path: root/Doc/library/ssl.rst
Commit message | Author | Age | Files | Lines
* gh-95451: Update docs for wasm32-emscripten and -wasi platforms (GH-95452) | Christian Heimes | 2022-08-02 | 1 | -0/+1
| Co-authored-by: Éric <merwok@netwok.org>
| Co-authored-by: Michael Droettboom <mdboom@gmail.com>
| Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
| Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>
* gh-95415: Make availability directive consistent (GH-95416) | Christian Heimes | 2022-07-29 | 1 | -3/+0
|
* gh-94172: Remove ssl.PROTOCOL_SSLv2 dead code (#94312) | Victor Stinner | 2022-06-28 | 1 | -18/+2
| Remove dead code related to ssl.PROTOCOL_SSLv2. ssl.PROTOCOL_SSLv2 was already removed in Python 3.10. In test_ssl, @requires_tls_version('SSLv2') always returned False. Extract of the removed code: "OpenSSL has removed support for SSLv2".
* gh-94199: Remove ssl.match_hostname() function (#94224) | Victor Stinner | 2022-06-25 | 1 | -52/+5
|
* gh-94199: Remove ssl.RAND_pseudo_bytes() function (#94202) | Victor Stinner | 2022-06-24 | 1 | -23/+2
| Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python 3.6: use os.urandom() or ssl.RAND_bytes() instead.
* gh-93851: Fix all broken links in Doc/ (GH-93853) | Oleg Iarygin | 2022-06-21 | 1 | -2/+2
|
* Doc: amend ssl.PROTOCOL_SSLv2 and ssl.PROTOCOL_SSLv3 wording (#92634) | Jan Brasna | 2022-05-19 | 1 | -3/+3
|
* gh-91611: Use example.com for documentation, not mydomain.com (#91613) | Motoki Naruse | 2022-04-30 | 1 | -1/+1
| example.com is reserved by the IANA as special-use domain name for documentation purposes. The domain names are used widely in books, tutorials, sample network configurations, and generally as examples for the use of domain name. On the other hand, mydomain.com is real Domain Name Registration service.
* ssl docs: Fix typo (GH-32336) | Frederick | 2022-04-07 | 1 | -1/+1
|
* ssl docs: Fix typo (GH-32314) | Frederick | 2022-04-07 | 1 | -1/+1
|
* [docs] Correct typos in SSLContext.sni_callback (GH-30623) | Jörn Heissler | 2022-02-19 | 1 | -3/+3
| Co-authored-by: Jörn Heissler <nosuchaddress@joern-heissler.de>
* bpo-40066: [Enum] fix tests (GH-30643) | Ethan Furman | 2022-01-17 | 1 | -1/+1
| - skip doctest that changes depending on target system
| - skip doctest that only fails on CI
| - substitute in values that change depending on target system
* bpo-40066: [Enum] skip failing doc test (GH-30637) | Kumar Aditya | 2022-01-17 | 1 | -2/+2
|
* Revert "bpo-40066: [Enum] update str() and format() output (GH-30582)" (GH-30632) | Victor Stinner | 2022-01-17 | 1 | -2/+2
| This reverts commit acf7403f9baea3ae1119fc6b4a3298522188bf96.
* bpo-40066: [Enum] update str() and format() output (GH-30582) | Ethan Furman | 2022-01-16 | 1 | -2/+2
| Undo rejected PEP-663 changes:
| - restore `repr()` to its 3.10 status
| - restore `str()` to its 3.10 status
|
| New changes:
| - `IntEnum` and `IntFlag` now leave `__str__` as the original `int.__str__` so that str() and format() return the same result
| - zero-valued flags without a name have a slightly changed repr(), e.g. `repr(Color(0)) == '<Color: 0>'`
| - update `dir()` for mixed-in types to return all the methods and attributes of the mixed-in type
| - added `_numeric_repr_` to `Flag` to control display of unnamed values
| - enums without doc strings have a more comprehensive doc string added
| - `ReprEnum` added -- inheriting from this makes it so only `__repr__` is replaced, not `__str__` nor `__format__`; `IntEnum`, `IntFlag`, and `StrEnum` all inherit from `ReprEnum`
* bpo-45457: Minor fix to documentation for SSLContext.load_default_certs. (GH-28947) | LincolnPuzey | 2021-11-02 | 1 | -1/+1
| Specify that SSLContext.set_default_verify_paths is called on ALL systems. The code of SSLContext.load_default_certs was changed in bpo-22449 to do this, this fix corrects the documentation to match that change.
