def connect(self, host=None, port=None, cert=None, key=None):
        '''
        Connect to another portal somewhere. If retry is set, will attempt to reconnect
        with the target continuously. As of the time of this writing, you cannot stop a 
        polling connection without taking down the portal.

        :param retry: continuously attempt to connect on drops or rejections
        :type retry: bool.
        '''

        host = host if host else self.host
        port = port if port else self.port
        cert = cert if cert else self.certCa
        key = key if key else self.keyPrivate  # ???

        # the first term is the name the server is using in the cert (for now)
        ctx = optionsForClientTLS(u"pds.production", Certificate.loadPEM(cert), PrivateCertificate.loadPEM(key))

        factory = RiffleClientFactory()
        SSL4ClientEndpoint(reactor, host, port, ctx,).connect(factory)

        print 'Connecting to ' + host + ':' + str(port)
        avatar = yield factory.login(self)

        defer.returnValue(Levy(avatar))

    def setUp(self):
        """
        Create a L{PantheonHTTPChecker} pointed at a mock authentication service
        with some simple site and user information.
        """
        self.site = 'example.com'
        self.cwd = '/some/path'
        self.uid = 1542
        self.username = 'alice'
        self.password = 'correct password'
        keyString = FilePath(__file__).sibling('id_rsa').getContent()
        self.privateKey = Key.fromString(keyString)

        caKeyString = FilePath(__file__).sibling('cakey.pem').getContent()
        self.caKey = KeyPair.load(caKeyString, FILETYPE_PEM)
        caCertString = FilePath(__file__).sibling('cacert.pem').getContent()
        self.caCert = PrivateCertificate.load(
            caCertString, self.caKey, FILETYPE_PEM)

        self.resource = MockPantheonAuthResource(
            sites={self.site: [self.username]},
            authorizations={self.site: dict(cwd=self.cwd, uid=self.uid)},
            passwords={self.username: self.password},
            keys={self.username: self.privateKey},
            )
        self.server = MockPantheonAuthServer(
            reactor, self.resource, self.caCert)
        self.server.startService()
        self.addCleanup(self.server.stopService)

    def getFactory(self):
        if self.factory is None:
            if self.certificateFile is not None:
                cert = PrivateCertificate.loadPEM(
                    file(self.certificateFile).read())
                certOpts = CertificateOptions(
                    cert.privateKey.original,
                    cert.original,
                    requireCertificate=False,
                    method=SSL.SSLv23_METHOD)
            else:
                certOpts = None

            self.portal = portal.Portal(
                self.userbase, [self.userbase, checkers.AllowAnonymousAccess()])
            self.factory = ESMTPFactory(
                self.portal,
                self.domain,
                {'CRAM-MD5': credentials.CramMD5Credentials,
                 'LOGIN': imap4.LOGINCredentials,
                 },
                certOpts)
            if self.debug:
                self.factory = policies.TrafficLoggingFactory(self.factory, 'smtp')
        return self.factory

def clientCertFor(name):
    signingCert = getCAPrivateCert()
    clientKey = KeyPair.generate(size=4096)
    csr = clientKey.requestObject(DN(CN=name), "sha1")
    clientCert = signingCert.signRequestObject(
        csr, serialNumber=1, digestAlgorithm="sha1")
    return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)

def clientCertFor(p_name):
    l_signingCert = getCAPrivateCert()
    l_clientKey = KeyPair.generate(size = 4096)
    l_csr = l_clientKey.requestObject(DN(CN = p_name), "sha1")
    l_clientCert = l_signingCert.signRequestObject(
        l_csr, serialNumber = 1, digestAlgorithm = "sha1")
    return PrivateCertificate.fromCertificateAndKeyPair(l_clientCert, l_clientKey)

    def getServerContext(self):
        """
        Generate a new L{OpenSSL.SSL.Context} object configured to use a
        certificate signed by C{self.ca} and only accept connections from peers
        which are also using a certificate signed by C{self.ca}.
        """
        # Generate a new key for the server and have the CA sign a certificate
        # for it.
        key = KeyPair.generate(size=512)
        req = key.certificateRequest(DN(commonName='localhost'))
        certData = self.ca.signCertificateRequest(req, lambda dn: True, 1)
        cert = PrivateCertificate.load(certData, key)

        # Use the new key/certificate
        context = Context(TLSv1_METHOD)
        context.use_privatekey(key.original)
        context.use_certificate(cert.original)
        context.check_privatekey()

        # Allow peer certificates signed by the CA
        store = context.get_cert_store()
        store.add_cert(self.ca.original)

        # Verify the peer certificate and require that they have one.
        def verify(conn, cert, errno, depth, preverify_ok):
            return preverify_ok
        context.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify)
        return context

    def private_certificate(self):
        """
        Combine private key and certificate into a ``PrivateCertificate``.

