path: root/Lib/test/test_ssl.py
Commit message | Author | Age | Files | Lines

* Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The availability of the function is checked during the compilation. Patch written by Bernard Spil.
    Author: Victor Stinner; Age: 2015-01-06; Files: 1; Lines: -2/+3
* Issue #22935: Fix test_ssl when the SSLv3 protocol is not supported
    Author: Victor Stinner; Age: 2014-12-12; Files: 1; Lines: -1/+2
* allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935)
    Patch by Kurt Roeckx.
    Author: Benjamin Peterson; Age: 2014-12-06; Files: 1; Lines: -7/+16
* don't require OpenSSL SNI to pass hostname to ssl functions (#22921)
    Patch by Donald Stufft.
    Author: Benjamin Peterson; Age: 2014-11-23; Files: 1; Lines: -6/+2
* test that keyfile can be None
    Author: Benjamin Peterson; Age: 2014-11-04; Files: 1; Lines: -1/+1
* PEP 476: enable HTTPS certificate verification by default (#22417)
    Patch by Alex Gaynor with some modifications by me.
    Author: Benjamin Peterson; Age: 2014-11-03; Files: 1; Lines: -3/+4
* separate cert loading tests into Windows and non-Windows cases
    Author: Benjamin Peterson; Age: 2014-10-03; Files: 1; Lines: -0/+15
* also use openssl envvars to find certs on windows (closes #22449)
    Patch by Christian Heimes and Alex Gaynor.
    Author: Benjamin Peterson; Age: 2014-10-03; Files: 1; Lines: -0/+8
* Issue #21976: Fix test_ssl to accept LibreSSL version strings.
    Thanks to William Orr.
    Author: Antoine Pitrou; Age: 2014-07-21; Files: 1; Lines: -6/+10
* Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015
    Author: Antoine Pitrou; Age: 2014-04-16; Files: 1; Lines: -1/+6
* Issue #21013: Enhance ssl.create_default_context() for server side contexts
    Closes #21013 by modifying ssl.create_default_context() to:
      * Move the restricted ciphers to only apply when using ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not is the lack of RC4 in the restricted. However there are servers that exist that only expose RC4 still.
      * Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context will select TLS1.1 or TLS1.2 if it is available.
      * Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
      * Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security of the perfect forward secrecy
      * Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side socket the context will prioritize our ciphers which have been carefully selected to maximize security and performance.
      * Documents the failure conditions when a SSL3.0 connection is required so that end users can more easily determine if they need to unset ssl.OP_NO_SSLv3.
    Author: Donald Stufft; Age: 2014-03-23; Files: 1; Lines: -3/+23
* Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1". (should also fix a buildbot failure introduced by #20995)
    Author: Antoine Pitrou; Age: 2014-03-22; Files: 1; Lines: -0/+12
* merge 3.3 (#20896)
    Author: Benjamin Peterson; Age: 2014-03-12; Files: 1; Lines: -3/+8
* Try to fix test_ssl failures on some buildbots
    Author: Antoine Pitrou; Age: 2014-01-09; Files: 1; Lines: -2/+2
| * Try to fix test_ssl failures on some buildbots
    Author: Antoine Pitrou; Age: 2014-01-09; Files: 1; Lines: -2/+2
* | Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
    Author: Antoine Pitrou; Age: 2014-01-09; Files: 1; Lines: -6/+4
| * Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
    Author: Antoine Pitrou; Age: 2014-01-09; Files: 1; Lines: -6/+4
* | Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
    Author: Antoine Pitrou; Age: 2013-12-28; Files: 1; Lines: -0/+11
| * Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
    Author: Antoine Pitrou; Age: 2013-12-28; Files: 1; Lines: -0/+12
* | (Merge 3.3) Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a ValueError if num is negative (instead of raising a SystemError).
    Author: Victor Stinner; Age: 2013-12-19; Files: 1; Lines: -0/+4
| * Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a ValueError if num is negative (instead of raising a SystemError).
    Author: Victor Stinner; Age: 2013-12-19; Files: 1; Lines: -0/+4
* | Issue #19919: Fix flaky SSL test. connect_ex() sometimes returns EWOULDBLOCK on Windows or VMs hosted on Windows.
    Author: Christian Heimes; Age: 2013-12-16; Files: 1; Lines: -2/+4
| * Issue #19919: Fix flaky SSL test. connect_ex() sometimes returns EWOULDBLOCK on Windows or VMs hosted on Windows.
    Author: Christian Heimes; Age: 2013-12-16; Files: 1; Lines: -2/+4
* | test_ssl: skip tests when SNI is not available
    Author: Christian Heimes; Age: 2013-12-15; Files: 1; Lines: -0/+2
* | Test SSLSock's context getter and setter
    Author: Christian Heimes; Age: 2013-12-05; Files: 1; Lines: -0/+14
* | add check_hostname arg to ssl._create_stdlib_context()
    Author: Christian Heimes; Age: 2013-12-02; Files: 1; Lines: -1/+3
* | Issue #19509: Add SSLContext.check_hostname to match the peer's certificate with server_hostname on handshake.
