author: Christian Heimes <christian@python.org> 2018-01-27 14:51:38 (GMT)
committer: GitHub <noreply@github.com> 2018-01-27 14:51:38 (GMT)
commit: 61d478c71c5341cdc54e6bfb4ace4252852fd972 (patch)
tree: 5ad17242b4c341df03664ee5cde87cdb80b0ee50 /Doc/whatsnew
parent: 746cc75541f31278864a10b995e7d009bd2ff053 (diff)
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP

The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.

* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standards conformant.
* Add hostname_checks_common_name

Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Doc/whatsnew')
-rw-r--r-- Doc/whatsnew/3.7.rst | 32
1 files changed, 32 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
index 133975a..1ece6a3 100644
--- a/Doc/whatsnew/3.7.rst
+++ b/Doc/whatsnew/3.7.rst
@@ -568,6 +568,32 @@ can be set within the scope of a group.
``'^$'`` or ``(?=-)`` that matches an empty string.
(Contributed by Serhiy Storchaka in :issue:`25054`.)
+ssl
+---
+
+The ssl module now uses OpenSSL's builtin API instead of
+:func:`~ssl.match_hostname` to check host name or IP address. Values
+are validated during TLS handshake. Any cert validation error including
+a failing host name match now raises :exc:`~ssl.SSLCertVerificationError` and
+aborts the handshake with a proper TLS Alert message. The new exception
+contains additional information. Host name validation can be customized
+with :attr:`~ssl.SSLContext.host_flags`.
+(Contributed by Christian Heimes in :issue:`31399`.)
+
+.. note::
+ The improved host name check requires an OpenSSL 1.0.2 or 1.1 compatible
+ libssl. OpenSSL 0.9.8 and 1.0.1 are no longer supported. LibreSSL is
+ temporarily not supported until it gains the necessary OpenSSL 1.0.2 APIs.
+
+The ssl module no longer sends IP addresses in SNI TLS extension.
+(Contributed by Christian Heimes in :issue:`32185`.)
+
+:func:`~ssl.match_hostname` no longer supports partial wildcards like
+``www*.example.org``. :attr:`~ssl.SSLContext.host_flags` has partial
+wildcard matching disabled by default.
+(Contributed by Mandeep Singh in :issue:`23033` and Christian Heimes in
+:issue:`31399`.)
+
string
------
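Review bot: The new ssl section leaves out two user-visible changes that the commit message lists: the added :attr:`~ssl.SSLContext.hostname_checks_common_name` attribute and the dropped support for OpenSSL's leading-dot wildcard mode (``.example.org`` matching ``www.example.org``). Both can change the outcome of certificate verification for code that relied on the old :func:`~ssl.match_hostname` behaviour, so each deserves a sentence in this entry, e.g. `Patterns with a leading dot such as ".example.org" are no longer matched.` Minor wording in the first paragraph: `Values are validated during the TLS handshake` and `Any cert validation error, including a failing host name match, now raises ...`.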
@@ -1120,6 +1146,12 @@ Other CPython implementation changes
emitted in the first place), and an explicit ``error::BytesWarning``
warnings filter added to convert them to exceptions.
+* CPython' :mod:`ssl` module requires OpenSSL 1.0.2 or 1.1 compatible libssl.
+ OpenSSL 1.0.1 has reached end of lifetime on 2016-12-31 and is no longer
+ supported. LibreSSL is temporarily not supported as well. LibreSSL releases
+ up to version 2.6.4 are missing required OpenSSL 1.0.2 APIs.
+
+
Documentation
=============
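Review bot: Typo in the first added line of this hunk: `CPython' :mod:`ssl` module` should read `CPython's :mod:`ssl` module`, and `end of lifetime` is better as `end of life`. The hunk also inserts two blank lines before the `Documentation` heading where the file uses one; drop one of them. This bullet names LibreSSL releases up to 2.6.4 as lacking the APIs while the ssl section note above only says LibreSSL is "temporarily not supported"; stating the version in both places keeps the two entries consistent.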