        :return: ``PrivateCertificate`` instance.
        """
        return PrivateCertificate.fromCertificateAndKeyPair(
            self.certificate, self.keypair.keypair)

 def getServerContext(self):
     """
     Return a new SSL context suitable for use in a test server.
     """
     pem = self._pem.getContent()
     cert = PrivateCertificate.load(
         pem, KeyPair.load(pem, FILETYPE_PEM), FILETYPE_PEM)
     return cert.options()

def createCertOptions(server):
	pk = None
	cert = None
	if server.cert:
		pc = PrivateCertificate.loadPEM(open(server.cert,"rb").read())
		pk = pc.privateKey.original
		cert = pc.original
	tr = platformTrust() if server.verify else None
	return CertificateOptions(privateKey=pk, certificate=cert, trustRoot=tr)

def main(reactor):
    pemBytes = FilePath(b"ca-private-cert.pem").getContent()
    certificateAuthority = Certificate.loadPEM(pemBytes)
    myCertificate = PrivateCertificate.loadPEM(pemBytes)
    serverEndpoint = SSL4ServerEndpoint(
        reactor, 4321, myCertificate.options(certificateAuthority)
    )
    serverEndpoint.listen(Factory.forProtocol(ReportWhichClient))
    return Deferred()

def getCAPrivateCert():
    privatePath = FilePath(b"ca-private-cert.pem")
    if privatePath.exists():
        return PrivateCertificate.loadPEM(privatePath.getContent())
    else:
        caKey = KeyPair.generate(size=4096)
        caCert = caKey.selfSignedCert(1, CN="the-authority")
        privatePath.setContent(caCert.dumpPEM())
        return caCert

 def addSubprocesses(self, fds, name, factory):
     super(HendrixDeploySSL, self).addSubprocesses(fds, name, factory)
     if name == 'main_web_ssl':
         privateCert = PrivateCertificate.loadPEM(
             open(self.options['cert']).read() + open(self.options['key']).read()
         )
         factory = TLSMemoryBIOFactory(
             privateCert.options(), False, factory
         )

 def getServerContext(self):
     """
     Return a new SSL context suitable for use in a test server.
     """
     cert = PrivateCertificate.load(
         self._certificateText,
         KeyPair.load(self._privateKeyText, FILETYPE_PEM),
         FILETYPE_PEM)
     return cert.options()

    def open(self, port=None, cert=None):
        '''
        Listen for connections on the given port. 
        '''
        port = port if port else self.port
        cert = cert if cert else self.certCa

        ca = Certificate.loadPEM(cert)
        myCertificate = PrivateCertificate.loadPEM(cert)

        SSL4ServerEndpoint(reactor, port, myCertificate.options(ca)).listen(RiffleServerFactory(self))

 def getContextFactory(self):
     if SSL is None:
         raise RuntimeError("No SSL support: you need to install OpenSSL.")
     cert = PrivateCertificate.loadPEM(
         self.certificatePath.open().read())
     certOpts = CertificateOptions(
         cert.privateKey.original,
         cert.original,
         requireCertificate=False,
         method=SSL.SSLv23_METHOD)
     return certOpts

def start_ssl_cmd_server():
    with open(settings["Agent_Cert"], 'r') as certfile:
        certdata = certfile.read()
    if settings["Agent_Priv_Key"] != settings["Agent_Cert"]:
        with open(settings.get("Agent_Priv_Key"), 'r') as keyfile:
            certdata += keyfile.read()
    with open(settings.get("Broker_Cert"), 'r') as f:
        authdata = f.read()
    certificate = PrivateCertificate.loadPEM(certdata)
    authority = Certificate.loadPEM(authdata)
    factory = Factory.forProtocol(CommandHandler)
    reactor.listenSSL(int(settings.get("Command_Port")), factory, certificate.options(authority))

    def start(self, fd=None):
        pids = [str(os.getpid())]  # script pid

        if fd is None:
            # anything in this block is only run once

            # TODO add global services here, possibly add a services kwarg on
            # __init__
            self.addGlobalServices()

            self.hendrix.startService()
            if self.options['workers']:
                # Create a new listening port and several other processes to help out.
                childFDs = {0: 0, 1: 1, 2: 2}
                self.fds = {}
                for name in self.servers:
                    port = self.hendrix.get_port(name)
                    fd = port.fileno()
                    childFDs[fd] = fd
                    self.fds[name] = fd

                args = self.getSpawnArgs()
                transports = []
                for i in range(self.options['workers']):
                    transport = reactor.spawnProcess(
                        None, executable, args, childFDs=childFDs, env=environ
                    )
                    transports.append(transport)
                    pids.append(str(transport.pid))
            with open(self.pid, 'w') as pid_file:
                pid_file.write('\n'.join(pids))
        else:
            # Another process created the port, drop the tcp service and
            # just start listening on it.
            fds = pickle.loads(fd)
            factories = {}
            for name in self.servers:
                factory = self.disownService(name)
                factories[name] = factory
            self.hendrix.startService()
            for name, factory in factories.iteritems():
                if name == 'main_web_ssl':
                    privateCert = PrivateCertificate.loadPEM(
                        open(self.options['cert']).read() + open(self.options['key']).read()
                    )
                    factory = TLSMemoryBIOFactory(
                        privateCert.options(), False, factory
                    )
                port = reactor.adoptStreamPort(fds[name], AF_INET, factory)

        reactor.run()

def _create_tls_client_context(config, cbdir, log):
    """
    Create a CertificateOptions object for use with TLS listening endpoints.
    """
    # server hostname: The expected name of the remote host.
    hostname = config['hostname']

