author | Benjamin Peterson <benjamin@python.org> | 2015-03-05 03:49:41 (GMT) |
committer | Benjamin Peterson <benjamin@python.org> | 2015-03-05 03:49:41 (GMT) |
commit | 72ef9610593bfee5f504f9070482a265ac5eac69 (patch) | |
tree | 33837c10c7d44aa8a631d435140f73453e89003a | |
parent | b1ebba5bd569ede9b6f9573d6618fb3a6abddae5 (diff) | |
expose X509_V_FLAG_TRUSTED_FIRST
-rw-r--r-- | Doc/library/ssl.rst | 14 | ||||
-rw-r--r-- | Lib/test/test_ssl.py | 5 | ||||
-rw-r--r-- | Modules/_ssl.c | 4 |
3 files changed, 18 insertions, 5 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index b261eee..d328c2b 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -482,9 +482,9 @@ Constants
 .. data:: VERIFY_DEFAULT
- Possible value for :attr:`SSLContext.verify_flags`. In this mode,
- certificate revocation lists (CRLs) are not checked. By default OpenSSL
- does neither require nor verify CRLs.
+ Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
+ revocation lists (CRLs) are not checked. By default OpenSSL does neither
+ require nor verify CRLs.
 .. versionadded:: 2.7.9
@@ -512,6 +512,14 @@ Constants
 .. versionadded:: 2.7.9
+.. data:: VERIFY_X509_TRUSTED_FIRST
+
+ Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+ prefer trusted certificates when building the trust chain to validate a
+ certificate. This flag is enabled by default.
+
+ .. versionadded:: 2.7.10
+
 .. data:: PROTOCOL_SSLv23
 Selects the highest protocol version that both the client and server support.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index e9e80ee..b2d57cf 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -749,8 +749,9 @@ class ContextTests(unittest.TestCase):
 "verify_flags need OpenSSL > 0.9.8")
 def test_verify_flags(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # default value by OpenSSL
- self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
+ # default value
+ tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+ self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 309d00b..8515c0f 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
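Review bot: The two unchanged lines right after the added ones, `ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF` and `self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)`, can only both hold on a build where `tf` is non-zero if plain assignment to `verify_flags` replaces the whole mask and so drops the default `VERIFY_X509_TRUSTED_FIRST` bit (presumably what the setter does), which means the test now silently documents that turning on CRL checking the obvious way also turns off trusted-first chain building. That deserves to be explicit rather than implied: add `self.assertFalse(ctx.verify_flags & tf)` after that first `assertEqual`, and have the `VERIFY_X509_TRUSTED_FIRST` entry in ssl.rst (which this commit adds and which only says the flag is on by default) tell callers to write `ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF` if they want to keep it. The `getattr(..., 0)` fallback also makes the default-value assertion degrade to the old check on builds that lack the constant, which is fine but should be said, e.g. `# older OpenSSL builds lack TRUSTED_FIRST; the default is then just VERIFY_DEFAULT` in place of the bare `# default value`. test_verify_flags starts inside the hunk but continues past its end.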
@@ -4052,6 +4052,10 @@ init_ssl(void)
 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
 X509_V_FLAG_X509_STRICT);
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+ PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
+ X509_V_FLAG_TRUSTED_FIRST);
+#endif
 /* Alert Descriptions from ssl.h */
 /* note RESERVED constants no longer intended for use have been removed */
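Review bot: The `#ifdef X509_V_FLAG_TRUSTED_FIRST` guard makes `ssl.VERIFY_X509_TRUSTED_FIRST` an optional module attribute, unlike `VERIFY_X509_STRICT` registered unconditionally just above it, and neither this hunk nor the ssl.rst text added by the same commit tells a reader that the name may be missing or that the headers the module was compiled against, not the OpenSSL library loaded at runtime, decide whether it exists. A one-line comment at the guard would carry that: `/* Only in newer OpenSSL headers; Python callers must getattr() this name. */`. Since the attribute is a poor indicator of whether trusted-first chain building is actually in effect, the documentation should point callers at `ctx.verify_flags` on a live context instead. init_ssl continues on both sides of the hunk.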