`VerifyMode` enum:"
msgstr ":attr:`SSLContext.verify_mode` 會回傳 :class:`VerifyMode` 列舉："

#: ../../library/ssl.rst:2065
msgid ""
"Enables TLS-PSK (pre-shared key) authentication on a client-side connection."
msgstr ""

#: ../../library/ssl.rst:2067 ../../library/ssl.rst:2116
msgid ""
"In general, certificate based authentication should be preferred over this "
"method."
msgstr ""

#: ../../library/ssl.rst:2069
msgid ""
"The parameter ``callback`` is a callable object with the signature: ``def "
"callback(hint: str | None) -> tuple[str | None, bytes]``. The ``hint`` "
"parameter is an optional identity hint sent by the server. The return value "
"is a tuple in the form (client-identity, psk). Client-identity is an "
"optional string which may be used by the server to select a corresponding "
"PSK for the client. The string must be less than or equal to ``256`` octets "
"when UTF-8 encoded. PSK is a :term:`bytes-like object` representing the pre-"
"shared key. Return a zero length PSK to reject the connection."
msgstr ""

#: ../../library/ssl.rst:2079 ../../library/ssl.rst:2125
msgid "Setting ``callback`` to :const:`None` removes any existing callback."
msgstr ""

#: ../../library/ssl.rst:2082
msgid "When using TLS 1.3:"
msgstr "使用 TLS 1.3 時："

#: ../../library/ssl.rst:2084
msgid "the ``hint`` parameter is always :const:`None`."
msgstr "``hint`` 參數始終為 :const:`None`。"

#: ../../library/ssl.rst:2085
msgid "client-identity must be a non-empty string."
msgstr ""

#: ../../library/ssl.rst:2087 ../../library/ssl.rst:2134
msgid "Example usage::"
msgstr "範例用法： ::"

#: ../../library/ssl.rst:2089
msgid ""
"context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
"context.check_hostname = False\n"
"context.verify_mode = ssl.CERT_NONE\n"
"context.maximum_version = ssl.TLSVersion.TLSv1_2\n"
"context.set_ciphers('PSK')\n"
"\n"
"# A simple lambda:\n"
"psk = bytes.fromhex('c0ffee')\n"
"context.set_psk_client_callback(lambda hint: (None, psk))\n"
"\n"
"# A table using the hint from the server:\n"
"psk_table = { 'ServerId_1': bytes.fromhex('c0ffee'),\n"
"              'ServerId_2': bytes.fromhex('facade')\n"
"}\n"
"def callback(hint):\n"
"    return 'ClientId_1', psk_table.get(hint, b'')\n"
"context.set_psk_client_callback(callback)"
msgstr ""

#: ../../library/ssl.rst:2107 ../../library/ssl.rst:2152
msgid ""
"This method will raise :exc:`NotImplementedError` if :data:`HAS_PSK` is "
"``False``."
msgstr ""

#: ../../library/ssl.rst:2114
msgid ""
"Enables TLS-PSK (pre-shared key) authentication on a server-side connection."
msgstr ""

#: ../../library/ssl.rst:2118
msgid ""
"The parameter ``callback`` is a callable object with the signature: ``def "
"callback(identity: str | None) -> bytes``. The ``identity`` parameter is an "
"optional identity sent by the client which can be used to select a "
"corresponding PSK. The return value is a :term:`bytes-like object` "
"representing the pre-shared key. Return a zero length PSK to reject the "
"connection."
msgstr ""

#: ../../library/ssl.rst:2127
msgid ""
"The parameter ``identity_hint`` is an optional identity hint string sent to "
"the client. The string must be less than or equal to ``256`` octets when "
"UTF-8 encoded."
msgstr ""

#: ../../library/ssl.rst:2132
msgid ""
"When using TLS 1.3 the ``identity_hint`` parameter is not sent to the client."
msgstr ""

#: ../../library/ssl.rst:2136
msgid ""
"context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)\n"
"context.maximum_version = ssl.TLSVersion.TLSv1_2\n"
"context.set_ciphers('PSK')\n"
"\n"
"# A simple lambda:\n"
"psk = bytes.fromhex('c0ffee')\n"
"context.set_psk_server_callback(lambda identity: psk)\n"
"\n"
"# A table using the identity of the client:\n"
"psk_table = { 'ClientId_1': bytes.fromhex('c0ffee'),\n"
"              'ClientId_2': bytes.fromhex('facade')\n"
"}\n"
"def callback(identity):\n"
"    return psk_table.get(identity, b'')\n"
"context.set_psk_server_callback(callback, 'ServerId_1')"
msgstr ""

#: ../../library/ssl.rst:2164
msgid "Certificates"
msgstr ""

#: ../../library/ssl.rst:2166
msgid ""
"Certificates in general are part of a public-key / private-key system.  In "
"this system, each *principal*, (which may be a machine, or a person, or an "
"organization) is assigned a unique two-part encryption key.  One part of the "
"key is public, and is called the *public key*; the other part is kept "
"secret, and is called the *private key*.  The two parts are related, in that "
"if you encrypt a message with one of the parts, you can decrypt it with the "
"other part, and **only** with the other part."
msgstr ""

#: ../../library/ssl.rst:2174
msgid ""
"A certificate contains information about two principals.  It contains the "
"name of a *subject*, and the subject's public key.  It also contains a "
"statement by a second principal, the *issuer*, that the subject is who they "
"claim to be, and that this is indeed the subject's public key.  The issuer's "
"statement is signed with the issuer's private key, which only the issuer "
"knows.  However, anyone can verify the issuer's statement by finding the "
"issuer's public key, decrypting the statement with it, and comparing it to "
"the other information in the certificate. The certificate also contains "
"information about the time period over which it is valid.  This is expressed "
"as two fields, called \"notBefore\" and \"notAfter\"."
msgstr ""

#: ../../library/ssl.rst:2184
msgid ""
"In the Python use of certificates, a client or server can use a certificate "
"to prove who they are.  The other side of a network connection can also be "
"required to produce a certificate, and that certificate can be validated to "
"the satisfaction of the client or server that requires such validation.  The "
"connection attempt can be set to raise an exception if the validation fails. "
"Validation is done automatically, by the underlying OpenSSL framework; the "
"application need not concern itself with its mechanics.  But the application "
"does usually need to provide sets of certificates to allow this process to "
"take place."
msgstr ""

#: ../../library/ssl.rst:2194
msgid ""
"Python uses files to contain certificates.  They should be formatted as "
"\"PEM\" (see :rfc:`1422`), which is a base-64 encoded form wrapped with a "
"header line and a footer line::"
msgstr ""

