summaryrefslogtreecommitdiffstats
path: root/Lib/ssl.py
Commit message (Collapse)AuthorAgeFilesLines
* Fix a typo ssl.py docstring (GH-9697)Matt Eaton2018-10-051-1/+1
|
* bpo-34670: Add TLS 1.3 post handshake auth (GH-9460)Christian Heimes2018-09-231-0/+9
| | | | | | | | | | Add SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake authentication. Signed-off-by: Christian Heimes <christian@python.org>q https://bugs.python.org/issue34670
* bpo-34282: Fix Enum._convert shadowing members named _convert (GH-8568)orlnub1232018-09-121-6/+6
| | | | | * Fix enum members getting shadowed by parent attributes * Move Enum._convert to EnumMeta._convert_ * Deprecate _convert
* bpo-24334: Remove inaccurate match_hostname call (#6211)Christian Heimes2018-03-241-5/+0
| | | | | | Commit 141c5e8c re-added match_hostname() call. The resurrection of the function call was never intended and was solely a merge mistake. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31453: Add setter for min/max protocol version (#5259)Christian Heimes2018-02-271-3/+34
| | | | | | | | | | | | OpenSSL 1.1 has introduced a new API to set the minimum and maximum supported protocol version. The API is easier to use than the old OP_NO_TLS1 option flags, too. Since OpenSSL has no call to set minimum version to highest supported, the implementation emulate maximum_version = MINIMUM_SUPPORTED and minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and maximum supported version at compile time. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32951: Disable SSLSocket/SSLObject constructor (#5864)Christian Heimes2018-02-271-71/+67
| | | | | | | | | | | | | | | | Direct instantiation of SSLSocket and SSLObject objects is now prohibited. The constructors were never documented, tested, or designed as public constructors. The SSLSocket constructor had limitations. For example it was not possible to enabled hostname verification except was ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED. SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is also deprecated. The only test case for direct instantiation was added a couple of days ago for IDNA testing. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-24334: Cleanup SSLSocket (#5252)Christian Heimes2018-02-241-54/+62
| | | | | | | | | | | | | * The SSLSocket is no longer implemented on top of SSLObject to avoid an extra level of indirection. * Owner and session are now handled in the internal constructor. * _ssl._SSLSocket now uses the same method names as SSLSocket and SSLObject. * Channel binding type check is now handled in C code. Channel binding is always available. The patch also changes the signature of SSLObject.__init__(). In my opinion it's fine. A SSLObject is not a user-constructable object. SSLContext.wrap_bio() is the only valid factory.
* bpo-32819: Simplify and improve ssl.match_hostname (#5620)Christian Heimes2018-02-241-41/+65
| | | | | | | ssl.match_hostname() has been simplified and no longer depends on re and ipaddress module for wildcard and IP addresses. Error reporting for invalid wildcards has been improved. Signed-off-by: Christian Heimes <christian@python.org>
* [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128)Christian Heimes2018-02-241-6/+34
| | | | | | | | | | | | Previously, the ssl module stored international domain names (IDNs) as U-labels. This is problematic for a number of reasons -- for example, it made it impossible for users to use a different version of IDNA than the one built into Python. After this change, we always convert to A-labels as soon as possible, and use them for all internal processing. In particular, server_hostname attribute is now an A-label, and on the server side there's a new sni_callback that receives the SNI servername as an A-label rather than a U-label.
* bpo-31429: Define TLS cipher suite on build time (#3532)Christian Heimes2018-01-291-46/+2
| | | | | | | | | | | | | Until now Python used a hard coded white list of default TLS cipher suites. The old approach has multiple downsides. OpenSSL's default selection was completely overruled. Python did neither benefit from new cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites. For example we used to re-enable 3DES. Python now defaults to OpenSSL DEFAULT cipher suite selection and black lists all unwanted ciphers. Downstream vendors can override the default cipher list with --with-ssl-default-suites. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31399: Let OpenSSL verify hostname and IP address (#3462)Christian Heimes2018-01-271-9/+20
| | | | | | | | | | | | | | | bpo-31399: Let OpenSSL verify hostname and IP The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses. * Remove match_hostname calls * Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host() * Add documentation for OpenSSL 1.0.2 requirement * Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform. * Add hostname_checks_common_name Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31853: Replaced socket.method calls with super() in SSLSocket. (#4048)Mads Jensen2018-01-271-20/+19
|
* bpo-23033: Improve SSL Certificate handling (GH-937)Mandeep Singh2017-11-261-2/+7
| | | | Wildcard is now supported in hostname when it is one and only character in the leftmost segment.
* bpo-31659: Use simple slicing to format PEM cert (GH-3849)INADA Naoki2017-10-021-4/+4
| | | | | | | DER_cert_to_PEM_cert() used textwrap.fill() to format PEM. But it's library to wrap lines on word boundary, while PEM is base64 encoded string. Additionally, importing textwrap is little slow.
