summaryrefslogtreecommitdiffstats
path: root/Doc/library/ssl.rst
Commit message (Collapse)AuthorAgeFilesLines
* bpo-40066: [Enum] fix tests (GH-30643)Ethan Furman2022-01-171-1/+1
| | | | | - skip doctest that changes depending on target system - skip doctest that only fails on CI - substitute in values that change depending on target system
* bpo-40066: [Enum] skip failing doc test (GH-30637)Kumar Aditya2022-01-171-2/+2
|
* Revert "bpo-40066: [Enum] update str() and format() output (GH-30582)" ↵Victor Stinner2022-01-171-2/+2
| | | | | (GH-30632) This reverts commit acf7403f9baea3ae1119fc6b4a3298522188bf96.
* bpo-40066: [Enum] update str() and format() output (GH-30582)Ethan Furman2022-01-161-2/+2
| | | | | | | | | | | | | | | Undo rejected PEP-663 changes: - restore `repr()` to its 3.10 status - restore `str()` to its 3.10 status New changes: - `IntEnum` and `IntFlag` now leave `__str__` as the original `int.__str__` so that str() and format() return the same result - zero-valued flags without a name have a slightly changed repr(), e.g. `repr(Color(0)) == '<Color: 0>'` - update `dir()` for mixed-in types to return all the methods and attributes of the mixed-in type - added `_numeric_repr_` to `Flag` to control display of unnamed values - enums without doc strings have a more comprehensive doc string added - `ReprEnum` added -- inheriting from this makes it so only `__repr__` is replaced, not `__str__` nor `__format__`; `IntEnum`, `IntFlag`, and `StrEnum` all inherit from `ReprEnum`
* bpo-45457: Minor fix to documentation for SSLContext.load_default_certs. ↵LincolnPuzey2021-11-021-1/+1
| | | | | | | | (GH-28947) Specify that SSLContext.set_default_verify_paths is called on ALL systems. The code of SSLContext.load_default_certs was changed in bpo-22449 to do this, this fix corrects the documentation to match that change.
* bpo-41203: Replace Mac OS X and OS X with macOS (GH-28515)Serhiy Storchaka2021-09-221-1/+1
| | | | | | | Replace old names when they refer to actual versions of macOS. Keep historical names in references to older versions. Co-authored-by: Patrick Reader <_@pxeger.com>
* bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378)Mariusz Felisiak2021-07-261-2/+2
| | | Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* Fix typo in ssl documentation (GH-27329)Anton Grübel2021-07-241-2/+2
|
* bpo-44362: ssl: improve deprecation warnings and docs (GH-26646)Christian Heimes2021-06-111-6/+10
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817)Christian Heimes2021-05-021-0/+8
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)Christian Heimes2021-05-011-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. :class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack's research. ``` $ openssl version OpenSSL 1.1.1k FIPS 25 Mar 2021 $ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 ``` Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270)Zackery Spytz2021-04-241-2/+7
|
* bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)l0x2021-04-191-0/+11
| | | This short PR exposes an openssl flag that wasn't exposed. I've also updated to doc to reflect the change. It's heavily inspired by 990fcaac3c428569697f62a80fd95ab4d4b93151.
