diff options
-rw-r--r-- | Doc/library/hashlib.rst | 2 | ||||
-rw-r--r-- | Doc/library/ssl.rst | 112 | ||||
-rw-r--r-- | Modules/_ssl.c | 33 | ||||
-rw-r--r-- | Modules/clinic/_ssl.c.h | 40 |
4 files changed, 12 insertions, 175 deletions
diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst index 6f92152..48c0bab 100644 --- a/Doc/library/hashlib.rst +++ b/Doc/library/hashlib.rst @@ -280,8 +280,6 @@ include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_. factor and *maxmem* limits memory (OpenSSL 1.1.0 defaults to 32 MiB). *dklen* is the length of the derived key. - .. availability:: OpenSSL 1.1+. - .. versionadded:: 3.6 diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index f7bdd56..9f74592 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -58,6 +58,11 @@ by SSL sockets created through the :meth:`SSLContext.wrap_socket` method. In the future the ssl module will require at least OpenSSL 1.0.2 or 1.1.0. +.. versionchanged:: 3.10 + + :pep:`644` has been implemented. The ssl module requires OpenSSL 1.1.1 + or newer. + Functions, Constants, and Exceptions ------------------------------------ @@ -325,19 +330,6 @@ Random generation :func:`ssl.RAND_egd` and :func:`ssl.RAND_add` to increase the randomness of the pseudo-random number generator. -.. function:: RAND_egd(path) - - If you are running an entropy-gathering daemon (EGD) somewhere, and *path* - is the pathname of a socket connection open to it, this will read 256 bytes - of randomness from the socket, and add it to the SSL pseudo-random number - generator to increase the security of generated secret keys. This is - typically only necessary on systems without better sources of randomness. - - See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources - of entropy-gathering daemons. - - .. availability:: not available with LibreSSL and OpenSSL > 1.1.0. - .. function:: RAND_add(bytes, entropy) Mix the given *bytes* into the SSL pseudo-random number generator. The @@ -879,8 +871,6 @@ Constants Disable compression on the SSL channel. This is useful if the application protocol supports its own compression scheme. - This option is only available with OpenSSL 1.0.0 and later. - .. versionadded:: 3.3 .. class:: Options @@ -1593,25 +1583,7 @@ to speed up repeated connections from the same clients. >>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) >>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA') - >>> ctx.get_ciphers() # OpenSSL 1.0.x - [{'alg_bits': 256, - 'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ' - 'Enc=AESGCM(256) Mac=AEAD', - 'id': 50380848, - 'name': 'ECDHE-RSA-AES256-GCM-SHA384', - 'protocol': 'TLSv1/SSLv3', - 'strength_bits': 256}, - {'alg_bits': 128, - 'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA ' - 'Enc=AESGCM(128) Mac=AEAD', - 'id': 50380847, - 'name': 'ECDHE-RSA-AES128-GCM-SHA256', - 'protocol': 'TLSv1/SSLv3', - 'strength_bits': 128}] - - On OpenSSL 1.1 and newer the cipher dict contains additional fields:: - - >>> ctx.get_ciphers() # OpenSSL 1.1+ + >>> ctx.get_ciphers() [{'aead': True, 'alg_bits': 256, 'auth': 'auth-rsa', @@ -1637,8 +1609,6 @@ to speed up repeated connections from the same clients. 'strength_bits': 128, 'symmetric': 'aes-128-gcm'}] - .. availability:: OpenSSL 1.0.2+. - .. versionadded:: 3.6 .. method:: SSLContext.set_default_verify_paths() @@ -1663,8 +1633,8 @@ to speed up repeated connections from the same clients. when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will give the currently selected cipher. - OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites - cannot be disabled with :meth:`~SSLContext.set_ciphers`. + TLS 1.3 cipher suites cannot be disabled with + :meth:`~SSLContext.set_ciphers`. .. method:: SSLContext.set_alpn_protocols(protocols) @@ -1678,10 +1648,6 @@ to speed up repeated connections from the same clients. This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is ``False``. - OpenSSL 1.1.0 to 1.1.0e will abort the handshake and raise :exc:`SSLError` - when both sides support ALPN but cannot agree on a protocol. 