author Raymond Hettinger <python@rcn.com> 2011-01-17 21:29:58 (GMT)
committer Raymond Hettinger <python@rcn.com> 2011-01-17 21:29:58 (GMT)
commit 4854d14f55a8c7a6c7ad59ce12aa86658f925981
tree 9a52fe94d00ebe25e9d10578e1d757e41c61c9f1
parent 6e7f5823d0fcd9a67d69e6225798d545688efc79
Tidy-up the ssl section.
-rw-r--r-- Doc/whatsnew/3.2.rst 71
1 files changed, 33 insertions, 38 deletions
diff --git a/Doc/whatsnew/3.2.rst b/Doc/whatsnew/3.2.rst
index bdcf588..9bef0ca 100644
--- a/Doc/whatsnew/3.2.rst
+++ b/Doc/whatsnew/3.2.rst
@@ -1040,8 +1040,7 @@ by Georg Brandl in :issue:`8046` and :issue:`1286`.)
The :class:`~ftplib.FTP_TLS` class now accepts a *context* parameter, which is a
:class:`ssl.SSLContext` object allowing bundling SSL configuration options,
-certificates and private keys into a single (potentially long-lived)
-structure.
+certificates and private keys into a single (potentially long-lived) structure.
(Contributed by Giampaolo RodolĂ ; :issue:`8806`.)
@@ -1134,48 +1133,44 @@ The :mod:`socket` module has two new improvements.
ssl
---
-The :mod:`ssl` module gains an array of new functionalities which make it much easier
-to satisfy common requirements for secure (encrypted, authenticated) connections
-over the Internet:
+The :mod:`ssl` module added a number of features to satisfy common requirements
+for secure (encrypted, authenticated) internet connections:
-* A new class, :class:`~ssl.SSLContext`, serves as a container for various
- persistent SSL data, such as protocol settings, certificates, private keys,
- and various other options. The :meth:`~ssl.SSLContext.wrap_socket` method
- allows to create an SSL socket from such an SSL context. (Added by Antoine
- Pitrou; :issue:`8550`.)
+* A new class, :class:`~ssl.SSLContext`, serves as a container for persistent
+ SSL data, such as protocol settings, certificates, private keys, and various
+ other options. It includes a :meth:`~ssl.SSLContext.wrap_socket` for creating
+ an SSL socket from an SSL context.
-* A new function, :func:`ssl.match_hostname`, helps implement server identity
- verification for higher-level protocols by implementing the rules of
- HTTPS (from :rfc:`2818`), which are also suitable for other protocols.
- (Added by Antoine Pitrou, :issue:`1589`).
+* A new function, :func:`ssl.match_hostname`, supports server identity
+ verification for higher-level protocols by implementing the rules of HTTPS
+ (from :rfc:`2818`) which are also suitable for other protocols.
* The :func:`ssl.wrap_socket` constructor function now takes a *ciphers*
- argument that's a string listing the encryption algorithms to be allowed; the
- format of the string is described `in the OpenSSL documentation
- <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`__. (Added
- by Antoine Pitrou; :issue:`8322`.)
-
-* When linked against a recent enough version of OpenSSL, the :mod:`ssl`
- module now supports the Server Name Indication extension to the TLS
- protocol, allowing for several "virtual hosts" using different certificates
- on a single IP/port. This extension is only supported in client mode,
- and is activated by passing the *server_hostname* argument to
- :meth:`ssl.SSLContext.wrap_socket`.
- (Added by Antoine Pitrou, :issue:`5639`.)
+ argument. The *ciphers* string lists the allowed encryption algorithms using
+ the format described in the `OpenSSL documentation
+ <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`__.
+
+* When linked against recent versions of OpenSSL, the :mod:`ssl` module now
+ supports the Server Name Indication extension to the TLS protocol, allowing
+ multiple "virtual hosts" using different certificates on a single IP port.
+ This extension is only supported in client mode, and is activated by passing
+ the *server_hostname* argument to :meth:`ssl.SSLContext.wrap_socket`.
* Various options have been added to the :mod:`ssl` module, such as
- :data:`~ssl.OP_NO_SSLv2` which allows to force disabling of the insecure and
- obsolete SSLv2 protocol. (Added by Antoine Pitrou; :issue:`4870`.)
-
-* Another change makes the extension load all of OpenSSL's ciphers and digest
- algorithms so that they're all available. Some SSL certificates couldn't be
- verified, reporting an "unknown algorithm" error. (Reported by Beda Kosata,
- and fixed by Antoine Pitrou; :issue:`8484`.)
-
-* The version of OpenSSL being used is now available as the module attributes
- :data:`ssl.OPENSSL_VERSION` (a string), :data:`ssl.OPENSSL_VERSION_INFO` (a
- 5-tuple), and :data:`ssl.OPENSSL_VERSION_NUMBER` (an integer). (Added by
- Antoine Pitrou; :issue:`8321`.)
+ :data:`~ssl.OP_NO_SSLv2` which disables the insecure and obsolete SSLv2
+ protocol.
+
+* The extension now loads all the OpenSSL ciphers and digest algorithms. If
+ some SSL certificates cannot be verified, they are reported as an "unknown
+ algorithm" error.
+
+* The version of OpenSSL being used is now accessible using the module
+ attributes :data:`ssl.OPENSSL_VERSION` (a string),
+ :data:`ssl.OPENSSL_VERSION_INFO` (a 5-tuple), and
+ :data:`ssl.OPENSSL_VERSION_NUMBER` (an integer).
+
+(Contributed by Antoine Pitrou in :issue:`8850`, :issue:`1589`, :issue:`8322`,
+:issue:`5639`, :issue:`4870`, :issue:`8484`, and :issue:`8321`.)
nntp
----
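
Review bot: The consolidated credit line at the end of the ssl section cites :issue:`8850`, but the SSLContext bullet it replaces credited :issue:`8550`; this looks like transposed digits and should read :issue:`8550`. The reworded bullet "If some SSL certificates cannot be verified, they are reported as an "unknown algorithm" error" also changes the meaning: the removed text presented loading all of OpenSSL's ciphers and digest algorithms as the fix for certificates that could not be verified and failed with that error, while the new sentence reads as if the error is the current, intended behaviour. Suggest wording along the lines of "This fixes "unknown algorithm" errors when verifying some SSL certificates." Merging the credits also drops the reporter credit for Beda Kosata on :issue:`8484`. Two smaller points: "It includes a :meth:`~ssl.SSLContext.wrap_socket` for creating" is missing the word "method" after the role, and "a single IP port" loses the sense of the removed "IP/port" (one address and port pair).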