Commit Graph

124 Commits

Author SHA1 Message Date
Antoine Pitrou e6d2f159fc Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:30:51 +01:00
Antoine Pitrou 3e86ba4e32 Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:26:33 +01:00
R David Murray 748bad2cd0 Tidy up ssl whatsnew references, make ssl section formatting consistent.
Also remove some extra blank lines in the ssl doc sections for tls1.1/1.2,
and reflow a paragraph.
2013-12-20 17:08:39 -05:00
Christian Heimes 1aa9a75fbf Issue #19509: Add SSLContext.check_hostname to match the peer's certificate
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Serhiy Storchaka 0e90e99188 Issue #19795: Improved markup of True/False constants. 2013-11-29 12:19:53 +02:00
Serhiy Storchaka fbc1c26803 Issue #19795: Improved markup of True/False constants. 2013-11-29 12:17:13 +02:00
Antoine Pitrou 5bef410471 Tweak ssl docs 2013-11-23 16:16:29 +01:00
Christian Heimes 4c05b472dd Issue #19689: Add ssl.create_default_context() factory function. It creates
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes 6b2ff98df4 Correct documentation clientAuth -> CLIENT_AUTH 2013-11-23 14:42:01 +01:00
Christian Heimes 72d28500b3 Issue #19292: Add SSLContext.load_default_certs() to load default root CA
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes 2427b50fdd Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes f22e8e5426 Issue #18147: Add missing documentation for SSLContext.get_ca_certs().
Also change the argument name to the same name as getpeercert()
2013-11-22 02:22:51 +01:00
Christian Heimes 44109d7de7 Issue #17134: Finalize interface to Windows' certificate store. Cert and
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes 225877917e Issue #8813: Add SSLContext.verify_flags to change the verification flags
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes bd3a7f90b5 Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
and CRL distribution points.
2013-11-21 03:40:15 +01:00
Christian Heimes efff7060f8 Issue #18138: Implement cadata argument of SSLContext.load_verify_location()
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
Antoine Pitrou 6b2b084192 Issue #19508: direct the user to read the security considerations for the ssl module 2013-11-17 15:36:03 +01:00
Antoine Pitrou 9eefe91fc2 Issue #19508: direct the user to read the security considerations for the ssl module 2013-11-17 15:35:33 +01:00
Christian Heimes 9f09120b83 merge 2013-10-29 22:21:16 +01:00
Christian Heimes 47674bc470 fix language 2013-10-29 22:19:39 +01:00
Christian Heimes ee0bac66b2 Issue #19227 / Issue #18747: Remove pthread_atfork() handler to remove OpenSSL re-seeding
It is causing trouble like e.g. hanging processes.
2013-10-29 21:11:55 +01:00
Christian Heimes 3046fe4c03 Issue #18747: document issue with OpenSSL's CPRNG state and fork 2013-10-29 21:08:56 +01:00
Georg Brandl 72c98d3a76 Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
for security reasons.  It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
Georg Brandl b89b5df9c9 merge with 3.3 2013-10-27 07:46:09 +01:00
Georg Brandl 99b1a12f2f merge with 3.3 2013-10-06 18:20:39 +02:00
Georg Brandl 4a6cf6c9d1 Closes #19177: replace dead link to SSL/TLS introduction with the version from Apache. 2013-10-06 18:20:31 +02:00
Antoine Pitrou 20b85557f2 Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done. 2013-09-29 19:50:53 +02:00
Larry Hastings d36fc4307e Fix minor documentation markup error. 2013-08-03 02:49:53 -07:00
R David Murray fe3ae3cdc7 Merge #18311: fix typo. 2013-06-26 15:11:32 -04:00
R David Murray c7f7579855 #18311: fix typo. 2013-06-26 15:11:12 -04:00
Christian Heimes 9a5395ae2b Issue #18147: Add diagnostic functions to ssl.SSLContext().
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
Christian Heimes 46bebee25f Issue #17134: Add ssl.enum_cert_store() as interface to Windows' cert store. 2013-06-09 19:03:31 +02:00
Christian Heimes 3e738f97f8 removed accidental new line 2013-06-09 18:07:16 +02:00
Christian Heimes 6d7ad13a45 Issue #18143: Implement ssl.get_default_verify_paths() in order to debug
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
Antoine Pitrou 9b42128e2c Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
Thanks to David D Lowe for reporting.
2013-04-16 20:28:15 +02:00
Antoine Pitrou d34941ad4e Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
Thanks to David D Lowe for reporting.
2013-04-16 20:27:17 +02:00
Antoine Pitrou 50b24d0d7c Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
Patch by Kazuhiro Yoshida.
(originally issue #8109)
2013-04-11 20:48:42 +02:00
Antoine Pitrou 2463e5fee4 Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù. 2013-03-28 22:24:43 +01:00
Terry Jan Reedy 8e7586bd44 Issue #17047: remove doubled words added in 3.4,
as reported by Serhiy Storchaka and Matthew Barnett.
2013-03-11 18:38:13 -04:00
Antoine Pitrou 58ddc9d743 Issue #8109: The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
Antoine Pitrou d9a7e70939 Update the getpeercert() example with a real-world cert showing non-trivial issuer, subject and subjectAltName. 2012-08-16 22:18:37 +02:00
Antoine Pitrou b7c6c8105e Update the getpeercert() example with a real-world cert showing non-trivial issuer, subject and subjectAltName. 2012-08-16 22:14:43 +02:00
Antoine Pitrou 3b36fb1f53 Issue #14837: SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
The str() of a SSLError is also enhanced accordingly.

NOTE: this commit creates a reference leak.  The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type.  The leak is on the
type object when it is instantiated:

>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
Antoine Pitrou d5d17eb653 Issue #14204: The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
Antoine Pitrou e10ae8871a Clarify that ssl.OP_ALL can be different from OpenSSL's SSL_OP_ALL. 2012-01-27 10:03:23 +01:00
Antoine Pitrou 9f6b02ecde Clarify that ssl.OP_ALL can be different from OpenSSL's SSL_OP_ALL. 2012-01-27 10:02:55 +01:00
Antoine Pitrou ac8bfcacfc Issue #13747: fix SSL compatibility table. 2012-01-09 21:43:18 +01:00
Antoine Pitrou 84a2edcdf7 Issue #13747: fix documentation error about the default SSL version. 2012-01-09 21:35:11 +01:00
Antoine Pitrou 441ae043df Update printout of SSL certificate examples for 3.2+. 2012-01-06 20:06:15 +01:00
Antoine Pitrou b7ffed8a50 Add a subsection explaining cipher selection. 2012-01-04 02:53:44 +01:00