#: ../../library/ssl.rst:2198
msgid ""
"-----BEGIN CERTIFICATE-----\n"
"... (certificate in base64 PEM encoding) ...\n"
"-----END CERTIFICATE-----"
msgstr ""
"-----BEGIN CERTIFICATE-----\n"
"... (certificate in base64 PEM encoding) ...\n"
"-----END CERTIFICATE-----"

#: ../../library/ssl.rst:2203
msgid "Certificate chains"
msgstr ""

#: ../../library/ssl.rst:2205
msgid ""
"The Python files which contain certificates can contain a sequence of "
"certificates, sometimes called a *certificate chain*.  This chain should "
"start with the specific certificate for the principal who \"is\" the client "
"or server, and then the certificate for the issuer of that certificate, and "
"then the certificate for the issuer of *that* certificate, and so on up the "
"chain till you get to a certificate which is *self-signed*, that is, a "
"certificate which has the same subject and issuer, sometimes called a *root "
"certificate*.  The certificates should just be concatenated together in the "
"certificate file.  For example, suppose we had a three certificate chain, "
"from our server certificate to the certificate of the certification "
"authority that signed our server certificate, to the root certificate of the "
"agency which issued the certification authority's certificate::"
msgstr ""

#: ../../library/ssl.rst:2218
msgid ""
"-----BEGIN CERTIFICATE-----\n"
"... (certificate for your server)...\n"
"-----END CERTIFICATE-----\n"
"-----BEGIN CERTIFICATE-----\n"
"... (the certificate for the CA)...\n"
"-----END CERTIFICATE-----\n"
"-----BEGIN CERTIFICATE-----\n"
"... (the root certificate for the CA's issuer)...\n"
"-----END CERTIFICATE-----"
msgstr ""
"-----BEGIN CERTIFICATE-----\n"
"... (certificate for your server)...\n"
"-----END CERTIFICATE-----\n"
"-----BEGIN CERTIFICATE-----\n"
"... (the certificate for the CA)...\n"
"-----END CERTIFICATE-----\n"
"-----BEGIN CERTIFICATE-----\n"
"... (the root certificate for the CA's issuer)...\n"
"-----END CERTIFICATE-----"

#: ../../library/ssl.rst:2229
msgid "CA certificates"
msgstr ""

#: ../../library/ssl.rst:2231
msgid ""
"If you are going to require validation of the other side of the connection's "
"certificate, you need to provide a \"CA certs\" file, filled with the "
"certificate chains for each issuer you are willing to trust.  Again, this "
"file just contains these chains concatenated together.  For validation, "
"Python will use the first chain it finds in the file which matches.  The "
"platform's certificates file can be used by calling :meth:`SSLContext."
"load_default_certs`, this is done automatically with :func:`."
"create_default_context`."
msgstr ""

#: ../../library/ssl.rst:2240
msgid "Combined key and certificate"
msgstr ""

#: ../../library/ssl.rst:2242
msgid ""
"Often the private key is stored in the same file as the certificate; in this "
"case, only the ``certfile`` parameter to :meth:`SSLContext.load_cert_chain` "
"needs to be passed.  If the private key is stored with the certificate, it "
"should come before the first certificate in the certificate chain::"
msgstr ""

#: ../../library/ssl.rst:2248
msgid ""
"-----BEGIN RSA PRIVATE KEY-----\n"
"... (private key in base64 encoding) ...\n"
"-----END RSA PRIVATE KEY-----\n"
"-----BEGIN CERTIFICATE-----\n"
"... (certificate in base64 PEM encoding) ...\n"
"-----END CERTIFICATE-----"
msgstr ""
"-----BEGIN RSA PRIVATE KEY-----\n"
"... (private key in base64 encoding) ...\n"
"-----END RSA PRIVATE KEY-----\n"
"-----BEGIN CERTIFICATE-----\n"
"... (certificate in base64 PEM encoding) ...\n"
"-----END CERTIFICATE-----"

#: ../../library/ssl.rst:2256
msgid "Self-signed certificates"
msgstr ""

#: ../../library/ssl.rst:2258
msgid ""
"If you are going to create a server that provides SSL-encrypted connection "
"services, you will need to acquire a certificate for that service.  There "
"are many ways of acquiring appropriate certificates, such as buying one from "
"a certification authority.  Another common practice is to generate a self-"
"signed certificate.  The simplest way to do this is with the OpenSSL "
"package, using something like the following::"
msgstr ""

#: ../../library/ssl.rst:2265
msgid ""
"% openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem\n"
"Generating a 1024 bit RSA private key\n"
".......++++++\n"
".............................++++++\n"
"writing new private key to 'cert.pem'\n"
"-----\n"
"You are about to be asked to enter information that will be incorporated\n"
"into your certificate request.\n"
"What you are about to enter is what is called a Distinguished Name or a DN.\n"
"There are quite a few fields but you can leave some blank\n"
"For some fields there will be a default value,\n"
"If you enter '.', the field will be left blank.\n"
"-----\n"
"Country Name (2 letter code) [AU]:US\n"
"State or Province Name (full name) [Some-State]:MyState\n"
"Locality Name (eg, city) []:Some City\n"
"Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Organization, "
"Inc.\n"
"Organizational Unit Name (eg, section) []:My Group\n"
"Common Name (eg, YOUR name) []:myserver.mygroup.myorganization.com\n"
"Email Address []:ops@myserver.mygroup.myorganization.com\n"
"%"
msgstr ""

#: ../../library/ssl.rst:2287
msgid ""
"The disadvantage of a self-signed certificate is that it is its own root "
"certificate, and no one else will have it in their cache of known (and "
"trusted) root certificates."
msgstr ""

#: ../../library/ssl.rst:2293
msgid "Examples"
msgstr "範例"

#: ../../library/ssl.rst:2296
msgid "Testing for SSL support"
msgstr ""

#: ../../library/ssl.rst:2298
msgid ""
"To test for the presence of SSL support in a Python installation, user code "
"should use the following idiom::"
msgstr ""

#: ../../library/ssl.rst:2301
msgid ""
"try:\n"
"    import ssl\n"
"except ImportError:\n"
"    pass\n"
"else:\n"
"    ...  # do something that requires SSL support"
msgstr ""

#: ../../library/ssl.rst:2309
msgid "Client-side operation"
msgstr ""

#: ../../library/ssl.rst:2311
msgid ""
"This example creates a SSL context with the recommended security settings "
"for client sockets, including automatic certificate verification::"
msgstr ""

