summaryrefslogtreecommitdiffstats
path: root/Modules/_ssl.c
Commit message (Collapse)AuthorAgeFilesLines
* [2.7] bpo-35264: Modules/_ssl.c: fix build with OpenSSL 1.1.0 (GH-10570)Alexandru Ardelean2019-09-111-2/+2
| | | | | | | | | | | | | | | Fixes a build error with OpenSSL 1.1.0. There is already code in the `_ssl.c` that handles all the weird cases of the NPN config macros (with various OpenSSL & LibreSSL versions). That code will provide a HAVE_NPN variable, which should be used in the rest of the code to check whether (or what) to compile regarding NPN. This change adds HAVE_NPN in the remaining places where it should have been placed. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com> https://bugs.python.org/issue35264
* [2.7] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761) (GH-11876)stratakis2019-02-151-0/+4
| | | | | | | | | | | | | | | Backport of TLS 1.3 related fixes from 3.7. Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2. OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826)
* [2.7] bpo-28043: improved default settings for SSLContext (GH-10608)stratakis2019-02-151-0/+31
| | | | | | | | | The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2). (cherry picked from commit 358cfd426ccc0fcd6a7940d306602138e76420ae)
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569)Miss Islington (bot)2019-01-151-0/+4
| | | | | | | | | | | | Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue35746 (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) Co-authored-by: Christian Heimes <christian@python.org>
* [2.7] bpo-34710: fix SSL module build (GH-9347) (GH-9353)Christian Heimes2018-09-171-0/+1
| | | | | | | | | | | | Include ``openssl/dh.h`` header file to fix implicit function declaration of ``DH_free()``. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>. (cherry picked from commit b3a271fc0ce3e13e427be8914decfc205a220ca8) Co-authored-by: Alexandru Ardelean <ardeleanalex@gmail.com> https://bugs.python.org/issue34710
* [2.7] bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210) (GH-6215)Christian Heimes2018-03-241-8/+16
| | | | | | | | | | | | | LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7. Documentation updates and fixes for failing tests will be provided in another patch set. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 4ca0739c9d97ac7cd45499e0d31be68dc659d0e1) Co-authored-by: Christian Heimes <christian@python.org>
* [2.7] bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (GH-5876) (#5882)Christian Heimes2018-02-251-21/+26
| | | | | | Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 29eab55309b9f78b79074d26db16a44e7841c639) Co-authored-by: Christian Heimes <christian@python.org>
* Fix ssl module, Python 2.7 doesn't have Py_MAX (#5878)Christian Heimes2018-02-251-1/+2
| | | Signed-off-by: Christian Heimes <christian@python.org>
* [2.7] bpo-30622: Improve NPN support detection (GH-5859) (#5863)Christian Heimes2018-02-251-7/+20
| | | | | | | | | The ssl module now detects missing NPN support in LibreSSL. Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org> Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a) Co-authored-by: Christian Heimes <christian@python.org>
* [2.7] bpo-32185: Don't send IP in SNI TLS extension (GH-5865) (#5871)Miss Islington (bot)2018-02-251-2/+40
| | | | | | | | | The SSL module no longer sends IP addresses in SNI TLS extension on platforms with OpenSSL 1.0.2+ or inet_pton. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit e9370a47389903bb72badc95032ec84a0ebbf8cc) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-25404: SSLContext.load_dh_params() non-ASCII path (GH-3459)Christian Heimes2018-02-251-4/+17
| | | | | SSLContext.load_dh_params() now supports non-ASCII path. Signed-off-by: Christian Heimes <christian@python.org>
* [2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446)Christian Heimes2017-09-081-0/+13
| | | | | | | | | | | | | | | | * bpo-29136: Add TLS 1.3 support TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites. Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
* [2.7] bpo-28958: Improve SSLContext error reporting. (GH-3414) (#3433)Christian Heimes2017-09-071-2/+1
| | | | Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 17c9ac9)
* [2.7] bpo-30502: Fix handling of long oids in ssl. (GH-2909). (#3322)Christian Heimes2017-09-051-41/+48
| | | (cherry picked from commit e503ca52889bf66ac502702569e726caa7970299)
* [2.7] bpo-30102: Call OPENSSL_add_all_algorithms_noconf (GH-3112) (#3343)Christian Heimes2017-09-051-1/+5
| | | | | | | | | The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on OpenSSL < 1.1.0. The function detects CPU features and enables optimizations on some CPU architectures such as POWER8. Patch is based on research from Gustavo Serra Scalet. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit c941e62)
* [2.7] bpo-30622: Change NPN detection: (GH-2079) (#3316)Christian Heimes2017-09-041-7/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Change NPN detection: Version breakdown, support disabled (pre-patch/post-patch): - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will be defined -> True/False Version breakdown support enabled (pre-patch/post-patch): - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True * Refine NPN guard: - If NPN is disabled, but ALPN is available we need our callback - Make clinic's ssl behave the same way This created a working ssl module for me, with NPN disabled and ALPN enabled for OpenSSL 1.1.0f. Concerns to address: The initial commit for NPN support into OpenSSL [1], had the OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG guard. The question is if that ever made it into a release. This would need an ugly hack, something like: GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \ !defined(OPENSSL_NPN_NEGOTIATED) GH- define OPENSSL_NPN_UNSUPPORTED 0 GH- define OPENSSL_NPN_NEGOTIATED 1 GH- define OPENSSL_NPN_NO_OVERLAP 2 GH-endif [1] https://github.com/openssl/openssl/commit/68b33cc5c7. (cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8)
* bpo-31095: Fix potential crash during GC (GH-3197)INADA Naoki2017-09-041-0/+2
| | | (cherry picked from commit a6296d34a478b4f697ea9db798146195075d496c)
* [2.7] bpo-29738: Fix memory leak in _get_crl_dp (GH-526) (GH-1144)Mariatta2017-04-151-7/+1
| | | | | | | | | * Remove conditional on free of `dps`, since `dps` is now allocated for all versions of OpenSSL * Remove call to `x509_check_ca` since it was only used to cache the `crldp` field of the certificate CRL_DIST_POINTS_free is available in all supported versions of OpenSSL (recent 0.9.8+) and LibreSSL. (cherry picked from commit 2849cc34a8db93d448a62d69c462402347b50dcb)
* bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399)Donald Stufft2017-03-021-2/+2
|
* Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name ↵Christian Heimes2016-09-061-1/+34
| | | | fields in X.509 certs.
