summaryrefslogtreecommitdiffstats
path: root/Doc/library/ssl.rst
Commit message (Collapse)AuthorAgeFilesLines
* bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378)Mariusz Felisiak2021-07-261-2/+2
| | | Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* Fix typo in ssl documentation (GH-27329)Anton Grübel2021-07-241-2/+2
|
* bpo-44362: ssl: improve deprecation warnings and docs (GH-26646)Christian Heimes2021-06-111-6/+10
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817)Christian Heimes2021-05-021-0/+8
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)Christian Heimes2021-05-011-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. :class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack's research. ``` $ openssl version OpenSSL 1.1.1k FIPS 25 Mar 2021 $ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 ``` Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270)Zackery Spytz2021-04-241-2/+7
|
* bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)l0x2021-04-191-0/+11
| | | This short PR exposes an openssl flag that wasn't exposed. I've also updated to doc to reflect the change. It's heavily inspired by 990fcaac3c428569697f62a80fd95ab4d4b93151.
* bpo-43880: Show DeprecationWarnings for deprecated ssl module features ↵Christian Heimes2021-04-191-17/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | (GH-25455) * ssl.OP_NO_SSLv2 * ssl.OP_NO_SSLv3 * ssl.OP_NO_TLSv1 * ssl.OP_NO_TLSv1_1 * ssl.OP_NO_TLSv1_2 * ssl.OP_NO_TLSv1_3 * ssl.PROTOCOL_SSLv2 * ssl.PROTOCOL_SSLv3 * ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS) * ssl.PROTOCOL_TLS * ssl.PROTOCOL_TLSv1 * ssl.PROTOCOL_TLSv1_1 * ssl.PROTOCOL_TLSv1_2 * ssl.TLSVersion.SSLv3 * ssl.TLSVersion.TLSv1 * ssl.TLSVersion.TLSv1_1 * ssl.wrap_socket() * ssl.RAND_pseudo_bytes() * ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1) * ssl.SSLContext() without a protocol argument * ssl.match_hostname() * hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL function will stay) Signed-off-by: Christian Heimes <christian@python.org>
* bpo-42854: Use SSL_read/write_ex() (GH-25468)Christian Heimes2021-04-191-0/+5
| | | | | | | | The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The functions support reading and writing of data larger than 2 GB. Writing zero-length data no longer fails with a protocol violation error. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43641: Stop stating that TLS 1.2 is the most modern version in docs ↵Illia Volochii2021-04-181-3/+2
| | | | | (GH-25041) Automerge-Triggered-By: GH:tiran
* bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)Christian Heimes2021-04-171-101/+11
|
* bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)Christian Heimes2021-04-171-0/+5
| | | | | | Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)Christian Heimes2021-04-091-0/+8
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40066: Enum: modify `repr()` and `str()` (GH-22392)Ethan Furman2021-03-311-2/+2
| | | | | | | | | * Enum: streamline repr() and str(); improve docs - repr() is now ``enum_class.member_name`` - stdlib global enums are ``module_name.member_name`` - str() is now ``member_name`` - add HOW-TO section for ``Enum`` - change main documentation to be an API reference
* bpo-39616: clarify SSLContext.check_hostname effect (GH-18484)Ville Skyttä2021-03-271-1/+1
| | | | | It doesn't actually affect whether match_hostname() is called (it never is in this context any longer), but whether hostname verification occurs in the first place.