#: ../../library/ssl.rst:2314
msgid ">>> context = ssl.create_default_context()"
msgstr ">>> context = ssl.create_default_context()"

#: ../../library/ssl.rst:2316
msgid ""
"If you prefer to tune security settings yourself, you might create a context "
"from scratch (but beware that you might not get the settings right)::"
msgstr ""

#: ../../library/ssl.rst:2320
msgid ""
">>> context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
">>> context.load_verify_locations(\"/etc/ssl/certs/ca-bundle.crt\")"
msgstr ""
">>> context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
">>> context.load_verify_locations(\"/etc/ssl/certs/ca-bundle.crt\")"

#: ../../library/ssl.rst:2323
msgid ""
"(this snippet assumes your operating system places a bundle of all CA "
"certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an "
"error and have to adjust the location)"
msgstr ""

#: ../../library/ssl.rst:2327
msgid ""
"The :data:`PROTOCOL_TLS_CLIENT` protocol configures the context for cert "
"validation and hostname verification. :attr:`~SSLContext.verify_mode` is set "
"to :data:`CERT_REQUIRED` and :attr:`~SSLContext.check_hostname` is set to "
"``True``. All other protocols create SSL contexts with insecure defaults."
msgstr ""

#: ../../library/ssl.rst:2332
msgid ""
"When you use the context to connect to a server, :const:`CERT_REQUIRED` and :"
"attr:`~SSLContext.check_hostname` validate the server certificate: it "
"ensures that the server certificate was signed with one of the CA "
"certificates, checks the signature for correctness, and verifies other "
"properties like validity and identity of the hostname::"
msgstr ""

#: ../../library/ssl.rst:2338
msgid ""
">>> conn = context.wrap_socket(socket.socket(socket.AF_INET),\n"
"...                            server_hostname=\"www.python.org\")\n"
">>> conn.connect((\"www.python.org\", 443))"
msgstr ""
">>> conn = context.wrap_socket(socket.socket(socket.AF_INET),\n"
"...                            server_hostname=\"www.python.org\")\n"
">>> conn.connect((\"www.python.org\", 443))"

#: ../../library/ssl.rst:2342
msgid "You may then fetch the certificate::"
msgstr ""

#: ../../library/ssl.rst:2344
msgid ">>> cert = conn.getpeercert()"
msgstr ">>> cert = conn.getpeercert()"

#: ../../library/ssl.rst:2346
msgid ""
"Visual inspection shows that the certificate does identify the desired "
"service (that is, the HTTPS host ``www.python.org``)::"
msgstr ""

#: ../../library/ssl.rst:2349
msgid ""
">>> pprint.pprint(cert)\n"
"{'OCSP': ('http://ocsp.digicert.com',),\n"
" 'caIssuers': ('http://cacerts.digicert.com/"
"DigiCertSHA2ExtendedValidationServerCA.crt',),\n"
" 'crlDistributionPoints': ('http://crl3.digicert.com/sha2-ev-server-g1."
"crl',\n"
"                           'http://crl4.digicert.com/sha2-ev-server-g1."
"crl'),\n"
" 'issuer': ((('countryName', 'US'),),\n"
"            (('organizationName', 'DigiCert Inc'),),\n"
"            (('organizationalUnitName', 'www.digicert.com'),),\n"
"            (('commonName', 'DigiCert SHA2 Extended Validation Server "
"CA'),)),\n"
" 'notAfter': 'Sep  9 12:00:00 2016 GMT',\n"
" 'notBefore': 'Sep  5 00:00:00 2014 GMT',\n"
" 'serialNumber': '01BB6F00122B177F36CAB49CEA8B6B26',\n"
" 'subject': ((('businessCategory', 'Private Organization'),),\n"
"             (('1.3.6.1.4.1.311.60.2.1.3', 'US'),),\n"
"             (('1.3.6.1.4.1.311.60.2.1.2', 'Delaware'),),\n"
"             (('serialNumber', '3359300'),),\n"
"             (('streetAddress', '16 Allen Rd'),),\n"
"             (('postalCode', '03894-4801'),),\n"
"             (('countryName', 'US'),),\n"
"             (('stateOrProvinceName', 'NH'),),\n"
"             (('localityName', 'Wolfeboro'),),\n"
"             (('organizationName', 'Python Software Foundation'),),\n"
"             (('commonName', 'www.python.org'),)),\n"
" 'subjectAltName': (('DNS', 'www.python.org'),\n"
"                    ('DNS', 'python.org'),\n"
"                    ('DNS', 'pypi.org'),\n"
"                    ('DNS', 'docs.python.org'),\n"
"                    ('DNS', 'testpypi.org'),\n"
"                    ('DNS', 'bugs.python.org'),\n"
"                    ('DNS', 'wiki.python.org'),\n"
"                    ('DNS', 'hg.python.org'),\n"
"                    ('DNS', 'mail.python.org'),\n"
"                    ('DNS', 'packaging.python.org'),\n"
"                    ('DNS', 'pythonhosted.org'),\n"
"                    ('DNS', 'www.pythonhosted.org'),\n"
"                    ('DNS', 'test.pythonhosted.org'),\n"
"                    ('DNS', 'us.pycon.org'),\n"
"                    ('DNS', 'id.python.org')),\n"
" 'version': 3}"
msgstr ""
">>> pprint.pprint(cert)\n"
"{'OCSP': ('http://ocsp.digicert.com',),\n"
" 'caIssuers': ('http://cacerts.digicert.com/"
"DigiCertSHA2ExtendedValidationServerCA.crt',),\n"
" 'crlDistributionPoints': ('http://crl3.digicert.com/sha2-ev-server-g1."
"crl',\n"
"                           'http://crl4.digicert.com/sha2-ev-server-g1."
"crl'),\n"
" 'issuer': ((('countryName', 'US'),),\n"
"            (('organizationName', 'DigiCert Inc'),),\n"
"            (('organizationalUnitName', 'www.digicert.com'),),\n"
"            (('commonName', 'DigiCert SHA2 Extended Validation Server "
"CA'),)),\n"
" 'notAfter': 'Sep  9 12:00:00 2016 GMT',\n"
" 'notBefore': 'Sep  5 00:00:00 2014 GMT',\n"
" 'serialNumber': '01BB6F00122B177F36CAB49CEA8B6B26',\n"
" 'subject': ((('businessCategory', 'Private Organization'),),\n"
"             (('1.3.6.1.4.1.311.60.2.1.3', 'US'),),\n"
"             (('1.3.6.1.4.1.311.60.2.1.2', 'Delaware'),),\n"
"             (('serialNumber', '3359300'),),\n"
"             (('streetAddress', '16 Allen Rd'),),\n"
"             (('postalCode', '03894-4801'),),\n"
"             (('countryName', 'US'),),\n"
"             (('stateOrProvinceName', 'NH'),),\n"
"             (('localityName', 'Wolfeboro'),),\n"
"             (('organizationName', 'Python Software Foundation'),),\n"
"             (('commonName', 'www.python.org'),)),\n"
" 'subjectAltName': (('DNS', 'www.python.org'),\n"
"                    ('DNS', 'python.org'),\n"
"                    ('DNS', 'pypi.org'),\n"
"                    ('DNS', 'docs.python.org'),\n"
"                    ('DNS', 'testpypi.org'),\n"
"                    ('DNS', 'bugs.python.org'),\n"
"                    ('DNS', 'wiki.python.org'),\n"
"                    ('DNS', 'hg.python.org'),\n"
"                    ('DNS', 'mail.python.org'),\n"
"                    ('DNS', 'packaging.python.org'),\n"
"                    ('DNS', 'pythonhosted.org'),\n"
"                    ('DNS', 'www.pythonhosted.org'),\n"
"                    ('DNS', 'test.pythonhosted.org'),\n"
"                    ('DNS', 'us.pycon.org'),\n"
"                    ('DNS', 'id.python.org')),\n"
" 'version': 3}"

