| Graph | Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| * | Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The availability of the function is checked during the compilation. Patch written by Bernard Spil. | Victor Stinner | 2015-01-06 | 1 | -2/+3 |
| * | Issue #22935: Fix test_ssl when the SSLv3 protocol is not supported | Victor Stinner | 2014-12-12 | 1 | -1/+2 |
| * | allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935). Patch by Kurt Roeckx. | Benjamin Peterson | 2014-12-06 | 1 | -7/+16 |
| * | don't require OpenSSL SNI to pass hostname to ssl functions (#22921). Patch by Donald Stufft. | Benjamin Peterson | 2014-11-23 | 1 | -6/+2 |
| * | test that keyfile can be None | Benjamin Peterson | 2014-11-04 | 1 | -1/+1 |
| * | PEP 476: enable HTTPS certificate verification by default (#22417). Patch by Alex Gaynor with some modifications by me. | Benjamin Peterson | 2014-11-03 | 1 | -3/+4 |
| * | separate cert loading tests into Windows and non-Windows cases | Benjamin Peterson | 2014-10-03 | 1 | -0/+15 |
| * | also use openssl envvars to find certs on windows (closes #22449). Patch by Christian Heimes and Alex Gaynor. | Benjamin Peterson | 2014-10-03 | 1 | -0/+8 |
| * | Issue #21976: Fix test_ssl to accept LibreSSL version strings. Thanks to William Orr. | Antoine Pitrou | 2014-07-21 | 1 | -6/+10 |
| * | Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015 | Antoine Pitrou | 2014-04-16 | 1 | -1/+6 |
| * | Issue #21013: Enhance ssl.create_default_context() for server side contexts. Closes #21013 by modifying ssl.create_default_context() to: * Move the restricted ciphers to only apply when using ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not is the lack of RC4 in the restricted. However there are servers that exist that only expose RC4 still. * Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context will select TLS1.1 or TLS1.2 if it is available. * Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets. * Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDH_USE to improve the security of the perfect forward secrecy. * Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side socket the context will prioritize our ciphers which have been carefully selected to maximize security and performance. * Documents the failure conditions when a SSL3.0 connection is required so that end users can more easily determine if they need to unset ssl.OP_NO_SSLv3. | Donald Stufft | 2014-03-23 | 1 | -3/+23 |
| * | Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1". (should also fix a buildbot failure introduced by #20995) | Antoine Pitrou | 2014-03-22 | 1 | -0/+12 |
| * | merge 3.3 (#20896) | Benjamin Peterson | 2014-03-12 | 1 | -3/+8 |
| * | Try to fix test_ssl failures on some buildbots | Antoine Pitrou | 2014-01-09 | 1 | -2/+2 |
| \| * | Try to fix test_ssl failures on some buildbots | Antoine Pitrou | 2014-01-09 | 1 | -2/+2 |
| * \| | Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. | Antoine Pitrou | 2014-01-09 | 1 | -6/+4 |
| \| * | Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. | Antoine Pitrou | 2014-01-09 | 1 | -6/+4 |
| * \| | Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. | Antoine Pitrou | 2013-12-28 | 1 | -0/+11 |
| \| * | Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. | Antoine Pitrou | 2013-12-28 | 1 | -0/+12 |
| * \| | (Merge 3.3) Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a ValueError if num is negative (instead of raising a SystemError). | Victor Stinner | 2013-12-19 | 1 | -0/+4 |
| \| * | Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a ValueError if num is negative (instead of raising a SystemError). | Victor Stinner | 2013-12-19 | 1 | -0/+4 |
| * \| | Issue #19919: Fix flaky SSL test. connect_ex() sometimes returns EWOULDBLOCK on Windows or VMs hosted on Windows. | Christian Heimes | 2013-12-16 | 1 | -2/+4 |
| \| * | Issue #19919: Fix flaky SSL test. connect_ex() sometimes returns EWOULDBLOCK on Windows or VMs hosted on Windows. | Christian Heimes | 2013-12-16 | 1 | -2/+4 |
| * \| | test_ssl: skip tests when SNI is not available | Christian Heimes | 2013-12-15 | 1 | -0/+2 |
| * \| | Test SSLSock's context getter and setter | Christian Heimes | 2013-12-05 | 1 | -0/+14 |
| * \| | add check_hostname arg to ssl._create_stdlib_context() | Christian Heimes | 2013-12-02 | 1 | -1/+3 |
| * \| | Issue #19509: Add SSLContext.check_hostname to match the peer's certificate with server_hostname on handshake. | Christian Heimes | 2013-12-02 | 1 | -0/+62 |
| * \| | Issue #19735: Implement private function ssl._create_stdlib_context() to create SSLContext objects in Python's stdlib module. It provides a single configuration point and makes use of SSLContext.load_default_certs(). | Christian Heimes | 2013-11-23 | 1 | -0/+21 |
| * \| | Issue #19689: Add ssl.create_default_context() factory function. It creates a new SSLContext object with secure default settings. | Christian Heimes | 2013-11-23 | 1 | -0/+20 |
| * \| | Issue #19292: Add SSLContext.load_default_certs() to load default root CA certificates from default stores or system stores. By default the method loads CA certs for authentication of server certs. | Christian Heimes | 2013-11-23 | 1 | -0/+32 |
| * \| | Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+. The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006. | Christian Heimes | 2013-11-23 | 1 | -0/+8 |
| * \| | Issue #19448: report name / NID in exception message of ASN1Object | Christian Heimes | 2013-11-22 | 1 | -2/+4 |
| * \| | Issue #17134: check certs of CA and ROOT system store | Christian Heimes | 2013-11-22 | 1 | -13/+14 |
| * \| | or VERIFY_CRL_CHECK_LEAF to verify_flags | Christian Heimes | 2013-11-22 | 1 | -2/+2 |
| * \| | Issue #17134: Finalize interface to Windows' certificate store. Cert and CRL enumeration are now two functions. enum_certificates() also returns purpose flags as set of OIDs. | Christian Heimes | 2013-11-22 | 1 | -21/+36 |
| * \| | one CERT_REQUIRED is enough | Christian Heimes | 2013-11-21 | 1 | -1/+0 |
| * \| | Issue #8813: Add SSLContext.verify_flags to change the verification flags of the context in order to enable certificate revocation list (CRL) checks or strict X509 rules. | Christian Heimes | 2013-11-21 | 1 | -1/+62 |
| * \| | Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP and CRL distribution points. | Christian Heimes | 2013-11-21 | 1 | -1/+7 |
| * \| | Issue #18138: Implement cadata argument of SSLContext.load_verify_location() to load CA certificates and CRL from memory. It supports PEM and DER encoded strings. | Christian Heimes | 2013-11-21 | 1 | -2/+86 |
| * \| | Issue #19448: Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name. | Christian Heimes | 2013-11-17 | 1 | -0/+38 |
| * \| | merge with 3.3 | Georg Brandl | 2013-10-27 | 1 | -6/+32 |
| \| * | Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125, for security reasons. It now doesn't match multiple wildcards nor wildcards inside IDN fragments. | Georg Brandl | 2013-10-27 | 1 | -6/+32 |
| * \| | Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done. | Antoine Pitrou | 2013-09-29 | 1 | -1/+7 |
| * \| | Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger | Christian Heimes | 2013-08-25 | 1 | -7/+15 |
| \| * | Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger | Christian Heimes | 2013-08-25 | 1 | -7/+15 |
| * \| | Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork. A pthread_atfork() child handler is used to seed the PRNG with pid, time and some stack data. | Christian Heimes | 2013-08-21 | 1 | -0/+32 |
| \| * | Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork. A pthread_atfork() child handler is used to seed the PRNG with pid, time and some stack data. | Christian Heimes | 2013-08-21 | 1 | -0/+32 |
| * \| | Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes inside subjectAltName correctly. Formerly the module has used OpenSSL's GENERAL_NAME_print() function to get the string representation of ASN.1 strings for rfc822Name (email), dNSName (DNS) and uniformResourceIdentifier (URI). | Christian Heimes | 2013-08-16 | 1 | -0/+29 |
| \| * | Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes inside subjectAltName correctly. Formerly the module has used OpenSSL's GENERAL_NAME_print() function to get the string representation of ASN.1 strings for rfc822Name (email), dNSName (DNS) and uniformResourceIdentifier (URI). | Christian Heimes | 2013-08-16 | 1 | -0/+29 |
| * \| | test_ssl: use a bytestring here | Antoine Pitrou | 2013-07-20 | 1 | -1/+1 |
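The PEP 476 entry (certificate verification on by default) and the Issue #21013 / #19689 entries (ssl.create_default_context() with secure defaults) describe what a hardened client-side SSLContext looks like. The following is an added example, not code from test_ssl.py or from any of the commits above: it audits a context for the settings those commits introduced, builds a deliberately weakened context of the kind pre-PEP 476 code effectively had, and hardens it again. The function names (audit_context, findings, weak_client_context, harden_client_context) and the ordering constraints they rely on are this example's own; the constants and attributes are the public ssl module API (Python 3.7 or later is assumed).

```python
"""Added example (not CPython test code): audit and harden an SSLContext."""
import ssl


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Collect the settings a reviewer checks on a client-side context."""
    return {
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
        "no_sslv2": bool(ctx.options & ssl.OP_NO_SSLv2),
        "no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def findings(ctx: ssl.SSLContext) -> list:
    """Human-readable weaknesses; an empty list means the context passes."""
    a = audit_context(ctx)
    out = []
    if a["verify_mode"] == ssl.CERT_NONE:
        out.append("peer certificate is not verified (CERT_NONE)")
    if not a["check_hostname"]:
        out.append("hostname is not matched against the certificate")
    if not a["no_sslv3"]:
        out.append("SSLv3 is not disabled")
    if not a["no_sslv2"]:
        out.append("SSLv2 is not disabled")
    if not a["no_compression"]:
        out.append("TLS compression is not disabled")
    return out


def weak_client_context() -> ssl.SSLContext:
    """Constructed for this example: a client context with verification off.

    check_hostname has to be cleared before verify_mode can be lowered;
    doing it the other way round raises ValueError (see below).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def harden_client_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Turn a weak client context into one equivalent to the default-context
    settings: verify the chain, match the hostname, trust the system store."""
    ctx.verify_mode = ssl.CERT_REQUIRED   # set first; check_hostname needs it
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def cannot_drop_verification_while_checking_hostname() -> bool:
    """The guard that keeps a default context from being silently weakened:
    setting verify_mode = CERT_NONE while check_hostname is on is refused."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("default context:", findings(ssl.create_default_context()) or "ok")
    weak = weak_client_context()
    print("weak context:", findings(weak))
    print("hardened:", findings(harden_client_context(weak)) or "ok")
```

The audit only reads attributes, so it can be pointed at any context a library hands you (for example the one a third-party HTTP client builds) before the first connection is made.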
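Two of the entries above change how a peer certificate's names are compared with the requested hostname: Issue #17997 makes ssl.match_hostname() follow RFC 6125 (no multiple wildcards, no wildcard inside an IDN fragment), and CVE-2013-4238 concerns NUL bytes inside subjectAltName entries. The following is an added example, not CPython's ssl.match_hostname() or any code from the commits listed: a stand-alone matcher over a getpeercert()-style dict that applies those rules and refuses any name containing a NUL byte. It is stricter than the commit message describes in one respect, chosen for this example: a wildcard is also refused when only a single label follows it (so `*.com` never matches). The sample certificate dicts are constructed for the example and are not real certificates.

```python
"""Added example: RFC 6125 dNSName matching with wildcard and NUL restrictions."""
import re


class CertificateError(ValueError):
    """Raised when a name cannot be matched safely or does not match."""


def dnsname_match(presented: str, hostname: str) -> bool:
    """Match one presented dNSName against the reference hostname.

    Rules applied (RFC 6125 section 6.4.3, plus one stricter choice):
      * a NUL byte anywhere is an error, never a match;
      * at most one wildcard, and only in the left-most label;
      * no wildcard inside an IDN A-label (xn--...), on either side;
      * '*' as a whole label matches exactly one non-empty label;
      * at least two labels must follow the wildcard (stricter than the RFC).
    """
    if not presented or not hostname:
        return False
    if "\x00" in presented or "\x00" in hostname:
        # A NUL means some layer truncated the string (the CVE-2013-4238 class
        # of bug); comparing the prefix would let "good.example\x00.evil" pass.
        raise CertificateError("NUL byte in DNS name")
    if presented.count("*") > 1:
        raise CertificateError("too many wildcards in %r" % presented)
    if "*" not in presented:
        return presented.lower() == hostname.lower()

    leftmost, _, remainder = presented.partition(".")
    if "*" in remainder or "." not in remainder:
        return False   # wildcard not in left-most label, or too few labels after it
    if leftmost == "*":
        head = r"[^.]+"
    elif leftmost.startswith("xn--") or hostname.split(".", 1)[0].startswith("xn--"):
        return False   # no wildcard inside an IDN label
    else:
        head = re.escape(leftmost).replace(r"\*", r"[^.]*")   # e.g. w* -> w[^.]*
    pattern = re.compile(r"\A" + head + r"\." + re.escape(remainder) + r"\Z",
                         re.IGNORECASE)
    return pattern.match(hostname) is not None


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless hostname matches one of cert's identities.

    `cert` is shaped like SSLSocket.getpeercert(). subjectAltName dNSName
    entries are tried first; the subject commonName is consulted only when
    the certificate has no dNSName entries at all (RFC 6125 section 6.4.4).
    """
    tried = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            if dnsname_match(value, hostname):
                return
            tried.append(value)
    if not tried:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    if dnsname_match(value, hostname):
                        return
                    tried.append(value)
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(map(repr, tried)) or "any name"))


def hostname_ok(cert: dict, hostname: str) -> bool:
    """Boolean wrapper: True only when match_hostname() accepts the pair."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


def rejects(presented: str, hostname: str) -> bool:
    """True when dnsname_match() refuses to evaluate the pair at all."""
    try:
        dnsname_match(presented, hostname)
    except CertificateError:
        return True
    return False


# Constructed sample dicts in getpeercert() shape; not real certificates.
SAMPLE_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "www.example.net")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "cn.example"),),)}

if __name__ == "__main__":
    for host in ("api.example.org", "a.b.example.org", "ignored.example"):
        print(host, hostname_ok(SAMPLE_CERT, host))
```

The commonName fallback exists only for certificates with no dNSName at all; once a certificate carries SAN entries the CN is ignored, which is why `ignored.example` is refused above even though it is the subject's CN.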