    Author: Christian Heimes; Age: 2013-12-02; Files: 1; Lines: -0/+62
* | Issue #19735: Implement private function ssl._create_stdlib_context() to create SSLContext objects in Python's stdlib module. It provides a single configuration point and makes use of SSLContext.load_default_certs().
    Author: Christian Heimes; Age: 2013-11-23; Files: 1; Lines: -0/+21
* | Issue #19689: Add ssl.create_default_context() factory function. It creates a new SSLContext object with secure default settings.
    Author: Christian Heimes; Age: 2013-11-23; Files: 1; Lines: -0/+20
* | Issue #19292: Add SSLContext.load_default_certs() to load default root CA certificates from default stores or system stores. By default the method loads CA certs for authentication of server certs.
    Author: Christian Heimes; Age: 2013-11-23; Files: 1; Lines: -0/+32
* | Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
    The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
    Author: Christian Heimes; Age: 2013-11-23; Files: 1; Lines: -0/+8
* | Issue #19448: report name / NID in exception message of ASN1Object
    Author: Christian Heimes; Age: 2013-11-22; Files: 1; Lines: -2/+4
* | Issue #17134: check certs of CA and ROOT system store
    Author: Christian Heimes; Age: 2013-11-22; Files: 1; Lines: -13/+14
* | or VERIFY_CRL_CHECK_LEAF to verify_flags
    Author: Christian Heimes; Age: 2013-11-22; Files: 1; Lines: -2/+2
* | Issue #17134: Finalize interface to Windows' certificate store. Cert and CRL enumeration are now two functions. enum_certificates() also returns purpose flags as set of OIDs.
    Author: Christian Heimes; Age: 2013-11-22; Files: 1; Lines: -21/+36
* | one CERT_REQUIRED is enough
    Author: Christian Heimes; Age: 2013-11-21; Files: 1; Lines: -1/+0
* | Issue #8813: Add SSLContext.verify_flags to change the verification flags of the context in order to enable certification revocation list (CRL) checks or strict X509 rules.
    Author: Christian Heimes; Age: 2013-11-21; Files: 1; Lines: -1/+62
* | Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP and CRL distribution points.
    Author: Christian Heimes; Age: 2013-11-21; Files: 1; Lines: -1/+7
* | Issue #18138: Implement cadata argument of SSLContext.load_verify_location() to load CA certificates and CRL from memory. It supports PEM and DER encoded strings.
    Author: Christian Heimes; Age: 2013-11-21; Files: 1; Lines: -2/+86
* | Issue #19448: Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
    Author: Christian Heimes; Age: 2013-11-17; Files: 1; Lines: -0/+38
* | merge with 3.3
    Author: Georg Brandl; Age: 2013-10-27; Files: 1; Lines: -6/+32
| * Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125, for security reasons. It now doesn't match multiple wildcards nor wildcards inside IDN fragments.
    Author: Georg Brandl; Age: 2013-10-27; Files: 1; Lines: -6/+32
* | Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
    Author: Antoine Pitrou; Age: 2013-09-29; Files: 1; Lines: -1/+7
* | Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
    Author: Christian Heimes; Age: 2013-08-25; Files: 1; Lines: -7/+15
| * Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
    Author: Christian Heimes; Age: 2013-08-25; Files: 1; Lines: -7/+15
* | Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork.
    A pthread_atfork() child handler is used to seed the PRNG with pid, time and some stack data.
    Author: Christian Heimes; Age: 2013-08-21; Files: 1; Lines: -0/+32
| * Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork.
    A pthread_atfork() child handler is used to seed the PRNG with pid, time and some stack data.
    Author: Christian Heimes; Age: 2013-08-21; Files: 1; Lines: -0/+32
* | Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes inside subjectAltName correctly. Formerly the module has used OpenSSL's GENERAL_NAME_print() function to get the string representation of ASN.1 strings for rfc822Name (email), dNSName (DNS) and uniformResourceIdentifier (URI).
    Author: Christian Heimes; Age: 2013-08-16; Files: 1; Lines: -0/+29
| * Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes inside subjectAltName correctly. Formerly the module has used OpenSSL's GENERAL_NAME_print() function to get the string representation of ASN.1 strings for rfc822Name (email), dNSName (DNS) and uniformResourceIdentifier (URI).
    Author: Christian Heimes; Age: 2013-08-16; Files: 1; Lines: -0/+29
* | test_ssl: use a bytestring here
    Author: Antoine Pitrou; Age: 2013-07-20; Files: 1; Lines: -1/+1