* Issue #26470: Use short name rather than name for compression name to fix ↵Christian Heimes2016-09-051-6/+1
| | | | #27958.
* Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-41/+131
|
* Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOFMartin Panter2016-07-111-0/+8
|
* assume egd unless OPENSSL_NO_EGD is defined—remove configure check (closes ↵Benjamin Peterson2016-07-071-3/+3
| | | | #24557)
* fix leak of keyfile_bytesBenjamin Peterson2016-06-091-0/+1
|
* stop leaking certfile_bytes (closes #27267)Benjamin Peterson2016-06-091-0/+1
|
* Issue #26200: Added Py_SETREF and replaced Py_XSETREF with Py_SETREFSerhiy Storchaka2016-04-101-1/+1
| | | | in places where Py_DECREF was used.
* Issue #22570: Renamed Py_SETREF to Py_XSETREF.Serhiy Storchaka2016-04-061-1/+1
|
* Issue #26644: Raise ValueError for negative SSLSocket.recv() and read()Martin Panter2016-03-271-0/+4
|
* open the cert store readonlyBenjamin Peterson2016-02-181-2/+6
| | | | Patch from Chi Hsuan Yen.
* Issue #20440: Massive replacing unsafe attribute setting code with specialSerhiy Storchaka2015-12-241-2/+1
| | | | macro Py_SETREF.
* rm trailing wsBenjamin Peterson2015-11-141-1/+1
|
* fix possible memory lea k in _get_aia_uri (closes #25578)Benjamin Peterson2015-11-141-1/+4
|
* fix build with older openssl (#25569)Benjamin Peterson2015-11-141-1/+1
|
* always set OP_NO_SSLv3 by default (closes #25530)Benjamin Peterson2015-11-121-0/+2
|
* fix memory leak in _get_crl_dp (closes #25569)Benjamin Peterson2015-11-121-28/+24
| | | | Patch started by Stéphane Wirtel.
* Issue #25523: Backported a-to-an corrections.Serhiy Storchaka2015-11-021-1/+1
|
* improve style of the convert macro (#24655)Benjamin Peterson2015-07-181-7/+7
| | | | Patch by Brian Cain.
* remove extra arguments in arg parsing format codes (closes #23875)Benjamin Peterson2015-04-061-2/+2
|
* expose X509_V_FLAG_TRUSTED_FIRSTBenjamin Peterson2015-03-051-0/+4
|
* enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)Benjamin Peterson2015-03-051-0/+9
|
* Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the ↵Antoine Pitrou2015-03-041-20/+0
| | | | SSL layer but the underlying connection hasn't been closed.
* Issue #23446: Use PyMem_New instead of PyMem_Malloc to avoid possible integerSerhiy Storchaka2015-02-161-3/+4
| | | | overflows. Added few missed PyErr_NoMemory().
* ifdef our way to compatibility with old openssl (closes #23335)Benjamin Peterson2015-01-281-1/+1
|
* disable ALPN on LibreSSL, which has a large version number, but not ALPN ↵Benjamin Peterson2015-01-271-1/+1
| | | | support (closes #23329)
* prefer server alpn ordering over the client'sBenjamin Peterson2015-01-231-13/+20
|
* pep 466 backport of alpn (#20188)Benjamin Peterson2015-01-231-22/+110
|
* Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. TheVictor Stinner2015-01-061-3/+10
| | | | | availability of the function is checked during the compilation. Patch written by Bernard Spil.
* allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935)Benjamin Peterson2014-12-061-0/+4
| | | | Patch by Kurt Roeckx.
* allow hostname to be passed to SSLContext even if OpenSSL doesn't support ↵Benjamin Peterson2014-11-241-6/+0
| | | | | | SNI (closes #22921) Patch from Donald Stufft.
generated by cgit v0.12 at 2026-01-04 02:47:52 (GMT)