summaryrefslogtreecommitdiffstats
path: root/Modules/_ssl.c
Commit message (Collapse)AuthorAgeFilesLines
* bpo-30622: Fix backport of NPN fix (#6102)Christian Heimes2018-03-281-1/+1
| | | | | Fix backport a79591cf of bpo-30622 to 3.6 branch. Signed-off-by: Christian Heimes <christian@python.org>
* [3.6] bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (GH-5876) (#5881)Christian Heimes2018-02-251-19/+24
| | | | | | Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 29eab55309b9f78b79074d26db16a44e7841c639) Co-authored-by: Christian Heimes <christian@python.org>
* [3.6] bpo-30622: Improve NPN support detection (GH-5859) (#5861)Christian Heimes2018-02-251-8/+21
| | | | | | | | | The ssl module now detects missing NPN support in LibreSSL. Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org> Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-32185: Don't send IP in SNI TLS extension (#5865)Christian Heimes2018-02-251-2/+40
| | | | | | The SSL module no longer sends IP addresses in SNI TLS extension on platforms with OpenSSL 1.0.2+ or inet_pton. Signed-off-by: Christian Heimes <christian@python.org>
* [3.6] completly -> completely (GH-3999) (closes bpo-31788) (#4008)Miss Islington (bot)2017-10-151-1/+1
| | | (cherry picked from commit 1295e11d397c6138427296d5f9653a9e7dd69062)
* [3.6] _ssl_: Fix compiler warning (GH-3559) (#3569)Christian Heimes2017-09-141-0/+6
| | | | | | | | Cast Py_buffer.len (Py_ssize_t, signed) to size_t (unsigned) to prevent the following warning: Modules/_ssl.c:3089:21: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]. (cherry picked from commit 5a61559fb0776a9a0f08294ec9003cea13940430)
* [3.6] bpo-31400: Improve SSL error handling on Windows (GH-3463) (#3466)Christian Heimes2017-09-091-10/+47
| | | | | | * bpo-31392: Improve SSL error handling on Windows * Remove unnecessary Windows mention in NEWS. (cherry picked from commit e6eb48c10dc389d1d70657593de6a6cb3087d3d1)
* [3.6] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3444)Christian Heimes2017-09-081-0/+13
| | | | | | | | | | | | | | | | * bpo-29136: Add TLS 1.3 support TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites. Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
* [3.6] bpo-28958: Improve SSLContext error reporting. (GH-3414) (#3432)Christian Heimes2017-09-071-2/+1
| | | | Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 17c9ac9)
* [3.6] bpo-29781: Fix SSLObject.version before handshake (GH-3364) (#3381)Christian Heimes2017-09-061-0/+4
| | | | | | | SSLObject.version() now correctly returns None when handshake over BIO has not been performed yet. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 6877111)
* [3.6] bpo-29334: Fix ssl.getpeercert for auto-handshake (GH-1769) (#1778)Christian Heimes2017-09-051-21/+12
| | | | | | | | | | | | | Drop handshake_done and peer_cert members from PySSLSocket struct. The peer certificate can be acquired from *SSL directly. SSL_get_peer_certificate() does not trigger any network activity. Instead of manually tracking the handshake state, simply use SSL_is_init_finished(). In combination these changes fix auto-handshake for non-blocking MemoryBIO connections. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 66dc33b6822be93f85d84d24d3f9159ff568fbbb)
* [3.6] bpo-30502: Fix handling of long oids in ssl. (GH-2909) (#3321)Christian Heimes2017-09-051-43/+47
| | | (cherry picked from commit e503ca52889bf66ac502702569e726caa7970299)
* [3.6] bpo-30102: Call OPENSSL_add_all_algorithms_noconf (GH-3112) (#3342)Christian Heimes2017-09-051-1/+5
| | | | | | | | | The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on OpenSSL < 1.1.0. The function detects CPU features and enables optimizations on some CPU architectures such as POWER8. Patch is based on research from Gustavo Serra Scalet. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit c941e62)