* bpo-31346: Use PROTOCOL_TLS_CLIENT/SERVER (#3058)Christian Heimes2017-09-151-2/+5
| | | | | | Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31386: Custom wrap_bio and wrap_socket type (#3426)Christian Heimes2017-09-151-8/+18
| | | | | | | | | SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and SSLSocket as return types. In the light of future deprecation of ssl.wrap_socket() module function and direct instantiation of SSLSocket, it is desirable to make the return type of SSLSocket.wrap_bio() and SSLSocket.wrap_socket() customizable. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-28182: Expose OpenSSL verification results (#3412)Christian Heimes2017-09-081-1/+1
| | | | | | | | | The SSL module now raises SSLCertVerificationError when OpenSSL fails to verify the peer's certificate. The exception contains more information about the error. Original patch by Chi Hsuan Yen Signed-off-by: Christian Heimes <christian@python.org>
* bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)Christian Heimes2017-09-081-1/+7
| | | | | | | | | | | | | | | | * bpo-29136: Add TLS 1.3 support TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites. Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-27340: Use memoryview in SSLSocket.sendall() (#3384)Christian Heimes2017-09-071-4/+5
| | | | | | | | | | | | | | * bpo-27340: Use memoryview in SSLSocket.sendall() SSLSocket.sendall() now uses memoryview to create slices of data. This fix support for all bytes-like object. It is also more efficient and avoids costly copies. Signed-off-by: Christian Heimes <christian@python.org> * Cast view to bytes, fix typo Signed-off-by: Christian Heimes <christian@python.org>
* Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContextChristian Heimes2016-09-111-0/+2
|
* Issue #19500: Add client-side SSL session resumption to the ssl module.Christian Heimes2016-09-101-12/+53
|
* Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.Christian Heimes2016-09-101-1/+0
| | | | | | | The deprecation include manual creation of SSLSocket and certfile/keyfile (or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib. ssl.wrap_socket() is not marked as deprecated yet.
* Issue 28043: SSLContext has improved default settingsChristian Heimes2016-09-101-24/+6
| | | | The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
* Issue #28025: Convert all ssl module constants to IntEnum and IntFlags.Christian Heimes2016-09-091-19/+61
|
* Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ↵Christian Heimes2016-09-061-15/+21
|\ | | | | | | ChaCha20 Poly1305.
| * Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ↵Christian Heimes2016-09-061-15/+21
| | | | | | | | ChaCha20 Poly1305.
* | Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-8/+10
|\ \ | |/
| * Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-8/+10
| |
* | Issue #27114: Fix SSLContext._load_windows_store_certs fails with ↵Steve Dower2016-05-261-5/+9
|\ \ | |/ | | | | PermissionError
| * Issue #27114: Fix SSLContext._load_windows_store_certs fails with ↵Steve Dower2016-05-261-5/+9
| | | | | | | | PermissionError
* | Issue #25951: Fix SSLSocket.sendall() to return None, by Aviv PalivodaMartin Panter2016-04-031-1/+0
|/
* Issue #23804: Fix SSL recv/read(0) to not return 1024 bytesMartin Panter2016-03-281-3/+3
|
* Issue #26313: ssl.py _load_windows_store_certs fails if windows cert store ↵Steve Dower2016-03-171-1/+2
| | | | is empty. Patch by Baji.
* issue23673Ethan Furman2015-03-191-4/+4
| | | | | | | | | add private method to enum to support replacing global constants with Enum members: - search for candidate constants via supplied filter - create new enum class and members - insert enum class and replace constants with members via supplied module name - replace __reduce_ex__ with function that returns member name, so previous Python versions can unpickle modify IntEnum classes to use new method
* merge 3.4Benjamin Peterson2015-03-051-2/+1
|\
| * use _import_symbols to import VERIFY_* constantsBenjamin Peterson2015-03-051-2/+1
| |
* | merge 3.4 (#23481)Benjamin Peterson2015-02-191-4/+2
|\ \ | |/
| * remove rc4 from the default client ciphers (closes #23481)Benjamin Peterson2015-02-191-4/+2
| |
| * Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. TheVictor Stinner2015-01-061-1/+6
| | | | | | | | | | availability of the function is checked during the compilation. Patch written by Bernard Spil.
| * Issue #20896, #22935: The ssl.get_server_certificate() function now uses theVictor Stinner2015-01-061-1/+1
| | | | | | | | | | | | ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is disabled.
| * Issue #22935: Fix ssl module when SSLv3 protocol is not supportedVictor Stinner2014-12-121-6/+2
| |
* | Issue #23239: ssl.match_hostname() now supports matching of IP addresses.Antoine Pitrou2015-02-151-1/+22
| |
* | add support for ALPN (closes #20188)Benjamin Peterson2015-01-231-1/+26
| |
* | remove extra definite articleBenjamin Peterson2015-01-111-2/+2
| |
* | explain None can be returnedBenjamin Peterson2015-01-071-1/+3
| |
* | expose the client's cipher suites from the handshake (closes #23186)Benjamin Peterson2015-01-071-0/+10
| |
* | Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. TheVictor Stinner2014-11-281-1/+6
| | | | | | | | | | | | availability of the function is checked during the compilation. Patch written by Bernard Spil.
* | merge 3.4 (#22921)Benjamin Peterson2014-11-231-6/+1
|\ \ | |/
| * don't require OpenSSL SNI to pass hostname to ssl functions (#22921)Benjamin Peterson2014-11-231-6/+1
| | | | | | | | Patch by Donald Stufft.
| * Issue #22638: SSLv3 is now disabled throughout the standard library.Antoine Pitrou2014-10-171-0/+3
| | | | | | | | It can still be enabled by instantiating a SSLContext manually.