* bpo-41203: Replace Mac OS X and OS X with macOS (GH-28515) | Serhiy Storchaka | 2021-09-22 | 1 | -1/+1
| Replace old names when they refer to actual versions of macOS. Keep historical names in references to older versions.
| Co-authored-by: Patrick Reader <_@pxeger.com>
* bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378) | Mariusz Felisiak | 2021-07-26 | 1 | -2/+2
| Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* Fix typo in ssl documentation (GH-27329) | Anton Grübel | 2021-07-24 | 1 | -2/+2
|
* bpo-44362: ssl: improve deprecation warnings and docs (GH-26646) | Christian Heimes | 2021-06-11 | 1 | -6/+10
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817) | Christian Heimes | 2021-05-02 | 1 | -0/+8
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778) | Christian Heimes | 2021-05-01 | 1 | -0/+8
| The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. :class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
|
| Settings are based on Hynek Schlawack's research.
|
| ```
| $ openssl version
| OpenSSL 1.1.1k FIPS 25 Mar 2021
| $ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
| TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
| TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
| TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
| TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
| ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
| ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
| ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
| ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
| ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
| ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
| ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
| ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
| ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
| ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
| DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
| DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
| DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
| DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
| ```
|
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270) | Zackery Spytz | 2021-04-24 | 1 | -2/+7
|
* bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463) | l0x | 2021-04-19 | 1 | -0/+11
| This short PR exposes an openssl flag that wasn't exposed. I've also updated to doc to reflect the change. It's heavily inspired by 990fcaac3c428569697f62a80fd95ab4d4b93151.
* bpo-43880: Show DeprecationWarnings for deprecated ssl module features (GH-25455) | Christian Heimes | 2021-04-19 | 1 | -17/+44
| * ssl.OP_NO_SSLv2
| * ssl.OP_NO_SSLv3
| * ssl.OP_NO_TLSv1
| * ssl.OP_NO_TLSv1_1
| * ssl.OP_NO_TLSv1_2
| * ssl.OP_NO_TLSv1_3
| * ssl.PROTOCOL_SSLv2
| * ssl.PROTOCOL_SSLv3
| * ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
| * ssl.PROTOCOL_TLS
| * ssl.PROTOCOL_TLSv1
| * ssl.PROTOCOL_TLSv1_1
| * ssl.PROTOCOL_TLSv1_2
| * ssl.TLSVersion.SSLv3
| * ssl.TLSVersion.TLSv1
| * ssl.TLSVersion.TLSv1_1
| * ssl.wrap_socket()
| * ssl.RAND_pseudo_bytes()
| * ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
| * ssl.SSLContext() without a protocol argument
| * ssl.match_hostname()
| * hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL function will stay)
|
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-42854: Use SSL_read/write_ex() (GH-25468) | Christian Heimes | 2021-04-19 | 1 | -0/+5
| The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The functions support reading and writing of data larger than 2 GB. Writing zero-length data no longer fails with a protocol violation error.
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43641: Stop stating that TLS 1.2 is the most modern version in docs (GH-25041) | Illia Volochii | 2021-04-18 | 1 | -3/+2
| Automerge-Triggered-By: GH:tiran
* bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453) | Christian Heimes | 2021-04-17 | 1 | -101/+11
|
* bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899) | Christian Heimes | 2021-04-17 | 1 | -0/+5
| Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*.
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309) | Christian Heimes | 2021-04-09 | 1 | -0/+8
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40066: Enum: modify `repr()` and `str()` (GH-22392) | Ethan Furman | 2021-03-31 | 1 | -2/+2
| * Enum: streamline repr() and str(); improve docs
| - repr() is now ``enum_class.member_name``
| - stdlib global enums are ``module_name.member_name``
| - str() is now ``member_name``
| - add HOW-TO section for ``Enum``
| - change main documentation to be an API reference
* bpo-39616: clarify SSLContext.check_hostname effect (GH-18484) | Ville Skyttä | 2021-03-27 | 1 | -1/+1
| It doesn't actually affect whether match_hostname() is called (it never is in this context any longer), but whether hostname verification occurs in the first place.