1.1.0f+ - behaves like 1.0.2, :meth:`SSLSocket.selected_alpn_protocol` returns None. - .. versionadded:: 3.5 .. method:: SSLContext.set_npn_protocols(protocols) @@ -1883,7 +1849,7 @@ to speed up repeated connections from the same clients. .. method:: SSLContext.session_stats() Get statistics about the SSL sessions created or managed by this context. - A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_sess_number.html>`_ to their + A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.1/ssl/SSL_CTX_sess_number.html>`_ to their numeric values. For example, here is the total number of hits and misses in the session cache since the context was created:: @@ -1926,10 +1892,6 @@ to speed up repeated connections from the same clients. :attr:`~SSLContext.verify_mode` is :data:`CERT_NONE`. Previously the same operation would have failed with a :exc:`ValueError`. - .. note:: - - This features requires OpenSSL 0.9.8f or newer. - .. attribute:: SSLContext.keylog_filename Write TLS keys to a keylog file, whenever key material is generated or @@ -1940,10 +1902,6 @@ to speed up repeated connections from the same clients. .. versionadded:: 3.8 - .. note:: - - This features requires OpenSSL 1.1.1 or newer. - .. attribute:: SSLContext.maximum_version A :class:`TLSVersion` enum member representing the highest supported @@ -1960,11 +1918,6 @@ to speed up repeated connections from the same clients. :attr:`~SSLContext.maximum_version` set to :attr:`TLSVersion.TLSv1_2` will not be able to establish a TLS 1.2 connection. - .. note:: - - This attribute is not available unless the ssl module is compiled - with OpenSSL 1.1.0g or newer. - .. versionadded:: 3.7 .. attribute:: SSLContext.minimum_version @@ -1972,11 +1925,6 @@ to speed up repeated connections from the same clients. Like :attr:`SSLContext.maximum_version` except it is the lowest supported version or :attr:`TLSVersion.MINIMUM_SUPPORTED`. - .. note:: - - This attribute is not available unless the ssl module is compiled - with OpenSSL 1.1.0g or newer. - .. versionadded:: 3.7 .. attribute:: SSLContext.num_tickets @@ -1985,11 +1933,6 @@ to speed up repeated connections from the same clients. :attr:`TLS_PROTOCOL_SERVER` context. The setting has no impact on TLS 1.0 to 1.2 connections. - .. note:: - - This attribute is not available unless the ssl module is compiled - with OpenSSL 1.1.1 or newer. - .. versionadded:: 3.8 .. attribute:: SSLContext.options @@ -1998,11 +1941,6 @@ to speed up repeated connections from the same clients. The default value is :data:`OP_ALL`, but you can specify other options such as :data:`OP_NO_SSLv2` by ORing them together. - .. note:: - With versions of OpenSSL older than 0.9.8m, it is only possible - to set options, not to clear them. Attempting to clear an option - (by resetting the corresponding bits) will raise a :exc:`ValueError`. - .. versionchanged:: 3.6 :attr:`SSLContext.options` returns :class:`Options` flags: @@ -2025,10 +1963,6 @@ to speed up repeated connections from the same clients. :meth:`SSLSocket.verify_client_post_handshake` is called and some I/O is performed. - .. note:: - Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3 - support, the property value is None and can't be modified - .. versionadded:: 3.8 .. attribute:: SSLContext.protocol @@ -2042,9 +1976,6 @@ to speed up repeated connections from the same clients. subject common name in the absence of a subject alternative name extension (default: true). - .. note:: - Only writeable with OpenSSL 1.1.0 or higher. - .. versionadded:: 3.7 .. versionchanged:: 3.10 @@ -2058,8 +1989,6 @@ to speed up repeated connections from the same clients. <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>`_ for the context. This attribute is read-only. - .. availability:: OpenSSL 1.1.0 or newer - .. versionadded:: 3.10 .. attribute:: SSLContext.verify_flags @@ -2067,7 +1996,6 @@ to speed up repeated connections from the same clients. The flags for certificate verification operations. You can set flags like :data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL does neither require nor verify certificate revocation lists (CRLs). - Available only with openssl version 0.9.8+. .. versionadded:: 3.4 @@ -2733,9 +2661,8 @@ TLS 1.3 .. versionadded:: 3.7 -Python has provisional and experimental support for TLS 1.3 with OpenSSL -1.1.1. The new protocol behaves slightly differently than previous version -of TLS/SSL. Some new TLS 1.3 features are not yet