| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Store exceptions as string rather than object to prevent reference
cycles which cause leaking dangling threads.
(cherry picked from commit 868710158910fa38e285ce0e6d50026e1d0b2a8c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-27340: Use memoryview in SSLSocket.sendall()
SSLSocket.sendall() now uses memoryview to create slices of data. This fix
support for all bytes-like object. It is also more efficient and avoids
costly copies.
Signed-off-by: Christian Heimes <christian@python.org>
* Cast view to bytes, fix typo
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 888bbdc192ec4db888a294ef758cf5510442dc9a)
|
| |
|
|
|
|
|
| |
SSLObject.version() now correctly returns None when handshake over BIO has
not been performed yet.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6877111)
|
| |
|
|
|
|
|
|
| |
In case PROTOCOL_TLS_SERVER is used for both client context and server
context, the test thread dies with OSError. Catch OSError to avoid
traceback on sys.stderr
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 305e56c27afce605e5d2f71903a966cf0bb95038)
|
| |
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 002d64039b60c1a9289f981fe73a5cf91d082136)
|
| |
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
callback can pretend to not been set.
See https://github.com/openssl/openssl/pull/3158 for more details
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit a5c1bab352671e043645163ca50c5211aa657acd)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
AsyncoreEchoServer of test_ssl now calls
asyncore.close_all(ignore_all=True) to ensure that
asyncore.socket_map is cleared once the test completes, even if
ConnectionHandler was not correctly unregistered.
Fix the following warning:
Warning -- asyncore.socket_map was modified by test_ssl
Before: {}
After: {6: <test.test_ssl.AsyncoreEchoServer.EchoServer.ConnectionHandler>}
(cherry picked from commit 1dae7450c68bad498e57800387b24cb103c461fa)
|
| | |
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| | |
The later value of FOO is fine. The test just needs to verify that the server
converted it to lowercase.
|
| |\ \
| |/ |
|
| | | |
|
| | |
| |
| |
| | |
PROTOCOL_TLS_SERVER
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
The deprecation include manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.
ssl.wrap_socket() is not marked as deprecated yet.
|
| | |
| |
| |
| | |
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
|
| | |
| |
| |
| |
| |
| |
| | |
And most of the tools.
Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and
Martin Panter.
|
| |\ \
| |/
| |
| | |
fields in X.509 certs.
|
| | |
| |
| |
| | |
fields in X.509 certs.
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
enabled ciphers.
|
| |\ \
| |/ |
|
| | | |
|
| |\ \
| |/ |
|
| | | |
|
| |\ \
| |/ |
|
| | | |
|
| | | |
|
| |\ \
| |/ |
|
| | | |
|
| |\ \
| |/ |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Move many tests from NetworkedTests and NetworkedBIOTests to a new Simple-
BackgroundTests class, using the existing ThreadedEchoServer and SIGNED_
CERTFILE infrastructure.
For tests that cause the server to crash by rejecting its certificate,
separate them into independent test methods.
Added custom root certificate to capath with the following commands:
cp Lib/test/{pycacert.pem,capath/}
# Edit copy to remove part before certificate
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{pycacert.pem,b1930218.0}
mv Lib/test/capath/{pycacert.pem,ceff1710.0}
Change to pure PEM version of SIGNING_CA because PEM_cert_to_DER_cert() does
not like the extra text at the start.
Moved test_connect_ex_error() into BasicSocketTests and rewrote it to connect
to a reserved localhost port.
NetworkedTests.test_get_server_certificate_ipv6() split out because it needs
to connect to an IPv6 DNS address.
The only reference left to self-signed.pythontest.net is test_timeout_
connect_ex(), which needs a remote server to reliably time out the
connection, but does not rely on the server running SSL.
Made ThreadedEchoServer call unwrap() by default when it sees the client has
shut the connection down, so that the client can cleanly call unwrap().
|
| |/
|
|
|
|
| |
Issue #26590: support.check_warnings() stores warnins, but ResourceWarning now
comes with a reference to the socket object which indirectly keeps the socket
alive.
|
| |
|
|
|
|
|
|
|
| |
Test test_wrong_cert() runs a server that rejects the client's certificate,
so ECONNRESET is reasonable in addition to SSLError. On the other hand, the
other three tests don't even need to run a server because they are just
testing the parsing of invalid certificate files.
Also fix a ResourceWarning by closing the wrapped socket.
|
| |
|
|
|
|
| |
Testing for a non-existing certificate file is already done in test_errors().
Copy wrongcert.pem from Python 2 and use it to test the behaviour with a
mismatched certificate.
|
| |\ |
|
| | |\ |
|
| | | |\ |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
Removed SSL_ERROR_SYSCALL checking from ssl_io_loop() so that the loop can
terminate when unwrap() raises that error.
|
| |\ \ \ \
| |/ / / |
|
| | | | | |
|
| | |\ \ \
| | |/ / |
|
| | | |\ \
| | | |/ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This is instead of svn.python.org, whose certificate recently expired, and
whose new certificate uses a different root certificate.
The certificate used at the pythontest server was modifed to set the "basic
constraints" CA flag. This flag seems to be required for test_get_ca_certs_
capath() to work (in Python 3.4+).
Added the new self-signed certificate to capath with the following commands:
cp Lib/test/{selfsigned_pythontestdotnet.pem,capath/}
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{selfsigned_pythontestdotnet.pem,0e4015b9.0}
mv Lib/test/capath/{selfsigned_pythontestdotnet.pem,ce7b8643.0}
The new server responds with "No route to host" when connecting to port 444.
|