* bpo-39342: Expose X509_V_FLAG_ALLOW_PROXY_CERTS in ssl module (GH-18011) | Chris Burr | 2021-03-18 | 1 | -0/+7
| Exposes the `X509_V_FLAG_ALLOW_PROXY_CERTS` constant as `ssl.VERIFY_ALLOW_PROXY_CERTS` to allow for proxy certificate validation as described in: https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html
* bpo-41195: Add getter for Openssl security level (GH-21282) | matthewhughes934 | 2020-07-17 | 1 | -0/+10
| Add an accessor under SSLContext.security_level as a wrapper around SSL_CTX_get_security_level, see: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html
| ------
| This is my first time contributing, so please pull me up on all the things I missed or did incorrectly.
| Automerge-Triggered-By: @tiran
* Remove duplicated words words (GH-20413) | Serhiy Storchaka | 2020-05-26 | 1 | -1/+1
|
* Document missing methods of ssl.SSLObject (#19400) | Rémi Lapeyre | 2020-04-07 | 1 | -0/+3
| Co-authored-by: Rémi Lapeyre <remi.lapeyre@lenstra.fr>
* fix comma location in various places (GH-19233) | Mathieu Dupuy | 2020-03-30 | 1 | -2/+2
|
* bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190) | Christian Heimes | 2019-12-07 | 1 | -0/+3
| test_openssl_version now accepts version 3.0.0. getpeercert() no longer returns IPv6 addresses with a trailing new line.
| Signed-off-by: Christian Heimes <christian@python.org>
| https://bugs.python.org/issue38820
* bpo-38738: Fix formatting of True and False. (GH-17083) | Serhiy Storchaka | 2019-11-12 | 1 | -2/+2
| * "Return true/false" is replaced with "Return ``True``/``False``" if the function actually returns a bool.
| * Fixed formatting of some True and False literals (now in monospace).
| * Replaced "True/False" with "true/false" if it can be not only bool.
| * Replaced some 1/0 with True/False if it corresponds the code.
| * "Returns <bool>" is replaced with "Return <bool>".
* Doc: Fix grammar/spelling in ssl.VERIFY_CRL_CHECK_LEAF docs (GH-16221) | Jörn Heissler | 2019-09-17 | 1 | -2/+2
|
* bpo-32008: Prefer client or TLSv1_2 in examples (GH-5797) | Christian Heimes | 2019-09-12 | 1 | -8/+14
| Prefer client or TLSv1_2 in examples
| Signed-off-by: Christian Heimes <christian@python.org>
* Fix typo in ssl.RAND_bytes documentation (GH-14791) | Zach Thompson | 2019-09-10 | 1 | -1/+1
| It looks like "cryptographically strong" is the preferred phrase from the surrounding documentation.
| Automerge-Triggered-By: @tiran
* bpo-37120: Add SSLContext.num_tickets (GH-13719) | Christian Heimes | 2019-06-03 | 1 | -0/+13
| Signed-off-by: Christian Heimes <christian@python.org>
* bpo-34271: Add ssl debugging helpers (GH-10031) | Christian Heimes | 2019-05-31 | 1 | -0/+23
| The ssl module now can dump key material to a keylog file and trace TLS protocol messages with a tracing callback. The default and stdlib contexts also support SSLKEYLOGFILE env var.
| The msg_callback and related enums are private members. The feature is designed for internal debugging and not for end users.
| Signed-off-by: Christian Heimes <christian@python.org>
* Fix rst formatting for several links in ssl documentation (GH-13133) | Toshio Kuratomi | 2019-05-06 | 1 | -3/+3
|
* Add versionadded directives to ssl.minimum_version and ssl.maximum_version (GH-11894) | Zhiming Wang | 2019-02-28 | 1 | -6/+10
* bpo-35044, doc: Use the :exc: role for the exceptions (GH-10037) | Stéphane Wirtel | 2018-10-26 | 1 | -1/+1
|
* bpo-11233: Create availability directive for documentation (GH-9692) | Cheryl Sabella | 2018-10-12 | 1 | -6/+6
| Replace "Availability: xxx" with ".. availability:: xxx" in the doc. Original patch by Georg Brandl.
| Co-Authored-By: Georg Brandl <georg@python.org>
* bpo-34906: Doc: Fix typos (GH-9712) | Stéphane Wirtel | 2018-10-05 | 1 | -1/+1
|
* bpo-34670: Add TLS 1.3 post handshake auth (GH-9460) | Christian Heimes | 2018-09-23 | 1 | -0/+42
| Add SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake authentication.
| Signed-off-by: Christian Heimes <christian@python.org>
| https://bugs.python.org/issue34670