* bpo-39342: Expose X509_V_FLAG_ALLOW_PROXY_CERTS in ssl module (GH-18011)Chris Burr2021-03-181-0/+7
| | | Exposes the `X509_V_FLAG_ALLOW_PROXY_CERTS` constant as `ssl.VERIFY_ALLOW_PROXY_CERTS` to allow for proxy certificate validation as described in: https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html
* bpo-41195: Add getter for Openssl security level (GH-21282)matthewhughes9342020-07-171-0/+10
| | | | | | | | | | | Add an accessor under SSLContext.security_level as a wrapper around SSL_CTX_get_security_level, see: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html ------ This is my first time contributing, so please pull me up on all the things I missed or did incorrectly. Automerge-Triggered-By: @tiran
* Remove duplicated words words (GH-20413)Serhiy Storchaka2020-05-261-1/+1
|
* Document missing methods of ssl.SSLObject (#19400)Rémi Lapeyre2020-04-071-0/+3
| | | Co-authored-by: Rémi Lapeyre <remi.lapeyre@lenstra.fr>
* fix comma location in various places (GH-19233)Mathieu Dupuy2020-03-301-2/+2
|
* bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190)Christian Heimes2019-12-071-0/+3
| | | | | | | | | | test_openssl_version now accepts version 3.0.0. getpeercert() no longer returns IPv6 addresses with a trailing new line. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38820
* bpo-38738: Fix formatting of True and False. (GH-17083)Serhiy Storchaka2019-11-121-2/+2
| | | | | | | | | * "Return true/false" is replaced with "Return ``True``/``False``" if the function actually returns a bool. * Fixed formatting of some True and False literals (now in monospace). * Replaced "True/False" with "true/false" if it can be not only bool. * Replaced some 1/0 with True/False if it corresponds the code. * "Returns <bool>" is replaced with "Return <bool>".
* Doc: Fix grammar/spelling in ssl.VERIFY_CRL_CHECK_LEAF docs (GH-16221)Jörn Heissler2019-09-171-2/+2
|
* bpo-32008: Prefer client or TLSv1_2 in examples (GH-5797)Christian Heimes2019-09-121-8/+14
| | | | | Prefer client or TLSv1_2 in examples Signed-off-by: Christian Heimes <christian@python.org>
* Fix typo in ssl.RAND_bytes documentation (GH-14791)Zach Thompson2019-09-101-1/+1
| | | | | It looks like "cryptographically strong" is the preferred phrase from the surrounding documentation. Automerge-Triggered-By: @tiran
* bpo-37120: Add SSLContext.num_tickets (GH-13719)Christian Heimes2019-06-031-0/+13
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-34271: Add ssl debugging helpers (GH-10031)Christian Heimes2019-05-311-0/+23
| | | | | | | | | | | The ssl module now can dump key material to a keylog file and trace TLS protocol messages with a tracing callback. The default and stdlib contexts also support SSLKEYLOGFILE env var. The msg_callback and related enums are private members. The feature is designed for internal debugging and not for end users. Signed-off-by: Christian Heimes <christian@python.org>
* Fix rst formatting for several links in ssl documentation (GH-13133)Toshio Kuratomi2019-05-061-3/+3
|
* Add versionadded directives to ssl.minimum_version and ssl.maximum_version ↵Zhiming Wang2019-02-281-6/+10
| | | | | | (GH-11894)
* bpo-35044, doc: Use the :exc: role for the exceptions (GH-10037)Stéphane Wirtel2018-10-261-1/+1
|
* bpo-11233: Create availability directive for documentation (GH-9692)Cheryl Sabella2018-10-121-6/+6
| | | | | | Replace "Availability: xxx" with ".. availability:: xxx" in the doc. Original patch by Georg Brandl. Co-Authored-By: Georg Brandl <georg@python.org>
* bpo-34906: Doc: Fix typos (GH-9712)Stéphane Wirtel2018-10-051-1/+1
|
* bpo-34670: Add TLS 1.3 post handshake auth (GH-9460)Christian Heimes2018-09-231-0/+42
| | | | | | | | | | Add SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake authentication. Signed-off-by: Christian Heimes <christian@python.org>q https://bugs.python.org/issue34670
* closes bpo-34050: Fix link in SSL docs (GH-8173)Marcin Niemira2018-07-071-1/+1
|
* bpo-33892: Doc: Use gender neutral words (GH-7770)Andrés Delfino2018-06-181-1/+1
|
* bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530)Christian Heimes2018-06-111-13/+25
| | | | | | | | | The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were misleading and partly wrong. It fails to explain that OpenSSL behaves differently in client and server mode. Also OpenSSL does validate the cert chain everytime. With SSL_VERIFY_NONE a validation error is not fatal in client mode and does not request a client cert in server mode. Also discourage people from using CERT_OPTIONAL in client mode.