* bpo-43880: Show DeprecationWarnings for deprecated ssl module features ↵Christian Heimes2021-04-191-17/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | (GH-25455) * ssl.OP_NO_SSLv2 * ssl.OP_NO_SSLv3 * ssl.OP_NO_TLSv1 * ssl.OP_NO_TLSv1_1 * ssl.OP_NO_TLSv1_2 * ssl.OP_NO_TLSv1_3 * ssl.PROTOCOL_SSLv2 * ssl.PROTOCOL_SSLv3 * ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS) * ssl.PROTOCOL_TLS * ssl.PROTOCOL_TLSv1 * ssl.PROTOCOL_TLSv1_1 * ssl.PROTOCOL_TLSv1_2 * ssl.TLSVersion.SSLv3 * ssl.TLSVersion.TLSv1 * ssl.TLSVersion.TLSv1_1 * ssl.wrap_socket() * ssl.RAND_pseudo_bytes() * ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1) * ssl.SSLContext() without a protocol argument * ssl.match_hostname() * hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL function will stay) Signed-off-by: Christian Heimes <christian@python.org>
* bpo-42854: Use SSL_read/write_ex() (GH-25468)Christian Heimes2021-04-191-0/+5
| | | | | | | | The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The functions support reading and writing of data larger than 2 GB. Writing zero-length data no longer fails with a protocol violation error. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43641: Stop stating that TLS 1.2 is the most modern version in docs ↵Illia Volochii2021-04-181-3/+2
| | | | | (GH-25041) Automerge-Triggered-By: GH:tiran
* bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)Christian Heimes2021-04-171-101/+11
|
* bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)Christian Heimes2021-04-171-0/+5
| | | | | | Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)Christian Heimes2021-04-091-0/+8
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40066: Enum: modify `repr()` and `str()` (GH-22392)Ethan Furman2021-03-311-2/+2
| | | | | | | | | * Enum: streamline repr() and str(); improve docs - repr() is now ``enum_class.member_name`` - stdlib global enums are ``module_name.member_name`` - str() is now ``member_name`` - add HOW-TO section for ``Enum`` - change main documentation to be an API reference
* bpo-39616: clarify SSLContext.check_hostname effect (GH-18484)Ville Skyttä2021-03-271-1/+1
| | | | | It doesn't actually affect whether match_hostname() is called (it never is in this context any longer), but whether hostname verification occurs in the first place.
* bpo-39342: Expose X509_V_FLAG_ALLOW_PROXY_CERTS in ssl module (GH-18011)Chris Burr2021-03-181-0/+7
| | | Exposes the `X509_V_FLAG_ALLOW_PROXY_CERTS` constant as `ssl.VERIFY_ALLOW_PROXY_CERTS` to allow for proxy certificate validation as described in: https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html
* bpo-41195: Add getter for Openssl security level (GH-21282)matthewhughes9342020-07-171-0/+10
| | | | | | | | | | | Add an accessor under SSLContext.security_level as a wrapper around SSL_CTX_get_security_level, see: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html ------ This is my first time contributing, so please pull me up on all the things I missed or did incorrectly. Automerge-Triggered-By: @tiran
* Remove duplicated words words (GH-20413)Serhiy Storchaka2020-05-261-1/+1
|
* Document missing methods of ssl.SSLObject (#19400)Rémi Lapeyre2020-04-071-0/+3
| | | Co-authored-by: Rémi Lapeyre <remi.lapeyre@lenstra.fr>
* fix comma location in various places (GH-19233)Mathieu Dupuy2020-03-301-2/+2
|
* bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190)Christian Heimes2019-12-071-0/+3
| | | | | | | | | | test_openssl_version now accepts version 3.0.0. getpeercert() no longer returns IPv6 addresses with a trailing new line. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38820
* bpo-38738: Fix formatting of True and False. (GH-17083)Serhiy Storchaka2019-11-121-2/+2
| | | | | | | | | * "Return true/false" is replaced with "Return ``True``/``False``" if the function actually returns a bool. * Fixed formatting of some True and False literals (now in monospace). * Replaced "True/False" with "true/false" if it can be not only bool. * Replaced some 1/0 with True/False if it corresponds the code. * "Returns <bool>" is replaced with "Return <bool>".
