author | Raymond Hettinger <python@rcn.com> | 2011-01-17 21:29:58 (GMT) |
---|---|---|
committer | Raymond Hettinger <python@rcn.com> | 2011-01-17 21:29:58 (GMT) |
commit | 4854d14f55a8c7a6c7ad59ce12aa86658f925981 (patch) | |
tree | 9a52fe94d00ebe25e9d10578e1d757e41c61c9f1 | |
parent | 6e7f5823d0fcd9a67d69e6225798d545688efc79 (diff) | |
Tidy-up the ssl section.
-rw-r--r-- | Doc/whatsnew/3.2.rst | 71 |
1 files changed, 33 insertions, 38 deletions
diff --git a/Doc/whatsnew/3.2.rst b/Doc/whatsnew/3.2.rst index bdcf588..9bef0ca 100644 --- a/Doc/whatsnew/3.2.rst +++ b/Doc/whatsnew/3.2.rst @@ -1040,8 +1040,7 @@ by Georg Brandl in :issue:`8046` and :issue:`1286`.) The :class:`~ftplib.FTP_TLS` class now accepts a *context* parameter, which is a :class:`ssl.SSLContext` object allowing bundling SSL configuration options, -certificates and private keys into a single (potentially long-lived) -structure. +certificates and private keys into a single (potentially long-lived) structure. (Contributed by Giampaolo RodolĂ ; :issue:`8806`.) 
@@ -1134,48 +1133,44 @@ The :mod:`socket` module has two new improvements. ssl --- -The :mod:`ssl` module gains an array of new functionalities which make it much easier -to satisfy common requirements for secure (encrypted, authenticated) connections -over the Internet: +The :mod:`ssl` module added a number of features to satisfy common requirements +for secure (encrypted, authenticated) internet connections: -* A new class, :class:`~ssl.SSLContext`, serves as a container for various - persistent SSL data, such as protocol settings, certificates, private keys, - and various other options. The :meth:`~ssl.SSLContext.wrap_socket` method - allows to create an SSL socket from such an SSL context. (Added by Antoine - Pitrou; :issue:`8550`.) +* A new class, :class:`~ssl.SSLContext`, serves as a container for persistent + SSL data, such as protocol settings, certificates, private keys, and various + other options. It includes a :meth:`~ssl.SSLContext.wrap_socket` for creating + an SSL socket from an SSL context. -* A new function, :func:`ssl.match_hostname`, helps implement server identity - verification for higher-level protocols by implementing the rules of - HTTPS (from :rfc:`2818`), which are also suitable for other protocols. - (Added by Antoine Pitrou, :issue:`1589`). +* A new function, :func:`ssl.match_hostname`, supports server identity + verification for higher-level protocols by implementing the rules of HTTPS + (from :rfc:`2818`) which are also suitable for other protocols. * The :func:`ssl.wrap_socket` constructor function now takes a *ciphers* - argument that's a string listing the encryption algorithms to be allowed; the - format of the string is described `in the OpenSSL documentation - <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`__. (Added - by Antoine Pitrou; :issue:`8322`.) 
- -* When linked against a recent enough version of OpenSSL, the :mod:`ssl` - module now supports the Server Name Indication extension to the TLS - protocol, allowing for several "virtual hosts" using different certificates - on a single IP/port. This extension is only supported in client mode, - and is activated by passing the *server_hostname* argument to - :meth:`ssl.SSLContext.wrap_socket`. - (Added by Antoine Pitrou, :issue:`5639`.) + argument. The *ciphers* string lists the allowed encryption algorithms using + the format described in the `OpenSSL documentation + <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`__. + +* When linked against recent versions of OpenSSL, the :mod:`ssl` module now + supports the Server Name Indication extension to the TLS protocol, allowing + multiple "virtual hosts" using different certificates on a single IP port. + This extension is only supported in client mode, and is activated by passing + the *server_hostname* argument to :meth:`ssl.SSLContext.wrap_socket`. * Various options have been added to the :mod:`ssl` module, such as - :data:`~ssl.OP_NO_SSLv2` which allows to force disabling of the insecure and - obsolete SSLv2 protocol. (Added by Antoine Pitrou; :issue:`4870`.) - -* Another change makes the extension load all of OpenSSL's ciphers and digest - algorithms so that they're all available. Some SSL certificates couldn't be - verified, reporting an "unknown algorithm" error. (Reported by Beda Kosata, - and fixed by Antoine Pitrou; :issue:`8484`.) - -* The version of OpenSSL being used is now available as the module attributes - :data:`ssl.OPENSSL_VERSION` (a string), :data:`ssl.OPENSSL_VERSION_INFO` (a - 5-tuple), and :data:`ssl.OPENSSL_VERSION_NUMBER` (an integer). (Added by - Antoine Pitrou; :issue:`8321`.) + :data:`~ssl.OP_NO_SSLv2` which disables the insecure and obsolete SSLv2 + protocol. + +* The extension now loads all the OpenSSL ciphers and digest algorithms. 
If + some SSL certificates cannot be verified, they are reported as an "unknown + algorithm" error. + +* The version of OpenSSL being used is now accessible using the module + attributes :data:`ssl.OPENSSL_VERSION` (a string), + :data:`ssl.OPENSSL_VERSION_INFO` (a 5-tuple), and + :data:`ssl.OPENSSL_VERSION_NUMBER` (an integer). + +(Contributed by Antoine Pitrou in :issue:`8850`, :issue:`1589`, :issue:`8322`, +:issue:`5639`, :issue:`4870`, :issue:`8484`, and :issue:`8321`.) nntp ---- |
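Review bot: In the ssl hunk, the new consolidated credit line cites :issue:`8850`, but the SSLContext bullet it replaces cited :issue:`8550`; this looks like transposed digits and should read :issue:`8550`. Two further points in the same hunk. The rewritten cipher-loading bullet ("If some SSL certificates cannot be verified, they are reported as an "unknown algorithm" error") now reads as a description of current behaviour, whereas the removed text described the verification failure that loading all of OpenSSL's ciphers and digests fixed, so word it as a fix. The "Reported by Beda Kosata" credit from the removed bullet is not carried into the new credit line. The SSLContext bullet also needs a noun after the role: "It includes a :meth:`~ssl.SSLContext.wrap_socket` method for creating an SSL socket from an SSL context."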