* [3.6] bpo-30622: Change NPN detection: (GH-2079) (#3314)Christian Heimes2017-09-051-7/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Change NPN detection: Version breakdown, support disabled (pre-patch/post-patch): - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will be defined -> True/False Version breakdown support enabled (pre-patch/post-patch): - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True * Refine NPN guard: - If NPN is disabled, but ALPN is available we need our callback - Make clinic's ssl behave the same way This created a working ssl module for me, with NPN disabled and ALPN enabled for OpenSSL 1.1.0f. Concerns to address: The initial commit for NPN support into OpenSSL [1], had the OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG guard. The question is if that ever made it into a release. This would need an ugly hack, something like: GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \ !defined(OPENSSL_NPN_NEGOTIATED) GH- define OPENSSL_NPN_UNSUPPORTED 0 GH- define OPENSSL_NPN_NEGOTIATED 1 GH- define OPENSSL_NPN_NO_OVERLAP 2 GH-endif [1] https://github.com/openssl/openssl/commit/68b33cc5c7 (cherry picked from commit b2d096b)
* bpo-31095: fix potential crash during GC (GH-3195)INADA Naoki2017-09-041-0/+3
| | | (cherry picked from commit a6296d34a478b4f697ea9db798146195075d496c)
* [3.6] Regenerate Argument Clinic code for bpo-19180. (GH-2073). (#2077)Serhiy Storchaka2017-06-101-1/+1
| | | | (cherry picked from commit 5f31d5cf6efa8c304d352e34f9f2a1ed0074298e)
* [3.6] bpo-19180: Updated references for RFC 1750, RFC 3280 & RFC 4366Nick Coghlan2017-06-091-1/+1
| | | | | | * RFC 1750 has been been obsoleted by RFC 4086. * RFC 3280 has been obsoleted by RFC 5280. * RFC 4366 has been obsoleted by RFC 6066. (cherry picked from commit 63c2c8ac17750ba2be2cfc4e339cae1f4edee54f)
* [3.6] bpo-30594: Fixed refcounting in newPySSLSocket (GH-1992) (#1994)Nathaniel J. Smith2017-06-081-2/+1
| | | | If pass a server_hostname= that fails IDNA decoding to SSLContext.wrap_socket or SSLContext.wrap_bio, then the SSLContext object had a spurious Py_DECREF called on it, eventually leading to segfaults. (cherry picked from commit 65ece7ca2366308fa91a39a8dfa255e6bdce3cca)
* [3.6] bpo-29738: Fix memory leak in _get_crl_dp (GH-526) (GH-1142)Mariatta2017-04-151-7/+1
| | | | | | | | | * Remove conditional on free of `dps`, since `dps` is now allocated for all versions of OpenSSL * Remove call to `x509_check_ca` since it was only used to cache the `crldp` field of the certificate CRL_DIST_POINTS_free is available in all supported versions of OpenSSL (recent 0.9.8+) and LibreSSL. (cherry picked from commit 2849cc34a8db93d448a62d69c462402347b50dcb)
* bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (#397)Donald Stufft2017-03-021-2/+2
|
* TypoChristian Heimes2016-09-241-1/+1
|
* Finish GC code for SSLSession and increase test coverageChristian Heimes2016-09-241-4/+9
|
* Issue #28188: Use PyMem_Calloc() to get rid of a type-limits warning and an ↵Christian Heimes2016-09-131-3/+2
| | | | extra memset() call in _ssl.c.
* Issue #27866: Fix refleak in cipher_to_dict()Victor Stinner2016-09-121-12/+1
|
* Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContextChristian Heimes2016-09-111-21/+59
|
* Issue #19500: Add client-side SSL session resumption to the ssl module.Christian Heimes2016-09-101-2/+370
|
* Issue 28043: SSLContext has improved default settingsChristian Heimes2016-09-101-0/+31
| | | | The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
* Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name ↵Christian Heimes2016-09-061-1/+34
|\ | | | | | | fields in X.509 certs.
| * Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name ↵Christian Heimes2016-09-061-1/+34
| | | | | | | | fields in X.509 certs.