#: ../../library/ssl.rst:2389
msgid ""
"Now the SSL channel is established and the certificate verified, you can "
"proceed to talk with the server::"
msgstr ""

#: ../../library/ssl.rst:2392
msgid ""
">>> conn.sendall(b\"HEAD / HTTP/1.0\\r\\nHost: linuxfr.org\\r\\n\\r\\n\")\n"
">>> pprint.pprint(conn.recv(1024).split(b\"\\r\\n\"))\n"
"[b'HTTP/1.1 200 OK',\n"
" b'Date: Sat, 18 Oct 2014 18:27:20 GMT',\n"
" b'Server: nginx',\n"
" b'Content-Type: text/html; charset=utf-8',\n"
" b'X-Frame-Options: SAMEORIGIN',\n"
" b'Content-Length: 45679',\n"
" b'Accept-Ranges: bytes',\n"
" b'Via: 1.1 varnish',\n"
" b'Age: 2188',\n"
" b'X-Served-By: cache-lcy1134-LCY',\n"
" b'X-Cache: HIT',\n"
" b'X-Cache-Hits: 11',\n"
" b'Vary: Cookie',\n"
" b'Strict-Transport-Security: max-age=63072000; includeSubDomains',\n"
" b'Connection: close',\n"
" b'',\n"
" b'']"
msgstr ""
">>> conn.sendall(b\"HEAD / HTTP/1.0\\r\\nHost: linuxfr.org\\r\\n\\r\\n\")\n"
">>> pprint.pprint(conn.recv(1024).split(b\"\\r\\n\"))\n"
"[b'HTTP/1.1 200 OK',\n"
" b'Date: Sat, 18 Oct 2014 18:27:20 GMT',\n"
" b'Server: nginx',\n"
" b'Content-Type: text/html; charset=utf-8',\n"
" b'X-Frame-Options: SAMEORIGIN',\n"
" b'Content-Length: 45679',\n"
" b'Accept-Ranges: bytes',\n"
" b'Via: 1.1 varnish',\n"
" b'Age: 2188',\n"
" b'X-Served-By: cache-lcy1134-LCY',\n"
" b'X-Cache: HIT',\n"
" b'X-Cache-Hits: 11',\n"
" b'Vary: Cookie',\n"
" b'Strict-Transport-Security: max-age=63072000; includeSubDomains',\n"
" b'Connection: close',\n"
" b'',\n"
" b'']"

#: ../../library/ssl.rst:2416
msgid "Server-side operation"
msgstr "伺服器端操作"

#: ../../library/ssl.rst:2418
msgid ""
"For server operation, typically you'll need to have a server certificate, "
"and private key, each in a file.  You'll first create a context holding the "
"key and the certificate, so that clients can check your authenticity.  Then "
"you'll open a socket, bind it to a port, call :meth:`listen` on it, and "
"start waiting for clients to connect::"
msgstr ""

#: ../../library/ssl.rst:2424
msgid ""
"import socket, ssl\n"
"\n"
"context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)\n"
"context.load_cert_chain(certfile=\"mycertfile\", keyfile=\"mykeyfile\")\n"
"\n"
"bindsocket = socket.socket()\n"
"bindsocket.bind(('myaddr.example.com', 10023))\n"
"bindsocket.listen(5)"
msgstr ""
"import socket, ssl\n"
"\n"
"context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)\n"
"context.load_cert_chain(certfile=\"mycertfile\", keyfile=\"mykeyfile\")\n"
"\n"
"bindsocket = socket.socket()\n"
"bindsocket.bind(('myaddr.example.com', 10023))\n"
"bindsocket.listen(5)"

#: ../../library/ssl.rst:2433
msgid ""
"When a client connects, you'll call :meth:`accept` on the socket to get the "
"new socket from the other end, and use the context's :meth:`SSLContext."
"wrap_socket` method to create a server-side SSL socket for the connection::"
msgstr ""

#: ../../library/ssl.rst:2437
msgid ""
"while True:\n"
"    newsocket, fromaddr = bindsocket.accept()\n"
"    connstream = context.wrap_socket(newsocket, server_side=True)\n"
"    try:\n"
"        deal_with_client(connstream)\n"
"    finally:\n"
"        connstream.shutdown(socket.SHUT_RDWR)\n"
"        connstream.close()"
msgstr ""
"while True:\n"
"    newsocket, fromaddr = bindsocket.accept()\n"
"    connstream = context.wrap_socket(newsocket, server_side=True)\n"
"    try:\n"
"        deal_with_client(connstream)\n"
"    finally:\n"
"        connstream.shutdown(socket.SHUT_RDWR)\n"
"        connstream.close()"

#: ../../library/ssl.rst:2446
msgid ""
"Then you'll read data from the ``connstream`` and do something with it till "
"you are finished with the client (or the client is finished with you)::"
msgstr ""

#: ../../library/ssl.rst:2449
msgid ""
"def deal_with_client(connstream):\n"
"    data = connstream.recv(1024)\n"
"    # empty data means the client is finished with us\n"
"    while data:\n"
"        if not do_something(connstream, data):\n"
"            # we'll assume do_something returns False\n"
"            # when we're finished with client\n"
"            break\n"
"        data = connstream.recv(1024)\n"
"    # finished with client"
msgstr ""

