diff options
| -rw-r--r-- | Doc/library/ssl.rst | 14 | ||||
| -rw-r--r-- | Lib/test/test_ssl.py | 5 | ||||
| -rw-r--r-- | Modules/_ssl.c | 4 |
3 files changed, 18 insertions, 5 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 254fc1f..7846cad 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -520,9 +520,9 @@ Constants .. data:: VERIFY_DEFAULT - Possible value for :attr:`SSLContext.verify_flags`. In this mode, - certificate revocation lists (CRLs) are not checked. By default OpenSSL - does neither require nor verify CRLs. + Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate + revocation lists (CRLs) are not checked. By default OpenSSL does neither + require nor verify CRLs. .. versionadded:: 3.4 @@ -550,6 +550,14 @@ Constants .. versionadded:: 3.4 +.. data:: VERIFY_X509_TRUSTED_FIRST + + Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to + prefer trusted certificates when building the trust chain to validate a + certificate. This flag is enabled by default. + + .. versionadded:: 3.4.5 + .. data:: PROTOCOL_SSLv23 Selects the highest protocol version that both the client and server support. diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index ce427b4..596652a 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -818,8 +818,9 @@ class ContextTests(unittest.TestCase): "verify_flags need OpenSSL > 0.9.8") def test_verify_flags(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - # default value by OpenSSL - self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT) + # default value + tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0) + self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf) ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF) ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN diff --git a/Modules/_ssl.c b/Modules/_ssl.c index af68b94..8596225 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4458,6 +4458,10 @@ PyInit__ssl(void) X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); PyModule_AddIntConstant(m, "VERIFY_X509_STRICT", X509_V_FLAG_X509_STRICT); +#ifdef X509_V_FLAG_TRUSTED_FIRST + PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST", + X509_V_FLAG_TRUSTED_FIRST); +#endif /* Alert Descriptions from ssl.h */ /* note RESERVED constants no longer intended for use have been removed */ |