* | Issue #26470: Use short name rather than name for compression name to fix ↵Christian Heimes2016-09-051-6/+1
|\ \ | |/ | | | | #27958.
| * Issue #26470: Use short name rather than name for compression name to fix ↵Christian Heimes2016-09-051-6/+1
| | | | | | | | #27958.
* | Issue #27866: Add SSLContext.get_ciphers() method to get a list of all ↵Christian Heimes2016-09-051-0/+117
| | | | | | | | enabled ciphers.
* | Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-45/+136
|\ \ | |/
| * Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-45/+136
| |
* | merge 3.5 (#27773)Benjamin Peterson2016-08-161-6/+4
|\ \ | |/
| * fix corner cases in the management of server_hostname (closes #27773)Benjamin Peterson2016-08-161-6/+4
| |
* | Merge 3.5 (INVALID_SOCKET)Victor Stinner2016-07-221-2/+6
|\ \ | |/
| * socket: use INVALID_SOCKETVictor Stinner2016-07-221-2/+6
| | | | | | | | | | | | | | | | * Replace "fd = -1" with "fd = INVALID_SOCKET" * Replace "fd < 0" with "fd == INVALID_SOCKET": SOCKET_T is unsigned on Windows Bug found by Pavel Belikov ("Fragment N1"): http://www.viva64.com/en/b/0414/#ID0ECDAE
* | Issue #23804: Merge SSL recv() fix from 3.5Martin Panter2016-07-111-0/+8
|\ \ | |/
| * Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOFMartin Panter2016-07-111-0/+8
| |
* | - Issue #27332: Fixed the type of the first argument of module-level functionsSerhiy Storchaka2016-07-071-22/+22
|\ \ | |/ | | | | generated by Argument Clinic. Patch by Petr Viktorin.
| * Issue #27332: Fixed the type of the first argument of module-level functionsSerhiy Storchaka2016-07-071-22/+22
| | | | | | | | generated by Argument Clinic. Patch by Petr Viktorin.
* | merge 3.5 (#24557)Benjamin Peterson2016-07-071-2/+2
|\ \ | |/
| * assume egd unless OPENSSL_NO_EGD is defined—remove configure check (closes ↵Benjamin Peterson2016-07-071-2/+2
| | | | | | | | #24557)
* | Fix unused variable 'libver' warning in Modules/_ssl.cBerker Peksag2016-04-141-0/+2
|\ \ | |/ | | | | | | | | | | | | | | It can be seen on various buildbots like 3.x.cea-indiana-amd64 and 3.x.murray-snowleopard: /export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver' /Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
| * Fix unused variable 'libver' warning in Modules/_ssl.cBerker Peksag2016-04-141-0/+2
| | | | | | | | | | | | | | | | | | It can be seen on various buildbots like 3.x.cea-indiana-amd64 and 3.x.murray-snowleopard: /export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver' /Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
* | Issue #26200: Added Py_SETREF and replaced Py_XSETREF with Py_SETREFSerhiy Storchaka2016-04-101-1/+1
|\ \ | |/ | | | | in places where Py_DECREF was used.
| * Issue #26200: Added Py_SETREF and replaced Py_XSETREF with Py_SETREFSerhiy Storchaka2016-04-101-1/+1
| | | | | | | | in places where Py_DECREF was used.
* | Issue #22570: Renamed Py_SETREF to Py_XSETREF.Serhiy Storchaka2016-04-061-2/+2
|\ \ | |/
| * Issue #22570: Renamed Py_SETREF to Py_XSETREF.Serhiy Storchaka2016-04-061-2/+2
| |
generated by cgit v0.12 at 2025-09-04 13:56:53 (GMT)