path: root/Doc/library/ssl.rst
Commit message | Author | Age | Files | Lines
* gh-73580: Docs for tunnelling TLS through TLS (GH-22539) | Carl Bordum Hansen | 2024-02-29 | 1 | -0/+3
|
* gh-87688: Amend SSLContext.hostname_checks_common_name docs (GH-100517) | Rami | 2024-02-17 | 1 | -1/+1
|
* gh-104360: remove reference to removed module-level wrap_socket (GH-104361) | Thomas Grainger | 2024-01-24 | 1 | -5/+1
| * remove reference to removed module-level wrap_socket
| * drive by typo fix
* Docs: OpenSSL wording ambiguity (#113296) | Jan Brasna | 2023-12-21 | 1 | -1/+1
|
* gh-112454: Disable TLS-PSK if OpenSSL was built without PSK support (#112491) | Grant Ramsay | 2023-11-29 | 1 | -0/+12
| If OpenSSL was built without PSK support, the python TLS-PSK methods will raise "NotImplementedError" if called. Add a constant "ssl.HAS_PSK" to check if TLS-PSK is supported
* gh-63284: Add support for TLS-PSK (pre-shared key) to the ssl module (#103181) | Grant Ramsay | 2023-11-27 | 1 | -0/+88
| Add support for TLS-PSK (pre-shared key) to the ssl module.
| ---------
| Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
| Co-authored-by: Gregory P. Smith <greg@krypto.org>
* gh-110631: Fix reST indentation in `Doc/library` (#110685) | Ezio Melotti | 2023-10-11 | 1 | -12/+12
| Fix wrong indentation in the Doc/library dir.
* gh-109109: Expose retrieving certificate chains in SSL module (#109113) | Mateusz Nowak | 2023-09-20 | 1 | -4/+25
| Adds APIs to get the TLS certificate chains, verified or full unverified, from SSLSocket and SSLObject.
| Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
* gh-107091: Fix some uses of :const: role (GH-107379) | Serhiy Storchaka | 2023-07-28 | 1 | -1/+1
| It is for references, not for literals.
* gh-105090: Replace incorrect TLSv1.2 with TLSv1.3 (#105404) | Jocelyn Castellano | 2023-07-22 | 1 | -1/+1
|
* gh-106909: Use role :const: for referencing module constants (GH-106910) | Serhiy Storchaka | 2023-07-21 | 1 | -4/+4
|
* GH-103484: Fix redirected permanently URLs (#104001) | Rafael Fontenelle | 2023-05-02 | 1 | -1/+1
| Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
| Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
* gh-96931: Fix incorrect results in ssl.SSLSocket.shared_ciphers (#96932) | Benjamin Fogle | 2023-03-22 | 1 | -1/+1
|
* Fix minor typos in SSL documentation (#101158) | Simon Robinson | 2023-01-20 | 1 | -8/+8
|
* gh-89051: Add ssl.OP_LEGACY_SERVER_CONNECT (#93927) | Thomas Grainger | 2022-12-20 | 1 | -0/+7
| Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
| Co-authored-by: Christian Heimes <christian@python.org>
| Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
| Fixes https://github.com/python/cpython/issues/89051
* gh-96828: Add an `ssl.OP_ENABLE_KTLS` option (GH-96830) | Illia Volochii | 2022-11-24 | 1 | -0/+16
| Expose the constant when OpenSSL defines it.
* gh-94199: Remove ssl.wrap_socket() documentation (#99023) | Victor Stinner | 2022-11-03 | 1 | -51/+16
| The function has been removed. In the ssl documentation, replace references to the ssl.wrap_socket() function with references to the ssl.SSLContext.wrap_socket() method.
| Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
* gh-95451: Update docs for wasm32-emscripten and -wasi platforms (GH-95452) | Christian Heimes | 2022-08-02 | 1 | -0/+1
| Co-authored-by: Éric <merwok@netwok.org>
| Co-authored-by: Michael Droettboom <mdboom@gmail.com>
| Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
| Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>
* gh-95415: Make availability directive consistent (GH-95416) | Christian Heimes | 2022-07-29 | 1 | -3/+0
|
* gh-94172: Remove ssl.PROTOCOL_SSLv2 dead code (#94312) | Victor Stinner | 2022-06-28 | 1 | -18/+2
| Remove dead code related to ssl.PROTOCOL_SSLv2. ssl.PROTOCOL_SSLv2 was already removed in Python 3.10. In test_ssl, @requires_tls_version('SSLv2') always returned False. Extract of the removed code: "OpenSSL has removed support for SSLv2".