#: ../../library/ssl.rst:2460
msgid ""
"And go back to listening for new client connections (of course, a real "
"server would probably handle each client connection in a separate thread, or "
"put the sockets in :ref:`non-blocking mode <ssl-nonblocking>` and use an "
"event loop)."
msgstr ""

#: ../../library/ssl.rst:2468
msgid "Notes on non-blocking sockets"
msgstr ""

#: ../../library/ssl.rst:2470
msgid ""
"SSL sockets behave slightly different than regular sockets in non-blocking "
"mode. When working with non-blocking sockets, there are thus several things "
"you need to be aware of:"
msgstr ""

#: ../../library/ssl.rst:2474
msgid ""
"Most :class:`SSLSocket` methods will raise either :exc:`SSLWantWriteError` "
"or :exc:`SSLWantReadError` instead of :exc:`BlockingIOError` if an I/O "
"operation would block. :exc:`SSLWantReadError` will be raised if a read "
"operation on the underlying socket is necessary, and :exc:"
"`SSLWantWriteError` for a write operation on the underlying socket. Note "
"that attempts to *write* to an SSL socket may require *reading* from the "
"underlying socket first, and attempts to *read* from the SSL socket may "
"require a prior *write* to the underlying socket."
msgstr ""

#: ../../library/ssl.rst:2486
msgid ""
"In earlier Python versions, the :meth:`!SSLSocket.send` method returned zero "
"instead of raising :exc:`SSLWantWriteError` or :exc:`SSLWantReadError`."
msgstr ""

#: ../../library/ssl.rst:2490
msgid ""
"Calling :func:`~select.select` tells you that the OS-level socket can be "
"read from (or written to), but it does not imply that there is sufficient "
"data at the upper SSL layer.  For example, only part of an SSL frame might "
"have arrived.  Therefore, you must be ready to handle :meth:`SSLSocket.recv` "
"and :meth:`SSLSocket.send` failures, and retry after another call to :func:"
"`~select.select`."
msgstr ""

#: ../../library/ssl.rst:2497
msgid ""
"Conversely, since the SSL layer has its own framing, a SSL socket may still "
"have data available for reading without :func:`~select.select` being aware "
"of it.  Therefore, you should first call :meth:`SSLSocket.recv` to drain any "
"potentially available data, and then only block on a :func:`~select.select` "
"call if still necessary."
msgstr ""

#: ../../library/ssl.rst:2503
msgid ""
"(of course, similar provisions apply when using other primitives such as :"
"func:`~select.poll`, or those in the :mod:`selectors` module)"
msgstr ""

#: ../../library/ssl.rst:2506
msgid ""
"The SSL handshake itself will be non-blocking: the :meth:`SSLSocket."
"do_handshake` method has to be retried until it returns successfully.  Here "
"is a synopsis using :func:`~select.select` to wait for the socket's "
"readiness::"
msgstr ""

#: ../../library/ssl.rst:2511
msgid ""
"while True:\n"
"    try:\n"
"        sock.do_handshake()\n"
"        break\n"
"    except ssl.SSLWantReadError:\n"
"        select.select([sock], [], [])\n"
"    except ssl.SSLWantWriteError:\n"
"        select.select([], [sock], [])"
msgstr ""
"while True:\n"
"    try:\n"
"        sock.do_handshake()\n"
"        break\n"
"    except ssl.SSLWantReadError:\n"
"        select.select([sock], [], [])\n"
"    except ssl.SSLWantWriteError:\n"
"        select.select([], [sock], [])"

#: ../../library/ssl.rst:2522
msgid ""
"The :mod:`asyncio` module supports :ref:`non-blocking SSL sockets <ssl-"
"nonblocking>` and provides a higher level :ref:`Streams API <asyncio-"
"streams>`. It polls for events using the :mod:`selectors` module and "
"handles :exc:`SSLWantWriteError`, :exc:`SSLWantReadError` and :exc:"
"`BlockingIOError` exceptions. It runs the SSL handshake asynchronously as "
"well."
msgstr ""

#: ../../library/ssl.rst:2531
msgid "Memory BIO Support"
msgstr "記憶體 BIO 支援"

#: ../../library/ssl.rst:2535
msgid ""
"Ever since the SSL module was introduced in Python 2.6, the :class:"
"`SSLSocket` class has provided two related but distinct areas of "
"functionality:"
msgstr ""

#: ../../library/ssl.rst:2538
msgid "SSL protocol handling"
msgstr ""

#: ../../library/ssl.rst:2539
msgid "Network IO"
msgstr ""

#: ../../library/ssl.rst:2541
msgid ""
"The network IO API is identical to that provided by :class:`socket.socket`, "
"from which :class:`SSLSocket` also inherits. This allows an SSL socket to be "
"used as a drop-in replacement for a regular socket, making it very easy to "
"add SSL support to an existing application."
msgstr ""

#: ../../library/ssl.rst:2546
msgid ""
"Combining SSL protocol handling and network IO usually works well, but there "
"are some cases where it doesn't. An example is async IO frameworks that want "
"to use a different IO multiplexing model than the \"select/poll on a file "
"descriptor\" (readiness based) model that is assumed by :class:`socket."
"socket` and by the internal OpenSSL socket IO routines. This is mostly "
"relevant for platforms like Windows where this model is not efficient. For "
"this purpose, a reduced scope variant of :class:`SSLSocket` called :class:"
"`SSLObject` is provided."
msgstr ""

#: ../../library/ssl.rst:2557
msgid ""
"A reduced-scope variant of :class:`SSLSocket` representing an SSL protocol "
"instance that does not contain any network IO methods. This class is "
"typically used by framework authors that want to implement asynchronous IO "
"for SSL through memory buffers."
msgstr ""

#: ../../library/ssl.rst:2562
msgid ""
"This class implements an interface on top of a low-level SSL object as "
"implemented by OpenSSL. This object captures the state of an SSL connection "
"but does not provide any network IO itself. IO needs to be performed through "
"separate \"BIO\" objects which are OpenSSL's IO abstraction layer."
msgstr ""

#: ../../library/ssl.rst:2567
msgid ""
"This class has no public constructor.  An :class:`SSLObject` instance must "
"be created using the :meth:`~SSLContext.wrap_bio` method. This method will "
"create the :class:`SSLObject` instance and bind it to a pair of BIOs. The "
"*incoming* BIO is used to pass data from Python to the SSL protocol "
"instance, while the *outgoing* BIO is used to pass data the other way around."
msgstr ""

#: ../../library/ssl.rst:2574
msgid "The following methods are available:"
msgstr ""

