Commit Graph

331 Commits

Author SHA1 Message Date
mm-matthias 4f59f86382
gh-118596: Add thread-safety clarifications to the SSLContext documentation (#118597)
Add thread-safety clarifications to the SSLContext documentation. Per the issue:

This issue has also come up [here](https://github.com/psf/requests/pull/6667) where the matter was clarified by @tiran in [this comment](https://github.com/psf/requests/pull/6667):
> `SSLContext` is designed to be shared and used for multiple connections. It is thread safe as long as you don't reconfigure it once it is used by a connection. Adding new certs to the internal trust store is fine, but changing ciphers, verification settings, or mTLS certs can lead to surprising behavior. The problem is unrelated to threads and can even occur in a single-threaded program.
2024-06-16 13:27:44 -07:00
Ned Batchelder d25954dff5
docs: fix a few typos identified by codespell (#119516) 2024-05-25 18:13:31 -07:00
Ned Batchelder bcb435ee8f
docs: module page titles should not start with a link to themselves (#117099) 2024-05-08 20:34:40 +01:00
Hugo van Kemenade 94e9c35cd0
Fix version directive indents (#117719) 2024-04-12 13:30:42 +03:00
William Woodruff 0876b921b2
gh-107361: strengthen default SSL context flags (#112389)
This adds `VERIFY_X509_STRICT` to make the default
SSL context perform stricter (per RFC 5280) validation, as well
as `VERIFY_X509_PARTIAL_CHAIN` to enforce more standards-compliant
path-building behavior.

As part of this changeset, I had to tweak `make_ssl_certs.py`
slightly to emit 5280-conforming CA certs. This changeset includes
the regenerated certificates after that change.

Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Victor Stinner <vstinner@python.org>
2024-03-06 13:44:58 -08:00
Serhiy Storchaka 0064dfa091
gh-115777: Fix double versionadded directives (GH-116269) 2024-03-05 17:41:53 +02:00
Carl Bordum Hansen 91c3c64237
gh-73580: Docs for tunnelling TLS through TLS (GH-22539) 2024-02-29 22:56:04 +02:00
Rami debb1386be
gh-87688: Amend SSLContext.hostname_checks_common_name docs (GH-100517) 2024-02-17 10:22:19 +00:00
Thomas Grainger 127a497852
gh-104360: remove reference to removed module-level wrap_socket (GH-104361)
* remove reference to removed module-level wrap_socket
* drive by typo fix
2024-01-24 15:24:00 +01:00
Jan Brasna 24f8ff28a3
Docs: OpenSSL wording ambiguity (#113296) 2023-12-21 00:50:25 -07:00
Grant Ramsay e413daf5f6
gh-112454: Disable TLS-PSK if OpenSSL was built without PSK support (#112491)
If OpenSSL was built without PSK support, the python TLS-PSK
methods will raise "NotImplementedError" if called.

Add a constant "ssl.HAS_PSK" to check if TLS-PSK is supported
2023-11-28 16:15:39 -08:00
Grant Ramsay e954ac7205
gh-63284: Add support for TLS-PSK (pre-shared key) to the ssl module (#103181)
Add support for TLS-PSK (pre-shared key) to the ssl module.

---------

Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
2023-11-27 04:01:44 +00:00
Ezio Melotti bb7923f556
gh-110631: Fix reST indentation in `Doc/library` (#110685)
Fix wrong indentation in the Doc/library dir.
2023-10-11 22:24:12 +02:00
Mateusz Nowak 5a740cd06e
gh-109109: Expose retrieving certificate chains in SSL module (#109113)
Adds APIs to get the TLS certificate chains, verified or full unverified, from SSLSocket and SSLObject.

Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
2023-09-20 01:20:54 +00:00
Serhiy Storchaka 0aa58fa7a6
gh-107091: Fix some uses of :const: role (GH-107379)
It is for references, not for literals.
2023-07-28 13:26:28 +03:00
Jocelyn Castellano e5252c6127
gh-105090: Replace incorrect TLSv1.2 with TLSv1.3 (#105404) 2023-07-22 14:29:08 +00:00
Serhiy Storchaka 4b9948617f
gh-106909: Use role :const: for referencing module constants (GH-106910) 2023-07-21 12:40:37 +03:00
Rafael Fontenelle 68ed2a2a3f
GH-103484: Fix redirected permanently URLs (#104001)
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
2023-05-02 09:34:44 +03:00
Benjamin Fogle af9c34f6ef
gh-96931: Fix incorrect results in ssl.SSLSocket.shared_ciphers (#96932) 2023-03-22 15:08:41 +01:00
Simon Robinson 73497690b5
Fix minor typos in SSL documentation (#101158) 2023-01-20 23:08:45 +01:00
Thomas Grainger 79ccc03b62
gh-89051: Add ssl.OP_LEGACY_SERVER_CONNECT (#93927)
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Fixes https://github.com/python/cpython/issues/89051
2022-12-20 09:10:30 +02:00
Illia Volochii 9dc08361be
gh-96828: Add an `ssl.OP_ENABLE_KTLS` option (GH-96830)
Expose the constant when OpenSSL defines it.
2022-11-23 18:24:09 -08:00
Victor Stinner cff1c20667
gh-94199: Remove ssl.wrap_socket() documentation (#99023)
The function has been removed. In the ssl documentation, replace
references to the ssl.wrap_socket() function with references to the
ssl.SSLContext.wrap_socket() method.

Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
2022-11-03 13:33:33 +01:00
Christian Heimes e3b6ff19aa
gh-95451: Update docs for wasm32-emscripten and -wasi platforms (GH-95452)
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Michael Droettboom <mdboom@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>
2022-08-02 21:00:41 +02:00
Christian Heimes f81a6c5fc7
gh-95415: Make availability directive consistent (GH-95416) 2022-07-29 16:42:09 +02:00
Victor Stinner 600c65c094
gh-94172: Remove ssl.PROTOCOL_SSLv2 dead code (#94312)
Remove dead code related to ssl.PROTOCOL_SSLv2. ssl.PROTOCOL_SSLv2
was already removed in Python 3.10.

In test_ssl, @requires_tls_version('SSLv2') always returned False.

Extract of the removed code: "OpenSSL has removed support for SSLv2".
2022-06-28 13:57:08 +02:00
Victor Stinner 944c7d8a85
gh-94199: Remove ssl.match_hostname() function (#94224) 2022-06-25 12:54:11 +02:00
Victor Stinner d435a18c53
gh-94199: Remove ssl.RAND_pseudo_bytes() function (#94202)
Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python
3.6: use os.urandom() or ssl.RAND_bytes() instead.
2022-06-24 11:05:53 +02:00
Oleg Iarygin f62ff97f31
gh-93851: Fix all broken links in Doc/ (GH-93853) 2022-06-21 20:55:18 +02:00
Jan Brasna 41638967a0
Doc: amend ssl.PROTOCOL_SSLv2 and ssl.PROTOCOL_SSLv3 wording (#92634) 2022-05-19 11:22:16 +02:00
Motoki Naruse ea39246782
gh-91611: Use example.com for documentation, not mydomain.com (#91613)
example.com is reserved by the IANA as special-use domain name for documentation
purposes. The domain names are used widely in books, tutorials, sample network
configurations, and generally as examples for the use of domain name.