* Doc: Fix grammar/spelling in ssl.VERIFY_CRL_CHECK_LEAF docs (GH-16221)Jörn Heissler2019-09-171-2/+2
|
* bpo-32008: Prefer client or TLSv1_2 in examples (GH-5797)Christian Heimes2019-09-121-8/+14
| | | | | Prefer client or TLSv1_2 in examples Signed-off-by: Christian Heimes <christian@python.org>
* Fix typo in ssl.RAND_bytes documentation (GH-14791)Zach Thompson2019-09-101-1/+1
| | | | | It looks like "cryptographically strong" is the preferred phrase from the surrounding documentation. Automerge-Triggered-By: @tiran
* bpo-37120: Add SSLContext.num_tickets (GH-13719)Christian Heimes2019-06-031-0/+13
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-34271: Add ssl debugging helpers (GH-10031)Christian Heimes2019-05-311-0/+23
| | | | | | | | | | | The ssl module now can dump key material to a keylog file and trace TLS protocol messages with a tracing callback. The default and stdlib contexts also support SSLKEYLOGFILE env var. The msg_callback and related enums are private members. The feature is designed for internal debugging and not for end users. Signed-off-by: Christian Heimes <christian@python.org>
* Fix rst formatting for several links in ssl documentation (GH-13133)Toshio Kuratomi2019-05-061-3/+3
|
* Add versionadded directives to ssl.minimum_version and ssl.maximum_version ↵Zhiming Wang2019-02-281-6/+10
| | | | | | (GH-11894)
* bpo-35044, doc: Use the :exc: role for the exceptions (GH-10037)Stéphane Wirtel2018-10-261-1/+1
|
* bpo-11233: Create availability directive for documentation (GH-9692)Cheryl Sabella2018-10-121-6/+6
| | | | | | Replace "Availability: xxx" with ".. availability:: xxx" in the doc. Original patch by Georg Brandl. Co-Authored-By: Georg Brandl <georg@python.org>
* bpo-34906: Doc: Fix typos (GH-9712)Stéphane Wirtel2018-10-051-1/+1
|
* bpo-34670: Add TLS 1.3 post handshake auth (GH-9460)Christian Heimes2018-09-231-0/+42
| | | | | | | | | | Add SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake authentication. Signed-off-by: Christian Heimes <christian@python.org>q https://bugs.python.org/issue34670
* closes bpo-34050: Fix link in SSL docs (GH-8173)Marcin Niemira2018-07-071-1/+1
|
* bpo-33892: Doc: Use gender neutral words (GH-7770)Andrés Delfino2018-06-181-1/+1
|
* bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530)Christian Heimes2018-06-111-13/+25
| | | | | | | | | The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were misleading and partly wrong. It fails to explain that OpenSSL behaves differently in client and server mode. Also OpenSSL does validate the cert chain everytime. With SSL_VERIFY_NONE a validation error is not fatal in client mode and does not request a client cert in server mode. Also discourage people from using CERT_OPTIONAL in client mode.
* bpo-31215: Add version changed notes for OpenSSL 1.1.0 compatibility (GH-7346)Mayank Singhal2018-06-051-0/+3
|
* bpo-33641: Convert RFC references into links. (GH-7103)Serhiy Storchaka2018-05-311-6/+6
| | | | 85% of them are already links.
* bpo-33618: Enable TLS 1.3 in tests (GH-7079)Christian Heimes2018-05-231-1/+27
| | | | | | | | | | | | TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS client cert auth are now handled after the initialy handshake. Tests now either send/recv data to trigger session and client certs. Or tests ignore ConnectionResetError / BrokenPipeError on the server side to handle clients that force-close the socket fd. To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR https://github.com/openssl/openssl/pull/6340) is required. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)Christian Heimes2018-05-221-5/+3
| | | | | | | | | | Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests and Travis config to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32257: Add ssl.OP_NO_RENEGOTIATION (GH-5904)Christian Heimes2018-05-151-0/+9
| | | | | | | | The ssl module now contains OP_NO_RENEGOTIATION constant, available with OpenSSL 1.1.0h or 1.1.1. Note, OpenSSL 1.1.0h hasn't been released yet. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-33503: Fix the broken pypi link in the source and the documentation ↵Stéphane Wirtel2018-05-151-2/+2
| | | | (GH-6814)
* bpo-33045: Fix typos in SSL documentation (GH-6065)Matt Eaton2018-03-111-2/+2
|
* bpo-31453: Add setter for min/max protocol version (#5259)Christian Heimes2018-02-271-2/+99
| | | | | | | | | | | | OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported protocol version. The API is easier to use than the old OP_NO_TLS1 option flags, too. Since OpenSSL has no call to set minimum version to highest supported, the implementation emulate maximum_version = MINIMUM_SUPPORTED and minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and maximum supported version at compile time. Signed-off-by: Christian Heimes <christian@python.org>
generated by cgit v0.12 at 2024-12-05 00:21:36 (GMT)