* bpo-31215: Add version changed notes for OpenSSL 1.1.0 compatibility (GH-7346)Mayank Singhal2018-06-051-0/+3
|
* bpo-33641: Convert RFC references into links. (GH-7103)Serhiy Storchaka2018-05-311-6/+6
| | | | 85% of them are already links.
* bpo-33618: Enable TLS 1.3 in tests (GH-7079)Christian Heimes2018-05-231-1/+27
| | | | | | | | | | | | TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS client cert auth are now handled after the initialy handshake. Tests now either send/recv data to trigger session and client certs. Or tests ignore ConnectionResetError / BrokenPipeError on the server side to handle clients that force-close the socket fd. To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR https://github.com/openssl/openssl/pull/6340) is required. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)Christian Heimes2018-05-221-5/+3
| | | | | | | | | | Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32257: Add ssl.OP_NO_RENEGOTIATION (GH-5904)Christian Heimes2018-05-151-0/+9
| | | | | | | | The ssl module now contains OP_NO_RENEGOTIATION constant, available with OpenSSL 1.1.0h or 1.1.1. Note, OpenSSL 1.1.0h hasn't been released yet. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-33503: Fix the broken pypi link in the source and the documentation ↵Stéphane Wirtel2018-05-151-2/+2
| | | | (GH-6814)
* bpo-33045: Fix typos in SSL documentation (GH-6065)Matt Eaton2018-03-111-2/+2
|
* bpo-31453: Add setter for min/max protocol version (#5259)Christian Heimes2018-02-271-2/+99
| | | | | | | | | | | | OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported protocol version. The API is easier to use than the old OP_NO_TLS1 option flags, too. Since OpenSSL has no call to set minimum version to highest supported, the implementation emulate maximum_version = MINIMUM_SUPPORTED and minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and maximum supported version at compile time. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32951: Disable SSLSocket/SSLObject constructor (#5864)Christian Heimes2018-02-271-6/+18
| | | | | | | | | | | | | | | | Direct instantiation of SSLSocket and SSLObject objects is now prohibited. The constructors were never documented, tested, or designed as public constructors. The SSLSocket constructor had limitations. For example it was not possible to enabled hostname verification except was ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED. SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is also deprecated. The only test case for direct instantiation was added a couple of days ago for IDNA testing. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-28124: deprecate ssl.wrap_socket() (#5888)Christian Heimes2018-02-271-182/+210
| | | | | | | The ssl module function ssl.wrap_socket() has been de-emphasized and deprecated in favor of the more secure and efficient SSLContext.wrap_socket() method. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (#5663)Christian Heimes2018-02-271-0/+9
| | | | | | | | | | | | | | | | | | * bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2. Other tests currently fail because the threaded or async test servers stop after failure. I'm going to address these issues when OpenSSL 1.1.1 reaches beta. OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-30622: Improve NPN support detection (#5859)Christian Heimes2018-02-241-0/+17
| | | | | | The ssl module now detects missing NPN support in LibreSSL. Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org> Signed-off-by: Christian Heimes <christian@python.org>
* [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128)Christian Heimes2018-02-241-11/+28
| | | | | | | | | | | | Previously, the ssl module stored international domain names (IDNs) as U-labels. This is problematic for a number of reasons -- for example, it made it impossible for users to use a different version of IDNA than the one built into Python. After this change, we always convert to A-labels as soon as possible, and use them for all internal processing. In particular, server_hostname attribute is now an A-label, and on the server side there's a new sni_callback that receives the SNI servername as an A-label rather than a U-label.
* bpo-32008: don't use PROTOCOL_TLSv1 in example (GH-5789)Benjamin Peterson2018-02-211-2/+2
| | | | It's bad form to pin to an old version of TLS. ssl.SSLContext has the right protocol default, so let's not pass anyway.
generated by cgit v0.12 at 2025-02-28 21:23:07 (GMT)