#: ../../library/ssl.rst:2576
msgid ":attr:`~SSLSocket.context`"
msgstr ":attr:`~SSLSocket.context`"

#: ../../library/ssl.rst:2577
msgid ":attr:`~SSLSocket.server_side`"
msgstr ":attr:`~SSLSocket.server_side`"

#: ../../library/ssl.rst:2578
msgid ":attr:`~SSLSocket.server_hostname`"
msgstr ":attr:`~SSLSocket.server_hostname`"

#: ../../library/ssl.rst:2579
msgid ":attr:`~SSLSocket.session`"
msgstr ":attr:`~SSLSocket.session`"

#: ../../library/ssl.rst:2580
msgid ":attr:`~SSLSocket.session_reused`"
msgstr ":attr:`~SSLSocket.session_reused`"

#: ../../library/ssl.rst:2581
msgid ":meth:`~SSLSocket.read`"
msgstr ":meth:`~SSLSocket.read`"

#: ../../library/ssl.rst:2582
msgid ":meth:`~SSLSocket.write`"
msgstr ":meth:`~SSLSocket.write`"

#: ../../library/ssl.rst:2583
msgid ":meth:`~SSLSocket.getpeercert`"
msgstr ":meth:`~SSLSocket.getpeercert`"

#: ../../library/ssl.rst:2584
msgid ":meth:`~SSLSocket.get_verified_chain`"
msgstr ":meth:`~SSLSocket.get_verified_chain`"

#: ../../library/ssl.rst:2585
msgid ":meth:`~SSLSocket.get_unverified_chain`"
msgstr ":meth:`~SSLSocket.get_unverified_chain`"

#: ../../library/ssl.rst:2586
msgid ":meth:`~SSLSocket.selected_alpn_protocol`"
msgstr ":meth:`~SSLSocket.selected_alpn_protocol`"

#: ../../library/ssl.rst:2587
msgid ":meth:`~SSLSocket.selected_npn_protocol`"
msgstr ":meth:`~SSLSocket.selected_npn_protocol`"

#: ../../library/ssl.rst:2588
msgid ":meth:`~SSLSocket.cipher`"
msgstr ":meth:`~SSLSocket.cipher`"

#: ../../library/ssl.rst:2589
msgid ":meth:`~SSLSocket.shared_ciphers`"
msgstr ":meth:`~SSLSocket.shared_ciphers`"

#: ../../library/ssl.rst:2590
msgid ":meth:`~SSLSocket.compression`"
msgstr ":meth:`~SSLSocket.compression`"

#: ../../library/ssl.rst:2591
msgid ":meth:`~SSLSocket.pending`"
msgstr ":meth:`~SSLSocket.pending`"

#: ../../library/ssl.rst:2592
msgid ":meth:`~SSLSocket.do_handshake`"
msgstr ":meth:`~SSLSocket.do_handshake`"

#: ../../library/ssl.rst:2593
msgid ":meth:`~SSLSocket.verify_client_post_handshake`"
msgstr ":meth:`~SSLSocket.verify_client_post_handshake`"

#: ../../library/ssl.rst:2594
msgid ":meth:`~SSLSocket.unwrap`"
msgstr ":meth:`~SSLSocket.unwrap`"

#: ../../library/ssl.rst:2595
msgid ":meth:`~SSLSocket.get_channel_binding`"
msgstr ":meth:`~SSLSocket.get_channel_binding`"

#: ../../library/ssl.rst:2596
msgid ":meth:`~SSLSocket.version`"
msgstr ":meth:`~SSLSocket.version`"

#: ../../library/ssl.rst:2598
msgid ""
"When compared to :class:`SSLSocket`, this object lacks the following "
"features:"
msgstr ""

#: ../../library/ssl.rst:2601
msgid ""
"Any form of network IO; ``recv()`` and ``send()`` read and write only to the "
"underlying :class:`MemoryBIO` buffers."
msgstr ""

#: ../../library/ssl.rst:2604
msgid ""
"There is no *do_handshake_on_connect* machinery. You must always manually "
"call :meth:`~SSLSocket.do_handshake` to start the handshake."
msgstr ""

#: ../../library/ssl.rst:2607
msgid ""
"There is no handling of *suppress_ragged_eofs*. All end-of-file conditions "
"that are in violation of the protocol are reported via the :exc:"
"`SSLEOFError` exception."
msgstr ""

#: ../../library/ssl.rst:2611
msgid ""
"The method :meth:`~SSLSocket.unwrap` call does not return anything, unlike "
"for an SSL socket where it returns the underlying socket."
msgstr ""

#: ../../library/ssl.rst:2614
msgid ""
"The *server_name_callback* callback passed to :meth:`SSLContext."
"set_servername_callback` will get an :class:`SSLObject` instance instead of "
"a :class:`SSLSocket` instance as its first parameter."
msgstr ""

#: ../../library/ssl.rst:2618
msgid "Some notes related to the use of :class:`SSLObject`:"
msgstr ""

#: ../../library/ssl.rst:2620
msgid ""
"All IO on an :class:`SSLObject` is :ref:`non-blocking <ssl-nonblocking>`. "
"This means that for example :meth:`~SSLSocket.read` will raise an :exc:"
"`SSLWantReadError` if it needs more data than the incoming BIO has available."
msgstr ""

#: ../../library/ssl.rst:2625
msgid ""
":class:`SSLObject` instances must be created with :meth:`~SSLContext."
"wrap_bio`. In earlier versions, it was possible to create instances "
"directly. This was never documented or officially supported."
msgstr ""

#: ../../library/ssl.rst:2631
msgid ""
"An SSLObject communicates with the outside world using memory buffers. The "
"class :class:`MemoryBIO` provides a memory buffer that can be used for this "
"purpose.  It wraps an OpenSSL memory BIO (Basic IO) object:"
msgstr ""

#: ../../library/ssl.rst:2637
msgid ""
"A memory buffer that can be used to pass data between Python and an SSL "
"protocol instance."
msgstr ""

#: ../../library/ssl.rst:2642
msgid "Return the number of bytes currently in the memory buffer."
msgstr ""

#: ../../library/ssl.rst:2646
msgid ""
"A boolean indicating whether the memory BIO is current at the end-of-file "
"position."
msgstr ""

#: ../../library/ssl.rst:2651
msgid ""
"Read up to *n* bytes from the memory buffer. If *n* is not specified or "
"negative, all bytes are returned."
msgstr ""

#: ../../library/ssl.rst:2656
msgid ""
"Write the bytes from *buf* to the memory BIO. The *buf* argument must be an "
"object supporting the buffer protocol."
msgstr ""

