summaryrefslogtreecommitdiffstats
path: root/Lib/ssl.py
Commit message (Collapse)AuthorAgeFilesLines
* bpo-31429: Define TLS cipher suite on build time (#3532)Christian Heimes2018-01-291-46/+2
| | | | | | | | | | | | | Until now Python used a hard coded white list of default TLS cipher suites. The old approach has multiple downsides. OpenSSL's default selection was completely overruled. Python did neither benefit from new cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites. For example we used to re-enable 3DES. Python now defaults to OpenSSL DEFAULT cipher suite selection and black lists all unwanted ciphers. Downstream vendors can override the default cipher list with --with-ssl-default-suites. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31399: Let OpenSSL verify hostname and IP address (#3462)Christian Heimes2018-01-271-9/+20
| | | | | | | | | | | | | | | bpo-31399: Let OpenSSL verify hostname and IP The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses. * Remove match_hostname calls * Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host() * Add documentation for OpenSSL 1.0.2 requirement * Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform. * Add hostname_checks_common_name Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31853: Replaced socket.method calls with super() in SSLSocket. (#4048)Mads Jensen2018-01-271-20/+19
|
* bpo-23033: Improve SSL Certificate handling (GH-937)Mandeep Singh2017-11-261-2/+7
| | | | Wildcard is now supported in hostname when it is one and only character in the leftmost segment.
* bpo-31659: Use simple slicing to format PEM cert (GH-3849)INADA Naoki2017-10-021-4/+4
| | | | | | | DER_cert_to_PEM_cert() used textwrap.fill() to format PEM. But it's library to wrap lines on word boundary, while PEM is base64 encoded string. Additionally, importing textwrap is little slow.
* bpo-31346: Use PROTOCOL_TLS_CLIENT/SERVER (#3058)Christian Heimes2017-09-151-2/+5
| | | | | | Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31386: Custom wrap_bio and wrap_socket type (#3426)Christian Heimes2017-09-151-8/+18
| | | | | | | | | SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and SSLSocket as return types. In the light of future deprecation of ssl.wrap_socket() module function and direct instantiation of SSLSocket, it is desirable to make the return type of SSLSocket.wrap_bio() and SSLSocket.wrap_socket() customizable. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-28182: Expose OpenSSL verification results (#3412)Christian Heimes2017-09-081-1/+1
| | | | | | | | | The SSL module now raises SSLCertVerificationError when OpenSSL fails to verify the peer's certificate. The exception contains more information about the error. Original patch by Chi Hsuan Yen Signed-off-by: Christian Heimes <christian@python.org>
* bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)Christian Heimes2017-09-081-1/+7
| | | | | | | | | | | | | | | | * bpo-29136: Add TLS 1.3 support TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites. Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-27340: Use memoryview in SSLSocket.sendall() (#3384)Christian Heimes2017-09-071-4/+5
| | | | | | | | | | | | | | * bpo-27340: Use memoryview in SSLSocket.sendall() SSLSocket.sendall() now uses memoryview to create slices of data. This fix support for all bytes-like object. It is also more efficient and avoids costly copies. Signed-off-by: Christian Heimes <christian@python.org> * Cast view to bytes, fix typo Signed-off-by: Christian Heimes <christian@python.org>
* Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContextChristian Heimes2016-09-111-0/+2
|
* Issue #19500: Add client-side SSL session resumption to the ssl module.Christian Heimes2016-09-101-12/+53
|
* Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.Christian Heimes2016-09-101-1/+0
| | | | | | | The deprecation include manual creation of SSLSocket and certfile/keyfile (or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib. ssl.wrap_socket() is not marked as deprecated yet.
* Issue 28043: SSLContext has improved default settingsChristian Heimes2016-09-101-24/+6
| | | | The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
* Issue #28025: Convert all ssl module constants to IntEnum and IntFlags.Christian Heimes2016-09-091-19/+61
|
* Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ↵Christian Heimes2016-09-061-15/+21
|\ | | | | | | ChaCha20 Poly1305.
| * Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ↵Christian Heimes2016-09-061-15/+21
| | | | | | | | ChaCha20 Poly1305.
* | Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-8/+10
|\ \ | |/
| * Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-8/+10
| |
* | Issue #27114: Fix SSLContext._load_windows_store_certs fails with ↵Steve Dower2016-05-261-5/+9
|\ \ | |/ | | | | PermissionError
| * Issue #27114: Fix SSLContext._load_windows_store_certs fails with ↵Steve Dower2016-05-261-5/+9
| | | | | | | | PermissionError
* | Issue #25951: Fix SSLSocket.sendall() to return None, by Aviv PalivodaMartin Panter2016-04-031-1/+0
|/
* Issue #23804: Fix SSL recv/read(0) to not return 1024 bytesMartin Panter2016-03-281-3/+3
|
* Issue #26313: ssl.py _load_windows_store_certs fails if windows cert store ↵Steve Dower2016-03-171-1/+2
| | | | is empty. Patch by Baji.
* issue23673Ethan Furman2015-03-191-4/+4
| | | | | | | | | add private method to enum to support replacing global constants with Enum members: - search for candidate constants via supplied filter - create new enum class and members - insert enum class and replace constants with members via supplied module name - replace __reduce_ex__ with function that returns member name, so previous Python versions can unpickle modify IntEnum classes to use new method
* merge 3.4Benjamin Peterson2015-03-051-2/+1
|\
| * use _import_symbols to import VERIFY_* constantsBenjamin Peterson2015-03-051-2/+1
| |
* | merge 3.4 (#23481)Benjamin Peterson2015-02-191-4/+2
|\ \ | |/
| * remove rc4 from the default client ciphers (closes #23481)Benjamin Peterson2015-02-191-4/+2
| |
| * Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. TheVictor Stinner2015-01-061-1/+6
| | | | | | | | | | availability of the function is checked during the compilation. Patch written by Bernard Spil.
| * Issue #20896, #22935: The ssl.get_server_certificate() function now uses theVictor Stinner2015-01-061-1/+1
| | | | | | | | | | | | ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is disabled.
| * Issue #22935: Fix ssl module when SSLv3 protocol is not supportedVictor Stinner2014-12-121-6/+2
| |
* | Issue #23239: ssl.match_hostname() now supports matching of IP addresses.Antoine Pitrou2015-02-151-1/+22
| |
* | add support for ALPN (closes #20188)Benjamin Peterson2015-01-231-1/+26
| |
* | remove extra definite articleBenjamin Peterson2015-01-111-2/+2
| |
* | explain None can be returnedBenjamin Peterson2015-01-071-1/+3
| |
* | expose the client's cipher suites from the handshake (closes #23186)Benjamin Peterson2015-01-071-0/+10
| |
* | Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. TheVictor Stinner2014-11-281-1/+6
| | | | | | | | | | | | availability of the function is checked during the compilation. Patch written by Bernard Spil.
* | merge 3.4 (#22921)Benjamin Peterson2014-11-231-6/+1
|\ \ | |/
| * don't require OpenSSL SNI to pass hostname to ssl functions (#22921)Benjamin Peterson2014-11-231-6/+1
| | | | | | | | Patch by Donald Stufft.
| * Issue #22638: SSLv3 is now disabled throughout the standard library.Antoine Pitrou2014-10-171-0/+3
| | | | | | | | It can still be enabled by instantiating a SSLContext manually.
* | merge 3.4 (#22417)Benjamin Peterson2014-11-031-2/+8
|\ \ | |/
| * PEP 476: enable HTTPS certificate verification by default (#22417)Benjamin Peterson2014-11-031-2/+9
| | | | | | | | Patch by Alex Gaynor with some modifications by me.
* | Issue #22186: Fix typos in Lib/.Berker Peksag2014-10-191-1/+1
|\ \ | |/ | | | | Patch by Févry Thibault.
| * Issue #22186: Fix typos in Lib/.Berker Peksag2014-10-191-1/+1
| | | | | | | | Patch by Févry Thibault.
* | Issue #22638: SSLv3 is now disabled throughout the standard library.Antoine Pitrou2014-10-171-0/+3
| | | | | | | | It can still be enabled by instantiating a SSLContext manually.
* | Remove unused "block" argument in SSLObject.do_handshake() (issue #21965)Antoine Pitrou2014-10-051-1/+1
| |
* | Issue #21965: Add support for in-memory SSL to the ssl module.Antoine Pitrou2014-10-051-24/+139
| | | | | | | | Patch by Geert Jansen.
* | merge 3.4 (#22449)Benjamin Peterson2014-10-031-2/+1
|\ \ | |/
| * also use openssl envvars to find certs on windows (closes #22449)Benjamin Peterson2014-10-031-2/+1
| | | | | | | | Patch by Christian Heimes and Alex Gaynor.
generated by cgit v0.12 at 2024-11-23 16:15:47 (GMT)