summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Peterson <benjamin@python.org>2015-03-05 03:49:41 (GMT)
committerBenjamin Peterson <benjamin@python.org>2015-03-05 03:49:41 (GMT)
commit990fcaac3c428569697f62a80fd95ab4d4b93151 (patch)
tree5bcaae3384ac88a2749f9422f72708c6a2faa1e7
parentfdb19715879babc580f63bc129f5b0ff46482d1c (diff)
downloadcpython-990fcaac3c428569697f62a80fd95ab4d4b93151.zip
cpython-990fcaac3c428569697f62a80fd95ab4d4b93151.tar.gz
cpython-990fcaac3c428569697f62a80fd95ab4d4b93151.tar.bz2
expose X509_V_FLAG_TRUSTED_FIRST
Diffstat
-rw-r--r--Doc/library/ssl.rst14
-rw-r--r--Lib/test/test_ssl.py5
-rw-r--r--Modules/_ssl.c4
3 files changed, 18 insertions, 5 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 015e0db..bb30d0f 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -499,9 +499,9 @@ Constants
.. data:: VERIFY_DEFAULT
- Possible value for :attr:`SSLContext.verify_flags`. In this mode,
- certificate revocation lists (CRLs) are not checked. By default OpenSSL
- does neither require nor verify CRLs.
+ Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
+ revocation lists (CRLs) are not checked. By default OpenSSL does neither
+ require nor verify CRLs.
.. versionadded:: 3.4
@@ -529,6 +529,14 @@ Constants
.. versionadded:: 3.4
+.. data:: VERIFY_X509_TRUSTED_FIRST
+
+ Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+ prefer trusted certificates when building the trust chain to validate a
+ certificate. This flag is enabled by default.
+
+ .. versionadded:: 3.4.5
+
.. data:: PROTOCOL_SSLv23
Selects the highest protocol version that both the client and server support.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index dc82475..6353e23 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -710,8 +710,9 @@ class ContextTests(unittest.TestCase):
"verify_flags need OpenSSL > 0.9.8")
def test_verify_flags(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # default value by OpenSSL
- self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
+ # default value
+ tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+ self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a5b94eb..9bd0776 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4004,6 +4004,10 @@ PyInit__ssl(void)
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
X509_V_FLAG_X509_STRICT);
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+ PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
+ X509_V_FLAG_TRUSTED_FIRST);
+#endif
/* Alert Descriptions from ssl.h */
/* note RESERVED constants no longer intended for use have been removed */
generated by cgit v0.12 at 2025-08-29 12:05:03 (GMT)