#: ../../library/ssl.rst:2659
msgid ""
"The return value is the number of bytes written, which is always equal to "
"the length of *buf*."
msgstr ""

#: ../../library/ssl.rst:2664
msgid ""
"Write an EOF marker to the memory BIO. After this method has been called, it "
"is illegal to call :meth:`~MemoryBIO.write`. The attribute :attr:`eof` will "
"become true after all data currently in the buffer has been read."
msgstr ""

#: ../../library/ssl.rst:2670
msgid "SSL session"
msgstr ""

#: ../../library/ssl.rst:2676
msgid "Session object used by :attr:`~SSLSocket.session`."
msgstr ""

#: ../../library/ssl.rst:2688
msgid "Security considerations"
msgstr ""

#: ../../library/ssl.rst:2691
msgid "Best defaults"
msgstr ""

#: ../../library/ssl.rst:2693
msgid ""
"For **client use**, if you don't have any special requirements for your "
"security policy, it is highly recommended that you use the :func:"
"`create_default_context` function to create your SSL context. It will load "
"the system's trusted CA certificates, enable certificate validation and "
"hostname checking, and try to choose reasonably secure protocol and cipher "
"settings."
msgstr ""

#: ../../library/ssl.rst:2700
msgid ""
"For example, here is how you would use the :class:`smtplib.SMTP` class to "
"create a trusted, secure connection to a SMTP server::"
msgstr ""

#: ../../library/ssl.rst:2703
msgid ""
">>> import ssl, smtplib\n"
">>> smtp = smtplib.SMTP(\"mail.python.org\", port=587)\n"
">>> context = ssl.create_default_context()\n"
">>> smtp.starttls(context=context)\n"
"(220, b'2.0.0 Ready to start TLS')"
msgstr ""
">>> import ssl, smtplib\n"
">>> smtp = smtplib.SMTP(\"mail.python.org\", port=587)\n"
">>> context = ssl.create_default_context()\n"
">>> smtp.starttls(context=context)\n"
"(220, b'2.0.0 Ready to start TLS')"

#: ../../library/ssl.rst:2709
msgid ""
"If a client certificate is needed for the connection, it can be added with :"
"meth:`SSLContext.load_cert_chain`."
msgstr ""

#: ../../library/ssl.rst:2712
msgid ""
"By contrast, if you create the SSL context by calling the :class:"
"`SSLContext` constructor yourself, it will not have certificate validation "
"nor hostname checking enabled by default.  If you do so, please read the "
"paragraphs below to achieve a good security level."
msgstr ""

#: ../../library/ssl.rst:2718
msgid "Manual settings"
msgstr "手動設定"

#: ../../library/ssl.rst:2721
msgid "Verifying certificates"
msgstr "驗證憑證"

#: ../../library/ssl.rst:2723
msgid ""
"When calling the :class:`SSLContext` constructor directly, :const:"
"`CERT_NONE` is the default.  Since it does not authenticate the other peer, "
"it can be insecure, especially in client mode where most of the time you "
"would like to ensure the authenticity of the server you're talking to. "
"Therefore, when in client mode, it is highly recommended to use :const:"
"`CERT_REQUIRED`.  However, it is in itself not sufficient; you also have to "
"check that the server certificate, which can be obtained by calling :meth:"
"`SSLSocket.getpeercert`, matches the desired service.  For many protocols "
"and applications, the service can be identified by the hostname. This common "
"check is automatically performed when :attr:`SSLContext.check_hostname` is "
"enabled."
msgstr ""

#: ../../library/ssl.rst:2735
msgid ""
"Hostname matchings is now performed by OpenSSL. Python no longer uses :func:"
"`!match_hostname`."
msgstr ""

#: ../../library/ssl.rst:2739
msgid ""
"In server mode, if you want to authenticate your clients using the SSL layer "
"(rather than using a higher-level authentication mechanism), you'll also "
"have to specify :const:`CERT_REQUIRED` and similarly check the client "
"certificate."
msgstr ""

#: ../../library/ssl.rst:2745
msgid "Protocol versions"
msgstr "協定版本"

#: ../../library/ssl.rst:2747
msgid ""
"SSL versions 2 and 3 are considered insecure and are therefore dangerous to "
"use.  If you want maximum compatibility between clients and servers, it is "
"recommended to use :const:`PROTOCOL_TLS_CLIENT` or :const:"
"`PROTOCOL_TLS_SERVER` as the protocol version. SSLv2 and SSLv3 are disabled "
"by default."
msgstr ""

#: ../../library/ssl.rst:2755
msgid ""
">>> client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
">>> client_context.minimum_version = ssl.TLSVersion.TLSv1_3\n"
">>> client_context.maximum_version = ssl.TLSVersion.TLSv1_3"
msgstr ""
">>> client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
">>> client_context.minimum_version = ssl.TLSVersion.TLSv1_3\n"
">>> client_context.maximum_version = ssl.TLSVersion.TLSv1_3"

#: ../../library/ssl.rst:2760
msgid ""
"The SSL context created above will only allow TLSv1.3 and later (if "
"supported by your system) connections to a server. :const:"
"`PROTOCOL_TLS_CLIENT` implies certificate validation and hostname checks by "
"default. You have to load certificates into the context."
msgstr ""

#: ../../library/ssl.rst:2767
msgid "Cipher selection"
msgstr ""

#: ../../library/ssl.rst:2769
msgid ""
"If you have advanced security requirements, fine-tuning of the ciphers "
"enabled when negotiating a SSL session is possible through the :meth:"
"`SSLContext.set_ciphers` method.  Starting from Python 3.2.3, the ssl module "
"disables certain weak ciphers by default, but you may want to further "
"restrict the cipher choice. Be sure to read OpenSSL's documentation about "
"the `cipher list format <https://docs.openssl.org/1.1.1/man1/ciphers/#cipher-"
"list-format>`_. If you want to check which ciphers are enabled by a given "
"cipher list, use :meth:`SSLContext.get_ciphers` or the ``openssl ciphers`` "
"command on your system."
msgstr ""

#: ../../library/ssl.rst:2780
msgid "Multi-processing"
msgstr ""

#: ../../library/ssl.rst:2782
msgid ""
"If using this module as part of a multi-processed application (using, for "
"example the :mod:`multiprocessing` or :mod:`concurrent.futures` modules), be "
"aware that OpenSSL's internal random number generator does not properly "
"handle forked processes.  Applications must change the PRNG state of the "
"parent process if they use any SSL feature with :func:`os.fork`.  Any "
"successful call of :func:`~ssl.RAND_add` or :func:`~ssl.RAND_bytes` is "
"sufficient."
msgstr ""