* gh-94199: Remove ssl.match_hostname() function (#94224) | Victor Stinner | 2022-06-25 | 1 | -52/+5
|
* gh-94199: Remove ssl.RAND_pseudo_bytes() function (#94202) | Victor Stinner | 2022-06-24 | 1 | -23/+2
| Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python 3.6: use os.urandom() or ssl.RAND_bytes() instead.
* gh-93851: Fix all broken links in Doc/ (GH-93853) | Oleg Iarygin | 2022-06-21 | 1 | -2/+2
|
* Doc: amend ssl.PROTOCOL_SSLv2 and ssl.PROTOCOL_SSLv3 wording (#92634) | Jan Brasna | 2022-05-19 | 1 | -3/+3
|
* gh-91611: Use example.com for documentation, not mydomain.com (#91613) | Motoki Naruse | 2022-04-30 | 1 | -1/+1
| example.com is reserved by the IANA as special-use domain name for documentation purposes. The domain names are used widely in books, tutorials, sample network configurations, and generally as examples for the use of domain name. On the other hand, mydomain.com is real Domain Name Registration service.
* ssl docs: Fix typo (GH-32336) | Frederick | 2022-04-07 | 1 | -1/+1
|
* ssl docs: Fix typo (GH-32314) | Frederick | 2022-04-07 | 1 | -1/+1
|
* [docs] Correct typos in SSLContext.sni_callback (GH-30623) | Jörn Heissler | 2022-02-19 | 1 | -3/+3
| Co-authored-by: Jörn Heissler <nosuchaddress@joern-heissler.de>
* bpo-40066: [Enum] fix tests (GH-30643) | Ethan Furman | 2022-01-17 | 1 | -1/+1
| - skip doctest that changes depending on target system
| - skip doctest that only fails on CI
| - substitute in values that change depending on target system
* bpo-40066: [Enum] skip failing doc test (GH-30637) | Kumar Aditya | 2022-01-17 | 1 | -2/+2
|
* Revert "bpo-40066: [Enum] update str() and format() output (GH-30582)" (GH-30632) | Victor Stinner | 2022-01-17 | 1 | -2/+2
| This reverts commit acf7403f9baea3ae1119fc6b4a3298522188bf96.
* bpo-40066: [Enum] update str() and format() output (GH-30582) | Ethan Furman | 2022-01-16 | 1 | -2/+2
| Undo rejected PEP-663 changes:
| - restore `repr()` to its 3.10 status
| - restore `str()` to its 3.10 status
|
| New changes:
| - `IntEnum` and `IntFlag` now leave `__str__` as the original `int.__str__` so that str() and format() return the same result
| - zero-valued flags without a name have a slightly changed repr(), e.g. `repr(Color(0)) == '<Color: 0>'`
| - update `dir()` for mixed-in types to return all the methods and attributes of the mixed-in type
| - added `_numeric_repr_` to `Flag` to control display of unnamed values
| - enums without doc strings have a more comprehensive doc string added
| - `ReprEnum` added -- inheriting from this makes it so only `__repr__` is replaced, not `__str__` nor `__format__`; `IntEnum`, `IntFlag`, and `StrEnum` all inherit from `ReprEnum`
* bpo-45457: Minor fix to documentation for SSLContext.load_default_certs. (GH-28947) | LincolnPuzey | 2021-11-02 | 1 | -1/+1
| Specify that SSLContext.set_default_verify_paths is called on ALL systems. The code of SSLContext.load_default_certs was changed in bpo-22449 to do this, this fix corrects the documentation to match that change.