    # explicit trust (certificate) root
    ca_certs = None
    if 'ca_certificates' in config:
        log.info("TLS client using explicit trust ({cnt_certs} certificates)", cnt_certs=len(config['ca_certificates']))
        ca_certs = []
        for cert_fname in [os.path.abspath(os.path.join(cbdir, x)) for x in (config['ca_certificates'])]:
            cert = crypto.load_certificate(
                crypto.FILETYPE_PEM,
                six.u(open(cert_fname, 'r').read())
            )
            log.info("TLS client trust root CA certificate loaded from '{fname}'", fname=cert_fname)
            ca_certs.append(cert)
        ca_certs = OpenSSLCertificateAuthorities(ca_certs)
    else:
        log.info("TLS client using platform trust")

    # client key/cert to use
    client_cert = None
    if 'key' in config:
        if 'certificate' not in config:
            raise Exception('TLS client key present, but certificate missing')

        key_fname = os.path.abspath(os.path.join(cbdir, config['key']))
        with open(key_fname, 'r') as f:
            private_key = KeyPair.load(f.read(), format=crypto.FILETYPE_PEM)
            log.info("Loaded client TLS key from '{key_fname}'", key_fname=key_fname)

        cert_fname = os.path.abspath(os.path.join(cbdir, config['certificate']))
        with open(cert_fname, 'r') as f:
            cert = Certificate.loadPEM(f.read(),)
            log.info("Loaded client TLS certificate from '{cert_fname}' (cn='{cert_cn}', sha256={cert_sha256}..)",
                     cert_fname=cert_fname,
                     cert_cn=cert.getSubject().CN,
                     cert_sha256=cert.digest('sha256')[:12])

        client_cert = PrivateCertificate.fromCertificateAndKeyPair(cert, private_key)
    else:
        if 'certificate' in config:
            log.warn('TLS client certificate present, but key is missing')

    # create TLS client context
    ctx = optionsForClientTLS(hostname, trustRoot=ca_certs, clientCertificate=client_cert)

    return ctx

 def test_ssl(self):
     """
     When passed an SSL strports description, L{clientFromString} returns a
     L{SSL4ClientEndpoint} instance initialized with the values from the
     string.
     """
     reactor = object()
     client = endpoints.clientFromString(
         reactor,
         "ssl:host=example.net:port=4321:privateKey=%s:"
         "certKey=%s:bindAddress=10.0.0.3:timeout=3:caCertsDir=%s" %
          (escapedPEMPathName,
           escapedPEMPathName,
           escapedCAsPathName))
     self.assertIsInstance(client, endpoints.SSL4ClientEndpoint)
     self.assertIdentical(client._reactor, reactor)
     self.assertEqual(client._host, "example.net")
     self.assertEqual(client._port, 4321)
     self.assertEqual(client._timeout, 3)
     self.assertEqual(client._bindAddress, "10.0.0.3")
     certOptions = client._sslContextFactory
     self.assertIsInstance(certOptions, CertificateOptions)
     ctx = certOptions.getContext()
     self.assertIsInstance(ctx, ContextType)
     self.assertEqual(Certificate(certOptions.certificate),
                       testCertificate)
     privateCert = PrivateCertificate(certOptions.certificate)
     privateCert._setPrivateKey(KeyPair(certOptions.privateKey))
     self.assertEqual(privateCert, testPrivateCertificate)
     expectedCerts = [
         Certificate.loadPEM(x.getContent()) for x in
             [casPath.child("thing1.pem"), casPath.child("thing2.pem")]
         if x.basename().lower().endswith('.pem')
     ]
     self.assertEqual(sorted((Certificate(x) for x in certOptions.caCerts),
                             key=lambda cert: cert.digest()),
                      sorted(expectedCerts,
                             key=lambda cert: cert.digest()))

 def __init__(self, uri, verify, timeout=600, reactor=reactor, clientCert=None):
     Resource.__init__(self)
     self._uri = URLPath.fromString(uri)
     self._verify = verify
     self._timeout = timeout
     self._reactor = reactor
     pool = HTTPConnectionPool(reactor)
     if clientCert is not None:
         clientCert = PrivateCertificate.loadPEM(
             FilePath(clientCert).getContent())
     self._agent = Agent(
         reactor,
         StupidPolicyForHTTPS(InsecureTLSOptions(clientCert)),
         pool=pool)