#: ../../library/ssl.rst:2794
msgid "TLS 1.3"
msgstr "TLS 1.3"

#: ../../library/ssl.rst:2798
msgid ""
"The TLS 1.3 protocol behaves slightly differently than previous version of "
"TLS/SSL. Some new TLS 1.3 features are not yet available."
msgstr ""

#: ../../library/ssl.rst:2801
msgid ""
"TLS 1.3 uses a disjunct set of cipher suites. All AES-GCM and ChaCha20 "
"cipher suites are enabled by default.  The method :meth:`SSLContext."
"set_ciphers` cannot enable or disable any TLS 1.3 ciphers yet, but :meth:"
"`SSLContext.get_ciphers` returns them."
msgstr ""

#: ../../library/ssl.rst:2805
msgid ""
"Session tickets are no longer sent as part of the initial handshake and are "
"handled differently.  :attr:`SSLSocket.session` and :class:`SSLSession` are "
"not compatible with TLS 1.3."
msgstr ""

#: ../../library/ssl.rst:2808
msgid ""
"Client-side certificates are also no longer verified during the initial "
"handshake.  A server can request a certificate at any time.  Clients process "
"certificate requests while they send or receive application data from the "
"server."
msgstr ""

#: ../../library/ssl.rst:2812
msgid ""
"TLS 1.3 features like early data, deferred TLS client cert request, "
"signature algorithm configuration, and rekeying are not supported yet."
msgstr ""

#: ../../library/ssl.rst:2818
msgid "Class :class:`socket.socket`"
msgstr ":class:`socket.socket` 類別"

#: ../../library/ssl.rst:2819
msgid "Documentation of underlying :mod:`socket` class"
msgstr "底層 :mod:`socket` 類別的文件"

#: ../../library/ssl.rst:2821
msgid ""
"`SSL/TLS Strong Encryption: An Introduction <https://httpd.apache.org/docs/"
"trunk/en/ssl/ssl_intro.html>`_"
msgstr ""
"`SSL/TLS Strong Encryption: An Introduction <https://httpd.apache.org/docs/"
"trunk/en/ssl/ssl_intro.html>`_"

#: ../../library/ssl.rst:2822
msgid "Intro from the Apache HTTP Server documentation"
msgstr "Apache HTTP Server 文件的介紹"

#: ../../library/ssl.rst:2824
msgid ""
":rfc:`RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: "
"Certificate-Based Key Management <1422>`"
msgstr ""
":rfc:`RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: "
"Certificate-Based Key Management <1422>`"

#: ../../library/ssl.rst:2825
msgid "Steve Kent"
msgstr "Steve Kent"

#: ../../library/ssl.rst:2827
msgid ":rfc:`RFC 4086: Randomness Requirements for Security <4086>`"
msgstr ":rfc:`RFC 4086: Randomness Requirements for Security <4086>`"

#: ../../library/ssl.rst:2828
msgid "Donald E., Jeffrey I. Schiller"
msgstr "Donald E., Jeffrey I. Schiller"

#: ../../library/ssl.rst:2830
msgid ""
":rfc:`RFC 5280: Internet X.509 Public Key Infrastructure Certificate and "
"Certificate Revocation List (CRL) Profile <5280>`"
msgstr ""
":rfc:`RFC 5280: Internet X.509 Public Key Infrastructure Certificate and "
"Certificate Revocation List (CRL) Profile <5280>`"

#: ../../library/ssl.rst:2831
msgid "D. Cooper"
msgstr "D. Cooper"

#: ../../library/ssl.rst:2833
msgid ""
":rfc:`RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 "
"<5246>`"
msgstr ""
":rfc:`RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 "
"<5246>`"

#: ../../library/ssl.rst:2834
msgid "T. Dierks et. al."
msgstr "T. Dierks et. al."

#: ../../library/ssl.rst:2836
msgid ":rfc:`RFC 6066: Transport Layer Security (TLS) Extensions <6066>`"
msgstr ":rfc:`RFC 6066: Transport Layer Security (TLS) Extensions <6066>`"

#: ../../library/ssl.rst:2837
msgid "D. Eastlake"
msgstr "D. Eastlake"

#: ../../library/ssl.rst:2839
msgid ""
"`IANA TLS: Transport Layer Security (TLS) Parameters <https://www.iana.org/"
"assignments/tls-parameters/tls-parameters.xml>`_"
msgstr ""
"`IANA TLS: Transport Layer Security (TLS) Parameters <https://www.iana.org/"
"assignments/tls-parameters/tls-parameters.xml>`_"

#: ../../library/ssl.rst:2840
msgid "IANA"
msgstr "IANA"

#: ../../library/ssl.rst:2842
msgid ""
":rfc:`RFC 7525: Recommendations for Secure Use of Transport Layer Security "
"(TLS) and Datagram Transport Layer Security (DTLS) <7525>`"
msgstr ""
":rfc:`RFC 7525: Recommendations for Secure Use of Transport Layer Security "
"(TLS) and Datagram Transport Layer Security (DTLS) <7525>`"

#: ../../library/ssl.rst:2843
msgid "IETF"
msgstr "IETF"

#: ../../library/ssl.rst:2845
msgid ""
"`Mozilla's Server Side TLS recommendations <https://wiki.mozilla.org/"
"Security/Server_Side_TLS>`_"
msgstr ""
"`Mozilla's Server Side TLS recommendations <https://wiki.mozilla.org/"
"Security/Server_Side_TLS>`_"

#: ../../library/ssl.rst:2846
msgid "Mozilla"
msgstr "Mozilla"

#: ../../library/ssl.rst:12
msgid "OpenSSL"
msgstr "OpenSSL"

#: ../../library/ssl.rst:12
msgid "(use in module ssl)"
msgstr "（用於 ssl 模組）"

#: ../../library/ssl.rst:14
msgid "TLS"
msgstr "TLS"

#: ../../library/ssl.rst:14
msgid "SSL"
msgstr "SSL"

#: ../../library/ssl.rst:14
msgid "Transport Layer Security"
msgstr "Transport Layer Security（傳輸層安全）"

#: ../../library/ssl.rst:14
msgid "Secure Sockets Layer"
msgstr "Secure Sockets Layer（安全 socket 層）"

#: ../../library/ssl.rst:2157
msgid "certificates"
msgstr "certificates（憑證）"

#: ../../library/ssl.rst:2159
msgid "X509 certificate"
msgstr "X509 certificate（X509 憑證）"