mirror of https://github.com/python/cpython
bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817)
Signed-off-by: Christian Heimes <christian@python.org>
parent 60ce8f0be6
commit d8389e3e50
|
@ -1358,6 +1358,10 @@ SSL sockets also have the following additional methods and attributes:
|
|||
|
||||
.. versionadded:: 3.3
|
||||
|
||||
.. deprecated:: 3.10
|
||||
|
||||
NPN has been superseded by ALPN
|
||||
|
||||
.. method:: SSLSocket.unwrap()
|
||||
|
||||
Performs the SSL shutdown handshake, which removes the TLS layer from the
|
||||
|
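Review bot: the new `.. deprecated:: 3.10` note says only "NPN has been superseded by ALPN", which names the replacement protocol but not the replacement API. Consider pointing to :meth:`SSLSocket.selected_alpn_protocol` in the same sentence so readers who hit the warning know what to call instead, and end the sentence with a period.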
@ -1714,6 +1718,10 @@ to speed up repeated connections from the same clients.
|
|||
|
||||
.. versionadded:: 3.3
|
||||
|
||||
.. deprecated:: 3.10
|
||||
|
||||
NPN has been superseded by ALPN
|
||||
|
||||
.. attribute:: SSLContext.sni_callback
|
||||
|
||||
Register a callback function that will be called after the TLS Client Hello
|
||||
|
|
|
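Review bot: this second `.. deprecated:: 3.10` note repeats "NPN has been superseded by ALPN" without a cross-reference, so the SSLContext documentation gives no migration target. A link to :meth:`SSLContext.set_alpn_protocols` would make the note actionable. The sentence is also missing its closing period, here and in the earlier hunk.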
@ -974,6 +974,26 @@ Added the *root_dir* and *dir_fd* parameters in :func:`~glob.glob` and
|
|||
:func:`~glob.iglob` which allow to specify the root directory for searching.
|
||||
(Contributed by Serhiy Storchaka in :issue:`38144`.)
|
||||
|
||||
hashlib
|
||||
-------
|
||||
|
||||
The hashlib module requires OpenSSL 1.1.1 or newer.
|
||||
(Contributed by Christian Heimes in :pep:`644` and :issue:`43669`.)
|
||||
|
||||
The hashlib module has preliminary support for OpenSSL 3.0.0.
|
||||
(Contributed by Christian Heimes in :issue:`38820` and other issues.)
|
||||
|
||||
The pure-Python fallback of :func:`~hashlib.pbkdf2_hmac` is deprecated. In
|
||||
the future PBKDF2-HMAC will only be available when Python has been built with
|
||||
OpenSSL support.
|
||||
(Contributed by Christian Heimes in :issue:`43880`.)
|
||||
|
||||
hmac
|
||||
----
|
||||
|
||||
The hmac module now uses OpenSSL's HMAC implementation internally.
|
||||
(Contributed by Christian Heimes in :issue:`40645`.)
|
||||
|
||||
importlib.metadata
|
||||
------------------
|
||||
|
||||
|
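Review bot: the :func:`~hashlib.pbkdf2_hmac` entry says the pure-Python fallback is deprecated and that "In the future PBKDF2-HMAC will only be available" with OpenSSL, but gives no release for the removal and does not say whether calling the fallback emits a :exc:`DeprecationWarning`. If the removal release is decided, name it; otherwise say that it is not yet scheduled. The hmac entry ("now uses OpenSSL's HMAC implementation internally") is stated unconditionally, so it is worth confirming that it holds for every *digestmod* argument, or qualifying it.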
@ -1109,6 +1129,30 @@ Added option to create MPTCP sockets with ``IPPROTO_MPTCP``
|
|||
ssl
|
||||
---
|
||||
|
||||
The ssl module requires OpenSSL 1.1.1 or newer.
|
||||
(Contributed by Christian Heimes in :pep:`644` and :issue:`43669`.)
|
||||
|
||||
The ssl module has preliminary support for OpenSSL 3.0.0 and new option
|
||||
:data:`~ssl.OP_IGNORE_UNEXPECTED_EOF`.
|
||||
(Contributed by Christian Heimes in :issue:`38820`, :issue:`43794`,
|
||||
:issue:`43788`, :issue:`43791`, :issue:`43799`, :issue:`43920`,
|
||||
:issue:`43789`, and :issue:`43811`.)
|
||||
|
||||
Deprecated function and use of deprecated constants now result in
|
||||
a :exc:`DeprecationWarning`. The following features have been deprecated
|
||||
since Python 3.6, Python 3.7, or OpenSSL 1.1.0:
|
||||
:data:`~ssl.OP_NO_SSLv2`, :data:`~ssl.OP_NO_SSLv3`, :data:`~ssl.OP_NO_TLSv1`,
|
||||
:data:`~ssl.OP_NO_TLSv1_1`, :data:`~ssl.OP_NO_TLSv1_2`,
|
||||
:data:`~ssl.OP_NO_TLSv1_3`, :data:`~ssl.PROTOCOL_SSLv2`,
|
||||
:data:`~ssl.PROTOCOL_SSLv3`, :data:`~ssl.PROTOCOL_SSLv23`,
|
||||
:data:`~ssl.PROTOCOL_TLSv1`, :data:`~ssl.PROTOCOL_TLSv1_1`,
|
||||
:data:`~ssl.PROTOCOL_TLSv1_2`, :data:`~ssl.PROTOCOL_TLS`,
|
||||
:func:`~ssl.wrap_socket`, :func:`~ssl.match_hostname`,
|
||||
:func:`~ssl.RAND_pseudo_bytes`, :func:`~ssl.RAND_egd`,
|
||||
:meth:`ssl.SSLSocket.selected_npn_protocol`,
|
||||
:meth:`ssl.SSLContext.set_npn_protocols`.
|
||||
(Contributed by Christian Heimes in :issue:`43880`.)
|
||||
|
||||
The ssl module now has more secure default settings. Ciphers without forward
|
||||
secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
|
||||
weak RSA, DH, and ECC keys with less than 112 bits of security.
|
||||
|
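Review bot: the deprecation paragraph lists the constants and functions that now raise :exc:`DeprecationWarning` but names no replacement for any of them, which invites users to silence the warning rather than migrate. Consider adding the migration targets or a link to the deprecation notes in the ssl documentation: :attr:`SSLContext.minimum_version` and :attr:`SSLContext.maximum_version` for the `OP_NO_*` flags, :data:`~ssl.PROTOCOL_TLS_CLIENT` and :data:`~ssl.PROTOCOL_TLS_SERVER` for the `PROTOCOL_*` constants, and :meth:`SSLContext.wrap_socket` for :func:`~ssl.wrap_socket`. Two wording points in the same paragraph: "Deprecated function and use of deprecated constants" should read "Deprecated functions and use of deprecated constants", and "since Python 3.6, Python 3.7, or OpenSSL 1.1.0" does not tell the reader which item was deprecated when.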
@ -1116,9 +1160,20 @@ weak RSA, DH, and ECC keys with less than 112 bits of security.
|
|||
Settings are based on Hynek Schlawack's research.
|
||||
(Contributed by Christian Heimes in :issue:`43998`.)
|
||||
|
||||
The deprecated protocols SSL 3.0, TLS 1.0, and TLS 1.1 are no longer
|
||||
officially supported. Python does not block them actively. However
|
||||
OpenSSL build options, distro configurations, vendor patches, and cipher
|
||||
suites may prevent a successful handshake.
|
||||
|
||||
Add a *timeout* parameter to the :func:`ssl.get_server_certificate` function.
|
||||
(Contributed by Zackery Spytz in :issue:`31870`.)
|
||||
|
||||
The ssl module uses heap-types and multi-phase initialization.
|
||||
(Contributed by Christian Heimes in :issue:`42333`.)
|
||||
|
||||
A new verify flag :data:`~ssl.VERIFY_X509_PARTIAL_CHAIN` has been added.
|
||||
(Contributed by l0x in :issue:`40849`.)
|
||||
|
||||
sqlite3
|
||||
-------
|
||||
|
||||
|
|
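Review bot: the paragraph on SSL 3.0, TLS 1.0, and TLS 1.1 says "Python does not block them actively", which leaves the reader unsure whether a default context will still negotiate them, and unlike the neighbouring entries it carries no issue reference. Consider stating how to reject them explicitly (setting :attr:`SSLContext.minimum_version` to `TLSVersion.TLSv1_2`) and adding the "(Contributed by ...)" line. "However" needs a comma after it. The :data:`~ssl.VERIFY_X509_PARTIAL_CHAIN` entry would also benefit from a short clause saying what the flag changes in chain verification, since it affects which certificates are accepted as trust anchors.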