mirror of https://github.com/python/cpython
bpo-41195: Add getter for Openssl security level (GH-21282)
Add an accessor under SSLContext.security_level as a wrapper around SSL_CTX_get_security_level, see: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html ------ This is my first time contributing, so please pull me up on all the things I missed or did incorrectly. Automerge-Triggered-By: @tiran
This commit is contained in:
parent
38d3864efe
commit
8e836bb21c
|
@ -2032,6 +2032,16 @@ to speed up repeated connections from the same clients.
|
|||
|
||||
.. versionadded:: 3.7
|
||||
|
||||
.. attribute:: SSLContext.security_level
|
||||
|
||||
An integer representing the `security level
|
||||
<https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>`_
|
||||
for the context. This attribute is read-only.
|
||||
|
||||
.. availability:: OpenSSL 1.1.0 or newer
|
||||
|
||||
.. versionadded:: 3.10
|
||||
|
||||
.. attribute:: SSLContext.verify_flags
|
||||
|
||||
The flags for certificate verification operations. You can set flags like
|
||||
|
|
|
@ -1270,6 +1270,25 @@ class ContextTests(unittest.TestCase):
|
|||
ctx.maximum_version = ssl.TLSVersion.TLSv1
|
||||
|
||||
|
||||
@unittest.skipUnless(
|
||||
hasattr(ssl.SSLContext, 'security_level'),
|
||||
"requires OpenSSL >= 1.1.0"
|
||||
)
|
||||
def test_security_level(self):
|
||||
ctx = ssl.SSLContext()
|
||||
# The default security callback allows for levels between 0-5
|
||||
# with OpenSSL defaulting to 1, however some vendors override the
|
||||
# default value (e.g. Debian defaults to 2)
|
||||
security_level_range = {
|
||||
0,
|
||||
1, # OpenSSL default
|
||||
2, # Debian
|
||||
3,
|
||||
4,
|
||||
5,
|
||||
}
|
||||
self.assertIn(ctx.security_level, security_level_range)
|
||||
|
||||
@unittest.skipUnless(have_verify_flags(),
|
||||
"verify_flags need OpenSSL > 0.9.8")
|
||||
def test_verify_flags(self):
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
Add read-only ssl.SSLContext.security_level attribute to retrieve the
|
||||
context's security level.
|
|
@ -3746,6 +3746,15 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc,
|
|||
"Control the number of TLSv1.3 session tickets");
|
||||
#endif /* OpenSSL 1.1.1 */
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
static PyObject *
|
||||
get_security_level(PySSLContext *self, void *c)
|
||||
{
|
||||
return PyLong_FromLong(SSL_CTX_get_security_level(self->ctx));
|
||||
}
|
||||
PyDoc_STRVAR(PySSLContext_security_level_doc, "The current security level");
|
||||
#endif /* OpenSSL 1.1.0 */
|
||||
|
||||
static PyObject *
|
||||
get_options(PySSLContext *self, void *c)
|
||||
{
|
||||
|
@ -4793,6 +4802,10 @@ static PyGetSetDef context_getsetlist[] = {
|
|||
(setter) set_verify_flags, NULL},
|
||||
{"verify_mode", (getter) get_verify_mode,
|
||||
(setter) set_verify_mode, NULL},
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
{"security_level", (getter) get_security_level,
|
||||
NULL, PySSLContext_security_level_doc},
|
||||
#endif
|
||||
{NULL}, /* sentinel */
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in New Issue