summaryrefslogtreecommitdiffstats
path: root/Doc/library/ssl.rst
Commit message (Collapse)AuthorAgeFilesLines
* Issue #21043: Remove the recommendation for specific CA organizationsDonald Stufft2014-03-241-14/+3
| | | | | | | Closes #21043 by updating the documentation to remove specific CA organizations and update the text to no longer need to tell you to download root certificates, but instead use the OS certificates avaialble through SSLContext.load_default_certs.
* Issue #21013: Enhance ssl.create_default_context() for server side contextsDonald Stufft2014-03-231-7/+20
| | | | | | | | | | | | | | | | | | | | Closes #21013 by modfying ssl.create_default_context() to: * Move the restricted ciphers to only apply when using ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not is the lack of RC4 in the restricted. However there are servers that exist that only expose RC4 still. * Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context will select TLS1.1 or TLS1.2 if it is available. * Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets * Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security of the perfect forward secrecy * Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side socket the context will prioritize our ciphers which have been carefully selected to maximize security and performance. * Documents the failure conditions when a SSL3.0 connection is required so that end users can more easily determine if they need to unset ssl.OP_NO_SSLv3.
* Issue #20913: make it clear that create_default_context() also enables ↵Antoine Pitrou2014-03-231-4/+5
| | | | hostname checking
* Issue #20913: improve the SSL security considerations to first advocate ↵Antoine Pitrou2014-03-221-6/+36
| | | | using create_default_context().
* Issue #20995: Enhance default ciphers used by the ssl moduleDonald Stufft2014-03-221-11/+4
| | | | | | | | | | | | | | | Closes #20995 by Enabling better security by prioritizing ciphers such that: * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE) * Prefer ECDHE over DHE for better performance * Prefer any AES-GCM over any AES-CBC for better performance and security * Then Use HIGH cipher suites as a fallback * Then Use 3DES as fallback which is secure but slow * Finally use RC4 as a fallback which is problematic but needed for compatibility some times. * Disable NULL authentication, NULL encryption, and MD5 MACs for security reasons
* Merge in all documentation changes since branching 3.4.0rc1.Larry Hastings2014-03-161-3/+2
|
* Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, ↵Antoine Pitrou2013-12-281-8/+14
|\ | | | | | | rather than silently let them emit clear text data.
| * Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, ↵Antoine Pitrou2013-12-281-8/+14
| | | | | | | | rather than silently let them emit clear text data.
* | Tidy up ssl whatsnew references, make ssl section formatting consistent.R David Murray2013-12-201-4/+1
| | | | | | | | | | Also remove some extra blank lines in the ssl doc acctions for tls1.1/1.2, and reflow a paragraph.
* | Issue #19509: Add SSLContext.check_hostname to match the peer's certificateChristian Heimes2013-12-021-1/+35
| | | | | | | | with server_hostname on handshake.
* | Issue #19795: Improved markup of True/False constants.Serhiy Storchaka2013-11-291-4/+4
|\ \ | |/
| * Issue #19795: Improved markup of True/False constants.Serhiy Storchaka2013-11-291-3/+3
| |
* | Tweak ssl docsAntoine Pitrou2013-11-231-23/+53
| |
* | Issue #19689: Add ssl.create_default_context() factory function. It createsChristian Heimes2013-11-231-0/+18
| | | | | | | | a new SSLContext object with secure default settings.
* | Correct documentation clientAuth -> CLIENT_AUTHChristian Heimes2013-11-231-2/+2
| |
* | Issue #19292: Add SSLContext.load_default_certs() to load default root CAChristian Heimes2013-11-231-1/+30
| | | | | | | | | | certificates from default stores or system stores. By default the method loads CA certs for authentication of server certs.
* | Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+Christian Heimes2013-11-231-0/+1
| | | | | | | | The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
* | Issue #18147: Add missing documentation for SSLContext.get_ca_certs().Christian Heimes2013-11-221-0/+12
| | | | | | | | Also change the argument name to the same name as getpeercert()
* | Issue #17134: Finalize interface to Windows' certificate store. Cert andChristian Heimes2013-11-221-15/+30
| | | | | | | | | | CRL enumeration are now two functions. enum_certificates() also returns purpose flags as set of OIDs.
* | Issue #8813: Add SSLContext.verify_flags to change the verification flagsChristian Heimes2013-11-211-0/+45
| | | | | | | | | | of the context in order to enable certification revocation list (CRL) checks or strict X509 rules.
* | Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSPChristian Heimes2013-11-211-0/+4
| | | | | | | | and CRL distribution points.
* | Issue #18138: Implement cadata argument of SSLContext.load_verify_location()Christian Heimes2013-11-211-1/+10
| | | | | | | | | | to load CA certificates and CRL from memory. It supports PEM and DER encoded strings.
