8.2.8. Enable SSL in Python Clients

To use SSL with the Python client, either:
  1. Use a URL of the form amqps://<host>:<port>, where host is the broker's hostname and port is the broker's SSL port (usually 5671), or
  2. Set the 'transport' attribute of the connection to "ssl".
The Python client has some limitations in SSL functionality. In short: server authentication must be explicitly demanded (by supplying ssl_trustfile), and the client name must be explicitly provided when using the EXTERNAL SASL mechanism for authentication.
  • The Python client has an optional parameter ssl_trustfile (see Python SSL Parameters). Only when this parameter is specified is the server's certificate validated against the trust store; without it the broker is not authenticated at all.
  • The Python client matches the server's SSL certificate against the connection hostname only when the optional parameter ssl_trustfile is supplied.
  • When using the EXTERNAL SASL mechanism for authentication, you must provide the client name in the connection string (the user part of the URL, e.g. amqps://<client>@<host>:<port>), and it must match the identity in the client's SSL certificate. The connection fails if the client name is omitted from the connection string, or if the client name provided does not match the identity of the SSL certificate.
Python SSL Parameters

The QPID Python client accepts the following SSL-related configuration parameters:

  • ssl_certfile - the path to a file that contains the PEM-formatted certificate used to identify the local side of the connection (the client). This is needed if the server requires client-side authentication.
  • ssl_keyfile - In some cases the client's private key is stored in the same file as the certificate (i.e. ssl_certfile). If the ssl_certfile does not contain the client's private key, this parameter must be set to the path to a file containing the private key in PEM file format.
  • ssl_skip_hostname_check - When set to true, verification of the connection hostname against the server certificate is skipped. Leave this unset (false) in production: with the check skipped, any certificate issued by a trusted CA, for any hostname, is accepted as the broker's.
  • ssl_trustfile - this parameter contains a path to a PEM-formatted file containing a chain of trusted Certificate Authority (CA) certificates. These certificates are used to authenticate the remote server.
These parameters are passed as keyword arguments to the qpid.Connection() object (qpid.messaging.Connection in the messaging API) when it is constructed. For example:
    from qpid.messaging import Connection

    # amqps selects SSL; the client certificate and key authenticate the client to the broker
    Connection("amqps://client@127.0.0.1:5671", ssl_certfile="/path/to/certfile", ssl_keyfile="/path/to/keyfile")
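As an added example (not code from this page or the Qpid project), the following Python helper assembles the connection URL and keyword options described above and rejects the misconfigurations that would otherwise surface only as a failed connection: no ssl_trustfile (so the broker would go unauthenticated), and EXTERNAL without a client name or client certificate. The option names ssl_certfile, ssl_keyfile, ssl_trustfile and ssl_skip_hostname_check are those listed above; sasl_mechanisms, qpid.messaging.Connection and its open() method are assumed from the qpid.messaging API. Requiring ssl_trustfile unconditionally is a hardening choice of this example, not a rule the client enforces.

```python
"""Build and validate SSL settings for the Qpid Python client (added example).

Assumptions: option names follow the parameter list above; "sasl_mechanisms"
and qpid.messaging.Connection(...).open() are taken from the qpid.messaging API.
"""


def ssl_connection_settings(host, port=5671, client_name=None,
                            ssl_certfile=None, ssl_keyfile=None,
                            ssl_trustfile=None, sasl_mechanisms=None,
                            ssl_skip_hostname_check=False):
    """Return (url, options) for Connection(url, **options), or raise ValueError.

    The checks mirror the failure modes described above so a bad configuration
    is reported locally rather than as an opaque error from the broker.
    """
    if not host or ":" in host:
        raise ValueError("host must be a bare hostname or IP address without a port")

    # The amqps scheme is what selects the SSL transport; the user part of the
    # URL is the client name the EXTERNAL mechanism presents to the broker.
    user = f"{client_name}@" if client_name else ""
    url = f"amqps://{user}{host}:{port}"

    options = {}

    # Server authentication: without a trustfile the client performs neither
    # chain validation nor the hostname check, so demand it (example policy).
    if ssl_trustfile is None:
        raise ValueError("ssl_trustfile is required so the broker certificate is validated")
    options["ssl_trustfile"] = ssl_trustfile
    if ssl_skip_hostname_check:
        # Allowed by the client, but it defeats the hostname check; keep it explicit.
        options["ssl_skip_hostname_check"] = True

    # Client authentication: the certificate, plus the key if stored separately.
    if ssl_certfile is not None:
        options["ssl_certfile"] = ssl_certfile
        if ssl_keyfile is not None:
            options["ssl_keyfile"] = ssl_keyfile

    if sasl_mechanisms is not None:
        options["sasl_mechanisms"] = sasl_mechanisms
        if sasl_mechanisms == "EXTERNAL":
            # Both omissions make the broker reject the connection. A client name
            # that does not match the certificate identity is only detected by
            # the broker, so choose it from the certificate's subject.
            if not client_name:
                raise ValueError("EXTERNAL needs the client name in the URL (amqps://<client>@host:port)")
            if ssl_certfile is None:
                raise ValueError("EXTERNAL needs a client certificate (ssl_certfile)")

    return url, options


def open_ssl_connection(host, **kwargs):
    """Validate the settings, then open the connection.

    qpid.messaging is imported lazily so the settings builder above can be
    exercised on a machine without the qpid package installed.
    """
    from qpid.messaging import Connection  # assumed: Qpid Python messaging API
    url, options = ssl_connection_settings(host, **kwargs)
    conn = Connection(url, **options)
    conn.open()
    return conn
```

Call open_ssl_connection("broker.example", client_name="client", ssl_certfile="/path/to/certfile", ssl_keyfile="/path/to/keyfile", ssl_trustfile="/path/to/ca.pem", sasl_mechanisms="EXTERNAL") to get an authenticated, mutually verified connection; omit sasl_mechanisms and ssl_certfile for server-only authentication.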