Diffstat (limited to 'Doc/library/ssl.rst')
-rw-r--r-- | Doc/library/ssl.rst | 86 |
1 files changed, 74 insertions, 12 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 01d86c8..3706a6e 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -49,6 +49,12 @@ For more sophisticated applications, the :class:`ssl.SSLContext` class helps manage settings and certificates, which can then be inherited by SSL sockets created through the :meth:`SSLContext.wrap_socket` method. +.. versionchanged:: 3.6 + + OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and no longer supported. + In the future the ssl module will require at least OpenSSL 1.0.2 or + 1.1.0. + Functions, Constants, and Exceptions ------------------------------------ @@ -279,7 +285,7 @@ purposes. RC4 was dropped from the default cipher string. - .. versionchanged:: 3.5.3 + .. versionchanged:: 3.6 ChaCha20/Poly1305 was added to the default cipher string. @@ -322,7 +328,7 @@ Random generation .. versionadded:: 3.3 - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use :func:`ssl.RAND_bytes` instead. @@ -587,13 +593,13 @@ Constants Selects the highest protocol version that both the client and server support. Despite the name, this option can select "TLS" protocols as well as "SSL". - .. versionadded:: 3.5.3 + .. versionadded:: 3.6 .. data:: PROTOCOL_SSLv23 Alias for data:`PROTOCOL_TLS`. - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 Use data:`PROTOCOL_TLS` instead. @@ -608,7 +614,7 @@ Constants SSL version 2 is insecure. Its use is highly discouraged. - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 OpenSSL has removed support for SSLv2. @@ -623,7 +629,7 @@ Constants SSL version 3 is insecure. Its use is highly discouraged. - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 OpenSSL has deprecated all version specific protocols. Use the default protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. 
@@ -632,7 +638,7 @@ Constants Selects TLS version 1.0 as the channel encryption protocol. - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 OpenSSL has deprecated all version specific protocols. Use the default protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. @@ -644,7 +650,7 @@ Constants .. versionadded:: 3.4 - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 OpenSSL has deprecated all version specific protocols. Use the default protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. @@ -657,7 +663,7 @@ Constants .. versionadded:: 3.4 - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 OpenSSL has deprecated all version specific protocols. Use the default protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. @@ -678,7 +684,7 @@ Constants .. versionadded:: 3.2 - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 SSLv2 is deprecated @@ -691,7 +697,7 @@ Constants .. versionadded:: 3.2 - .. deprecated:: 3.5.3 + .. deprecated:: 3.6 SSLv3 is deprecated @@ -1149,7 +1155,7 @@ to speed up repeated connections from the same clients. :func:`create_default_context` lets the :mod:`ssl` module choose security settings for a given purpose. - .. versionchanged:: 3.5.3 + .. versionchanged:: 3.6 :data:`PROTOCOL_TLS` is the default value. 
@@ -1259,6 +1265,62 @@ to speed up repeated connections from the same clients. .. versionadded:: 3.4 +.. method:: SSLContext.get_ciphers() + + Get a list of enabled ciphers. The list is in order of cipher priority. + See :meth:`SSLContext.set_ciphers`. + + Example:: + + >>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + >>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA') + >>> ctx.get_ciphers() # OpenSSL 1.0.x + [{'alg_bits': 256, + 'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ' + 'Enc=AESGCM(256) Mac=AEAD', + 'id': 50380848, + 'name': 'ECDHE-RSA-AES256-GCM-SHA384', + 'protocol': 'TLSv1/SSLv3', + 'strength_bits': 256}, + {'alg_bits': 128, + 'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA ' + 'Enc=AESGCM(128) Mac=AEAD', + 'id': 50380847, + 'name': 'ECDHE-RSA-AES128-GCM-SHA256', + 'protocol': 'TLSv1/SSLv3', + 'strength_bits': 128}] + + On OpenSSL 1.1 and newer the cipher dict contains additional fields:: + >>> ctx.get_ciphers() # OpenSSL 1.1+ + [{'aead': True, + 'alg_bits': 256, + 'auth': 'auth-rsa', + 'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ' + 'Enc=AESGCM(256) Mac=AEAD', + 'digest': None, + 'id': 50380848, + 'kea': 'kx-ecdhe', + 'name': 'ECDHE-RSA-AES256-GCM-SHA384', + 'protocol': 'TLSv1.2', + 'strength_bits': 256, + 'symmetric': 'aes-256-gcm'}, + {'aead': True, + 'alg_bits': 128, + 'auth': 'auth-rsa', + 'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA ' + 'Enc=AESGCM(128) Mac=AEAD', + 'digest': None, + 'id': 50380847, + 'kea': 'kx-ecdhe', + 'name': 'ECDHE-RSA-AES128-GCM-SHA256', + 'protocol': 'TLSv1.2', + 'strength_bits': 128, + 'symmetric': 'aes-128-gcm'}] + + Availability: OpenSSL 1.0.2+ + + .. versionadded:: 3.6 + .. method:: SSLContext.set_default_verify_paths() Load a set of default "certification authority" (CA) certificates from |
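Review bot: The new `versionchanged:: 3.6` note in the @@ -49,6 +49,12 @@ hunk reads as self-contradictory: the first sentence says OpenSSL 0.9.8, 1.0.0 and 1.0.1 are "no longer supported", the next says the module "will require" 1.0.2 or 1.1.0 only "in the future". If 3.6 still builds against the old releases but without support, say so in one sentence, e.g. "OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and no longer supported; a future release will require OpenSSL 1.0.2 or 1.1.0." A `.. deprecated:: 3.6` directive would also fit an announced removal better than `versionchanged`.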
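Review bot: The context lines `Alias for data:`PROTOCOL_TLS`.` and `Use data:`PROTOCOL_TLS` instead.` in the @@ -587,13 +593,13 @@ hunk are missing the leading colon on the role, so Sphinx emits the literal text "data:" instead of a cross-reference; since the block is being edited anyway, change them to `:data:`PROTOCOL_TLS``. The same `data:` spelling recurs in the unchanged context of the @@ -623, @@ -632, @@ -644 and @@ -657 hunks (`data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3``) and should be fixed in the same commit.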
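Review bot: The deprecation message `SSLv2 is deprecated` in the @@ -678,7 +684,7 @@ hunk (and `SSLv3 is deprecated` in @@ -691,7 +697,7 @@) has no terminating period, unlike every other `deprecated::` body in this file (`OpenSSL has removed support for SSLv2.`); add it while the directive is being renumbered to 3.6.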
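Review bot: In the @@ -1259,6 +1265,62 @@ hunk the paragraph `On OpenSSL 1.1 and newer the cipher dict contains additional fields::` is followed immediately by `>>> ctx.get_ciphers() # OpenSSL 1.1+` with no blank `+` line between them; reST needs a blank line between a `::` paragraph and its indented literal block, so the second example will not render as code (the first example correctly has the blank line after `Example::`). Two further points on the same hunk: the example builds the context with `ssl.SSLContext(ssl.PROTOCOL_SSLv23)`, which this very patch marks `.. deprecated:: 3.6` in favour of `PROTOCOL_TLS`, so a newly written example should use `ssl.SSLContext(ssl.PROTOCOL_TLS)`; and the text claims 1.1+ only adds fields, yet the two outputs shown also differ in the value of the existing `'protocol'` key (`'TLSv1/SSLv3'` versus `'TLSv1.2'`), which is worth stating so callers do not match on one spelling.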