author | Christian Heimes <christian@python.org> | 2018-01-27 14:51:38 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-27 14:51:38 (GMT) |
commit | 61d478c71c5341cdc54e6bfb4ace4252852fd972 (patch) | |
tree | 5ad17242b4c341df03664ee5cde87cdb80b0ee50 /Doc/whatsnew | |
parent | 746cc75541f31278864a10b995e7d009bd2ff053 (diff) | |
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host; libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standards-conformant.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Doc/whatsnew')
-rw-r--r-- | Doc/whatsnew/3.7.rst | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 133975a..1ece6a3 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst @@ -568,6 +568,32 @@ can be set within the scope of a group. ``'^$'`` or ``(?=-)`` that matches an empty string. (Contributed by Serhiy Storchaka in :issue:`25054`.) +ssl +--- + +The ssl module now uses OpenSSL's builtin API instead of +:func:`~ssl.match_hostname` to check host name or IP address. Values +are validated during TLS handshake. Any cert validation error including +a failing host name match now raises :exc:`~ssl.SSLCertVerificationError` and +aborts the handshake with a proper TLS Alert message. The new exception +contains additional information. Host name validation can be customized +with :attr:`~ssl.SSLContext.host_flags`. +(Contributed by Christian Heimes in :issue:`31399`.) + +.. note:: + The improved host name check requires an OpenSSL 1.0.2 or 1.1 compatible + libssl. OpenSSL 0.9.8 and 1.0.1 are no longer supported. LibreSSL is + temporarily not supported until it gains the necessary OpenSSL 1.0.2 APIs. + +The ssl module no longer sends IP addresses in SNI TLS extension. +(Contributed by Christian Heimes in :issue:`32185`.) + +:func:`~ssl.match_hostname` no longer supports partial wildcards like +``www*.example.org``. :attr:`~ssl.SSLContext.host_flags` has partial +wildcard matching disabled by default. +(Contributed by Mandeep Singh in :issue:`23033` and Christian Heimes in +:issue:`31399`.) + string ------ @@ -1120,6 +1146,12 @@ Other CPython implementation changes emitted in the first place), and an explicit ``error::BytesWarning`` warnings filter added to convert them to exceptions. +* CPython' :mod:`ssl` module requires OpenSSL 1.0.2 or 1.1 compatible libssl. + OpenSSL 1.0.1 has reached end of lifetime on 2016-12-31 and is no longer + supported. LibreSSL is temporarily not supported as well. LibreSSL releases + up to version 2.6.4 are missing required OpenSSL 1.0.2 APIs. + + Documentation ============= |
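Review bot: In the first hunk (the new ``ssl`` section at line 568), the text tells readers to customize host name validation via :attr:`~ssl.SSLContext.host_flags`, while the commit message lists ``hostname_checks_common_name`` as the attribute being added; the whatsnew entry should name the attribute users are actually expected to set, and if both exist, say which one is the supported public knob. "The new exception contains additional information" is too vague for a whatsnew entry: state which attributes :exc:`~ssl.SSLCertVerificationError` carries beyond a plain :exc:`~ssl.SSLError`, since that is what code catching it will inspect. The sentence "Any cert validation error including a failing host name match now raises ..." needs commas around "including a failing host name match". The change that :func:`~ssl.match_hostname` rejects partial wildcards such as ``www*.example.org`` alters the behaviour of a public function, so it should also be listed (or cross-referenced) in the porting / changed-API part of the document, not only in the module section.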
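Review bot: In the second hunk (the "Other CPython implementation changes" bullet at line 1146), "CPython' :mod:`ssl` module" is missing the possessive and should read "CPython's :mod:`ssl` module"; "has reached end of lifetime on 2016-12-31" should be "reached end of life on 2016-12-31". The bullet restates the OpenSSL 1.0.2 / 1.1 and LibreSSL requirement already given in the ``.. note::`` of the new ``ssl`` section in the same file, but only this copy carries the LibreSSL version detail (releases up to 2.6.4); keep that detail in one place and cross-reference it from the other so the two statements do not drift. Since this is a build-time dependency on libssl rather than an interpreter behaviour change, consider whether the build changes / porting section is the better home for it.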