Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

Issue #20896: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.

This commit is contained in:
Antoine Pitrou 2014-04-16 18:56:28 +02:00
parent 0fba0c3ebf
commit 94a5b663bf
4 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Doc/library/ssl.rst
View File

@ -387,7 +387,7 @@ Certificate handling
>>> time.ctime(ssl.cert_time_to_seconds("May 9 00:00:00 2007 GMT")) >>> time.ctime(ssl.cert_time_to_seconds("May 9 00:00:00 2007 GMT"))
'Wed May 9 00:00:00 2007' 'Wed May 9 00:00:00 2007'
.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None) .. function:: get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None)
Given the address ``addr`` of an SSL-protected server, as a (*hostname*, Given the address ``addr`` of an SSL-protected server, as a (*hostname*,
*port-number*) pair, fetches the server's certificate, and returns it as a *port-number*) pair, fetches the server's certificate, and returns it as a
@ -401,6 +401,10 @@ Certificate handling
.. versionchanged:: 3.3 .. versionchanged:: 3.3
This function is now IPv6-compatible. This function is now IPv6-compatible.
.. versionchanged:: 3.5
The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to
:data:`PROTOCOL_SSLv23` for maximum compatibility with modern servers.
.. function:: DER_cert_to_PEM_cert(DER_cert_bytes) .. function:: DER_cert_to_PEM_cert(DER_cert_bytes)
Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded

2
Lib/ssl.py
View File

@ -922,7 +922,7 @@ def PEM_cert_to_DER_cert(pem_cert_string):
d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
return base64.decodebytes(d.encode('ASCII', 'strict')) return base64.decodebytes(d.encode('ASCII', 'strict'))
def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None): def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
"""Retrieve the certificate from the server at the specified address, """Retrieve the certificate from the server at the specified address,
and return it as a PEM-encoded string. and return it as a PEM-encoded string.
If 'ca_certs' is specified, validate the server cert against it. If 'ca_certs' is specified, validate the server cert against it.

5
Lib/test/test_ssl.py
View File

@ -1371,14 +1371,12 @@ class NetworkedTests(unittest.TestCase):
def test_get_server_certificate(self): def test_get_server_certificate(self):
def _test_get_server_certificate(host, port, cert=None): def _test_get_server_certificate(host, port, cert=None):
with support.transient_internet(host): with support.transient_internet(host):
pem = ssl.get_server_certificate((host, port), pem = ssl.get_server_certificate((host, port))
ssl.PROTOCOL_SSLv23)
if not pem: if not pem:
self.fail("No server certificate on %s:%s!" % (host, port)) self.fail("No server certificate on %s:%s!" % (host, port))
try: try:
pem = ssl.get_server_certificate((host, port), pem = ssl.get_server_certificate((host, port),
ssl.PROTOCOL_SSLv23,
ca_certs=CERTFILE) ca_certs=CERTFILE)
except ssl.SSLError as x: except ssl.SSLError as x:
#should fail #should fail
@ -1388,7 +1386,6 @@ class NetworkedTests(unittest.TestCase):
self.fail("Got server certificate %s for %s:%s!" % (pem, host, port)) self.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
pem = ssl.get_server_certificate((host, port), pem = ssl.get_server_certificate((host, port),
ssl.PROTOCOL_SSLv23,
ca_certs=cert) ca_certs=cert)
if not pem: if not pem:
self.fail("No server certificate on %s:%s!" % (host, port)) self.fail("No server certificate on %s:%s!" % (host, port))

3
Misc/NEWS
View File

@ -50,6 +50,9 @@ Core and Builtins
Library Library
------- -------
- Issue #20896: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not
PROTOCOL_SSLv3, for maximum compatibility.
- Issue #21239: patch.stopall() didn't work deterministically when the same - Issue #21239: patch.stopall() didn't work deterministically when the same
name was patched more than once. name was patched more than once.