* bpo-41203: Replace Mac OS X and OS X with macOS (GH-28515) | Serhiy Storchaka | 2021-09-22 | 1 | -1/+1
| Replace old names when they refer to actual versions of macOS. Keep historical names in references to older versions.
| Co-authored-by: Patrick Reader <_@pxeger.com>
* bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378) | Mariusz Felisiak | 2021-07-26 | 1 | -2/+2
| Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* Fix typo in ssl documentation (GH-27329) | Anton Grübel | 2021-07-24 | 1 | -2/+2
|
* bpo-44362: ssl: improve deprecation warnings and docs (GH-26646) | Christian Heimes | 2021-06-11 | 1 | -6/+10
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817) | Christian Heimes | 2021-05-02 | 1 | -0/+8
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778) | Christian Heimes | 2021-05-01 | 1 | -0/+8
| The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. :class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack's research.
|
| ```
| $ openssl version
| OpenSSL 1.1.1k FIPS 25 Mar 2021
| $ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
| TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
| TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
| TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
| TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
| ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
| ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
| ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
| ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
| ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
| ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
| ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
| ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
| ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
| ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
| DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
| DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
| DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
| DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
| ```
|
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270) | Zackery Spytz | 2021-04-24 | 1 | -2/+7
|
* bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463) | l0x | 2021-04-19 | 1 | -0/+11
| This short PR exposes an openssl flag that wasn't exposed. I've also updated the doc to reflect the change. It's heavily inspired by 990fcaac3c428569697f62a80fd95ab4d4b93151.
* bpo-43880: Show DeprecationWarnings for deprecated ssl module features (GH-25455) | Christian Heimes | 2021-04-19 | 1 | -17/+44
| * ssl.OP_NO_SSLv2
| * ssl.OP_NO_SSLv3
| * ssl.OP_NO_TLSv1
| * ssl.OP_NO_TLSv1_1
| * ssl.OP_NO_TLSv1_2
| * ssl.OP_NO_TLSv1_3
| * ssl.PROTOCOL_SSLv2
| * ssl.PROTOCOL_SSLv3
| * ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
| * ssl.PROTOCOL_TLS
| * ssl.PROTOCOL_TLSv1
| * ssl.PROTOCOL_TLSv1_1
| * ssl.PROTOCOL_TLSv1_2
| * ssl.TLSVersion.SSLv3
| * ssl.TLSVersion.TLSv1
| * ssl.TLSVersion.TLSv1_1
| * ssl.wrap_socket()
| * ssl.RAND_pseudo_bytes()
| * ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
| * ssl.SSLContext() without a protocol argument
| * ssl.match_hostname()
| * hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL function will stay)
|
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-42854: Use SSL_read/write_ex() (GH-25468) | Christian Heimes | 2021-04-19 | 1 | -0/+5
| The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The functions support reading and writing of data larger than 2 GB. Writing zero-length data no longer fails with a protocol violation error.
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43641: Stop stating that TLS 1.2 is the most modern version in docs (GH-25041) | Illia Volochii | 2021-04-18 | 1 | -3/+2
| Automerge-Triggered-By: GH:tiran
* bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453) | Christian Heimes | 2021-04-17 | 1 | -101/+11
|
* bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899) | Christian Heimes | 2021-04-17 | 1 | -0/+5
| Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*.
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309) | Christian Heimes | 2021-04-09 | 1 | -0/+8
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40066: Enum: modify `repr()` and `str()` (GH-22392) | Ethan Furman | 2021-03-31 | 1 | -2/+2
| * Enum: streamline repr() and str(); improve docs
| - repr() is now ``enum_class.member_name``
| - stdlib global enums are ``module_name.member_name``
| - str() is now ``member_name``
| - add HOW-TO section for ``Enum``
| - change main documentation to be an API reference
* bpo-39616: clarify SSLContext.check_hostname effect (GH-18484) | Ville Skyttä | 2021-03-27 | 1 | -1/+1
| It doesn't actually affect whether match_hostname() is called (it never is in this context any longer), but whether hostname verification occurs in the first place.
* bpo-39342: Expose X509_V_FLAG_ALLOW_PROXY_CERTS in ssl module (GH-18011) | Chris Burr | 2021-03-18 | 1 | -0/+7
| Exposes the `X509_V_FLAG_ALLOW_PROXY_CERTS` constant as `ssl.VERIFY_ALLOW_PROXY_CERTS` to allow for proxy certificate validation as described in: https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html