The do_handshake() method of SSLSocket class in Python

Method Name:

do_handshake

Method Signature:

do_handshake(block=False)

Parameters:

block – Default value is False. When specified True depends on the timeout value of socket for the duration of blocking before handshake is complete.

Return Value:

None

Overview:

The method do_handshake() does the TLS handshaking with the peer.
While the TLS handshaking can be done as part of connecting with the peer, it can also be opted for later by calling the do_handshake() explicitly.
In the Python code example below, if the wrap_socket() method on the SSLContext instance is called with do_handshake_on_connect = True (which is the default behaviour), then the time taken for the connect() will be more as it includes the time for completing the TLS handshake.

TLS Handshake:

The TLS handshake (also still called as SSL handshake) involves exchanging information and deciding on the following for the TLS communication being established:

The TLS version
Compression method
The cipher suit
Validating the identity of server and the client
Generation of Session Keys.

Example:

# Example Python program that uses an SSLSocket instance to
# connect to a server with SSL handshaking done explicitly through
# do_handshake() method

import socket
import ssl
import platform
import time

# Context creation
sslContext = ssl.create_default_context();
sslContext.verify_mode = ssl.CERT_REQUIRED;

# Check for OS X platform
if platform.system().lower() == 'darwin':
import certifi
import os

# Load the CA certificates used for validating the peer's certificate
sslContext.load_verify_locations(cafile=os.path.relpath(certifi.where()),
capath=None,
cadata=None);
# Create an SSLSocket
clientSocket = socket.socket();
secureClientSocket = sslContext.wrap_socket(clientSocket,
do_handshake_on_connect=False,
server_hostname="example.org");

# Only connect, no handshake
t1 = time.time();

retval = secureClientSocket.connect(("example.org", 443));
print("Time taken to establish the connection:%2.3f"%(time.time() - t1));

# Explicit handshake
t3 = time.time();
secureClientSocket.do_handshake();
print("Time taken for SSL handshake:%2.3f"%(time.time() - t3));

# Get the certificate of the server and print
serverCertificate = secureClientSocket.getpeercert();
print("Certificate obtained from the server:");
print(serverCertificate);

Output:

Time taken to establish the connection:0.331
Time taken for SSL handshake:0.433
Certificate obtained from the server:
{'subject': ((('countryName', 'US'),), (('stateOrProvinceName', 'California'),), (('localityName', 'Los Angeles'),), (('organizationName', 'Internet Corporation for Assigned Names and Numbers'),), (('commonName', '*.example.org'),)), 'issuer': ((('countryName', 'US'),), (('organizationName', 'DigiCert Inc'),), (('commonName', 'DigiCert Global G3 TLS ECC SHA384 2020 CA1'),)), 'version': 3, 'serialNumber': '0722A749B558476196D554445EDBD254', 'notBefore': 'Jan 15 00:00:00 2025 GMT', 'notAfter': 'Jan 15 23:59:59 2026 GMT', 'subjectAltName': (('DNS', '*.example.org'), ('DNS', 'example.org')), 'OCSP': ('http://ocsp.digicert.com',), 'caIssuers': ('http://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crt',), 'crlDistributionPoints': ('http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl', 'http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl')}