* | Issue #19508: direct the user to read the security considerations for the ↵Antoine Pitrou2013-11-171-5/+14
|\ \ | |/ | | | | ssl module
| * Issue #19508: direct the user to read the security considerations for the ↵Antoine Pitrou2013-11-171-5/+14
| | | | | | | | ssl module
* | mergeChristian Heimes2013-10-291-1/+1
|\ \ | |/
| * fix languageChristian Heimes2013-10-291-1/+1
| |
* | Issue #19227 / Issue #18747: Remove pthread_atfork() handler to remove ↵Christian Heimes2013-10-291-0/+8
|\ \ | |/ | | | | | | | | OpenSSL re-seeding It is causing trouble like e.g. hanging processes.
| * Issue #18747: document issue with OpenSSL's CPRNG state and forkChristian Heimes2013-10-291-0/+8
| |
* | merge with 3.3Georg Brandl2013-10-271-4/+11
|\ \ | |/
| * Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,Georg Brandl2013-10-271-4/+11
| | | | | | | | | | for security reasons. It now doesn't match multiple wildcards nor wildcards inside IDN fragments.
* | merge with 3.3Georg Brandl2013-10-061-3/+3
|\ \ | |/
| * Closes #19177: replace dead link to SSL/TLS introduction with the version ↵Georg Brandl2013-10-061-3/+3
| | | | | | | | from Apache.
* | Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL ↵Antoine Pitrou2013-09-291-1/+5
| | | | | | | | handshake hasn't been done.
* | Fix minor documentation markup error.Larry Hastings2013-08-031-1/+1
| |
* | Merge #18311: fix typo.R David Murray2013-06-261-1/+1
|\ \ | |/
| * #18311: fix typo.R David Murray2013-06-261-1/+1
| |
* | Issue #18147: Add diagnostic functions to ssl.SSLContext().Christian Heimes2013-06-171-0/+24
| | | | | | | | | | get_ca_list() lists all loaded CA certificates and cert_store_stats() returns amount of loaded X.509 certs, X.509 CA certs and CRLs.
* | Issue #17134: Add ssl.enum_cert_store() as interface to Windows' cert store.Christian Heimes2013-06-091-0/+23
| |
* | removed accidental new lineChristian Heimes2013-06-091-2/+1
| |
* | Issue #18143: Implement ssl.get_default_verify_paths() in order to debugChristian Heimes2013-06-091-1/+19
| | | | | | | | the default locations for cafile and capath.
* | Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) ↵Antoine Pitrou2013-04-161-5/+11
|\ \ | |/ | | | | | | | | for server sockets. Thanks to David D Lowe for reporting.
| * Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) ↵Antoine Pitrou2013-04-161-5/+11
| | | | | | | | | | | | for server sockets. Thanks to David D Lowe for reporting.
* | Fix a crash when setting a servername callback on a SSL server socket and ↵Antoine Pitrou2013-04-111-0/+1
| | | | | | | | | | | | | | the client doesn't send a server name. Patch by Kazuhiro Yoshida. (originally issue #8109)
* | Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial ↵Antoine Pitrou2013-03-281-10/+45
| | | | | | | | patch by Michele Orrù.
* | Issue #17047: remove doubled words added in 3.4,Terry Jan Reedy2013-03-111-1/+1
| | | | | | | | as reported by Serhiy Storchaka and Matthew Barnett.
* | Issue #8109: The ssl module now has support for server-side SNI, thanks to a ↵Antoine Pitrou2013-01-051-0/+71
|/ | | | | | :meth:`SSLContext.set_servername_callback` method. Patch by Daniel Black.
* Update the getpeercert() example with a real-world cert showing non-trivial ↵Antoine Pitrou2012-08-161-17/+33
|\ | | | | | | issuer, subject and subjectAltName.
| * Update the getpeercert() example with a real-world cert showing non-trivial ↵Antoine Pitrou2012-08-161-17/+33
| | | | | | | | issuer, subject and subjectAltName.
* | Issue #14837: SSL errors now have `library` and `reason` attributes ↵Antoine Pitrou2012-06-221-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | describing precisely what happened and in which OpenSSL submodule. The str() of a SSLError is also enhanced accordingly. NOTE: this commit creates a reference leak. The leak seems tied to the use of PyType_FromSpec() to create the SSLError type. The leak is on the type object when it is instantiated: >>> e = ssl.SSLError() >>> sys.getrefcount(ssl.SSLError) 35 >>> e = ssl.SSLError() >>> sys.getrefcount(ssl.SSLError) 36 >>> e = ssl.SSLError() >>> sys.getrefcount(ssl.SSLError) 37
* | Issue #14204: The ssl module now has support for the Next Protocol ↵Antoine Pitrou2012-03-211-1/+34
| | | | | | | | | | | | Negotiation extension, if available in the underlying OpenSSL library. Patch by Colin Marc.
generated by cgit v0.12 at 2025-01-09 08:21:20 (GMT)