available. +The TLS 1.3 protocol behaves slightly differently than previous version +of TLS/SSL. Some new TLS 1.3 features are not yet available. - TLS 1.3 uses a disjunct set of cipher suites. All AES-GCM and ChaCha20 cipher suites are enabled by default. The method @@ -2752,23 +2679,6 @@ of TLS/SSL. Some new TLS 1.3 features are not yet available. signature algorithm configuration, and rekeying are not supported yet. -.. _ssl-libressl: - -LibreSSL support ----------------- - -LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for -LibreSSL. Some features are not available when the ssl module is compiled -with LibreSSL. - -* LibreSSL >= 2.6.1 no longer supports NPN. The methods - :meth:`SSLContext.set_npn_protocols` and - :meth:`SSLSocket.selected_npn_protocol` are not available. -* :meth:`SSLContext.set_default_verify_paths` ignores the env vars - :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_PATH` although - :func:`get_default_verify_paths` still reports them. - - .. seealso:: Class :class:`socket.socket` diff --git a/Modules/_ssl.c b/Modules/_ssl.c index f441a16..92aabcb 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4971,38 +4971,6 @@ _ssl_RAND_status_impl(PyObject *module) return PyLong_FromLong(RAND_status()); } -#ifndef OPENSSL_NO_EGD -/* LCOV_EXCL_START */ -/*[clinic input] -_ssl.RAND_egd - path: object(converter="PyUnicode_FSConverter") - / - -Queries the entropy gather daemon (EGD) on the socket named by 'path'. - -Returns number of bytes read. Raises SSLError if connection to EGD -fails or if it does not provide enough data to seed PRNG. -[clinic start generated code]*/ - -static PyObject * -_ssl_RAND_egd_impl(PyObject *module, PyObject *path) -/*[clinic end generated code: output=02a67c7c367f52fa input=1aeb7eb948312195]*/ -{ - int bytes = RAND_egd(PyBytes_AsString(path)); - Py_DECREF(path); - if (bytes == -1) { - PyErr_SetString(PySSLErrorObject, - "EGD connection failed or EGD did not return " - "enough data to seed the PRNG"); - return NULL; - } - return PyLong_FromLong(bytes); -} -/* LCOV_EXCL_STOP */ -#endif /* OPENSSL_NO_EGD */ - - - /*[clinic input] _ssl.get_default_verify_paths @@ -5445,7 +5413,6 @@ static PyMethodDef PySSL_methods[] = { _SSL_RAND_ADD_METHODDEF _SSL_RAND_BYTES_METHODDEF _SSL_RAND_PSEUDO_BYTES_METHODDEF - _SSL_RAND_EGD_METHODDEF _SSL_RAND_STATUS_METHODDEF _SSL_GET_DEFAULT_VERIFY_PATHS_METHODDEF _SSL_ENUM_CERTIFICATES_METHODDEF diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h index 95aad0c..74ab5a8 100644 --- a/Modules/clinic/_ssl.c.h +++ b/Modules/clinic/_ssl.c.h @@ -1105,40 +1105,6 @@ _ssl_RAND_status(PyObject *module, PyObject *Py_UNUSED(ignored)) return _ssl_RAND_status_impl(module); } -#if !defined(OPENSSL_NO_EGD) - -PyDoc_STRVAR(_ssl_RAND_egd__doc__, -"RAND_egd($module, path, /)\n" -"--\n" -"\n" -"Queries the entropy gather daemon (EGD) on the socket named by \'path\'.\n" -"\n" -"Returns number of bytes read. Raises SSLError if connection to EGD\n" -"fails or if it does not provide enough data to seed PRNG."); - -#define _SSL_RAND_EGD_METHODDEF \ - {"RAND_egd", (PyCFunction)_ssl_RAND_egd, METH_O, _ssl_RAND_egd__doc__}, - -static PyObject * -_ssl_RAND_egd_impl(PyObject *module, PyObject *path); - -static PyObject * -_ssl_RAND_egd(PyObject *module, PyObject *arg) -{ - PyObject *return_value = NULL; - PyObject *path; - - if (!PyUnicode_FSConverter(arg, &path)) { - goto exit; - } - return_value = _ssl_RAND_egd_impl(module, path); - -exit: - return return_value; -} - -#endif /* !defined(OPENSSL_NO_EGD) */ - PyDoc_STRVAR(_ssl_get_default_verify_paths__doc__, "get_default_verify_paths($module, /)\n" "--\n" @@ -1351,10 +1317,6 @@ exit: #endif /* defined(_MSC_VER) */ -#ifndef _SSL_RAND_EGD_METHODDEF - #define _SSL_RAND_EGD_METHODDEF -#endif /* !defined(_SSL_RAND_EGD_METHODDEF) */ - #ifndef _SSL_ENUM_CERTIFICATES_METHODDEF #define _SSL_ENUM_CERTIFICATES_METHODDEF #endif /* !defined(_SSL_ENUM_CERTIFICATES_METHODDEF) */ @@ -1362,4 +1324,4 @@ exit: #ifndef _SSL_ENUM_CRLS_METHODDEF #define _SSL_ENUM_CRLS_METHODDEF #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */ -/*[clinic end generated code: output=9468e58904a565a2 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=ae3d1851daba6562 input=a9049054013a1b77]*/ |