On the other hand, mydomain.com is real Domain Name Registration service.
2022-04-30 15:52:13 -06:00
Frederick 9ee2d3a939
ssl docs: Fix typo (GH-32336) 2022-04-07 09:29:23 -07:00
Frederick 1da9c38fd3
ssl docs: Fix typo (GH-32314) 2022-04-06 17:51:35 -07:00
Jörn Heissler f80a97b492
[docs] Correct typos in SSLContext.sni_callback (GH-30623)
Co-authored-by: Jörn Heissler <nosuchaddress@joern-heissler.de>
2022-02-18 17:49:04 -08:00
Ethan Furman 62a6594e66
bpo-40066: [Enum] fix tests (GH-30643)
- skip doctest that changes depending on target system
- skip doctest that only fails on CI
- substitute in values that change depending on target system
2022-01-17 08:52:42 -08:00
Kumar Aditya 83d544b929
bpo-40066: [Enum] skip failing doc test (GH-30637) 2022-01-17 07:18:13 -08:00
Victor Stinner 42a64c03ec
Revert "bpo-40066: [Enum] update str() and format() output (GH-30582)" (GH-30632)
This reverts commit acf7403f9b.
2022-01-17 13:58:40 +01:00
Ethan Furman acf7403f9b
bpo-40066: [Enum] update str() and format() output (GH-30582)
Undo rejected PEP-663 changes:

- restore `repr()` to its 3.10 status
- restore `str()` to its 3.10 status

New changes:

- `IntEnum` and `IntFlag` now leave `__str__` as the original `int.__str__` so that str() and format() return the same result
- zero-valued flags without a name have a slightly changed repr(), e.g. `repr(Color(0)) == '<Color: 0>'`
- update `dir()` for mixed-in types to return all the methods and attributes of the mixed-in type
- added `_numeric_repr_` to `Flag` to control display of unnamed values
- enums without doc strings have a more comprehensive doc string added
- `ReprEnum` added -- inheriting from this makes it so only `__repr__` is replaced, not `__str__` nor `__format__`; `IntEnum`, `IntFlag`, and `StrEnum` all inherit from `ReprEnum`
2022-01-15 22:41:43 -08:00
LincolnPuzey 3551bf16ee
bpo-45457: Minor fix to documentation for SSLContext.load_default_certs. (GH-28947)
Specify that SSLContext.set_default_verify_paths is called on ALL systems.

The code of SSLContext.load_default_certs was changed in bpo-22449 to do this,
this fix corrects the documentation to match that change.
2021-11-02 22:27:44 +01:00
Serhiy Storchaka 36122e1814
bpo-41203: Replace Mac OS X and OS X with macOS (GH-28515)
Replace old names when they refer to actual versions of macOS.
Keep historical names in references to older versions.

Co-authored-by: Patrick Reader <_@pxeger.com>
2021-09-22 20:33:36 +03:00
Mariusz Felisiak 11749e2dc2
bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
2021-07-27 00:11:55 +02:00
Anton Grübel 717f608c4a
Fix typo in ssl documentation (GH-27329) 2021-07-24 18:54:51 -03:00
Christian Heimes e26014f1c4
bpo-44362: ssl: improve deprecation warnings and docs (GH-26646)
Signed-off-by: Christian Heimes <christian@python.org>
2021-06-11 09:15:48 +02:00
Christian Heimes d8389e3e50
bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817)
Signed-off-by: Christian Heimes <christian@python.org>
2021-05-02 16:38:02 +02:00
Christian Heimes e983252b51
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
The ssl module now has more secure default settings. Ciphers without forward
secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
weak RSA, DH, and ECC keys with less than 112 bits of security.
:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
Settings are based on Hynek Schlawack's research.

```
$ openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
```

Signed-off-by: Christian Heimes <christian@python.org>
2021-05-01 20:53:10 +02:00
Zackery Spytz b2fac1afaa
bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270) 2021-04-23 21:46:01 -07:00
l0x 64d975202f
bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)
This short PR exposes an openssl flag that  wasn't exposed. I've also updated to doc to reflect the change. It's heavily inspired by 990fcaac3c.
2021-04-19 04:51:18 -07:00
Christian Heimes 2875c603b2
bpo-43880: Show DeprecationWarnings for deprecated ssl module features (GH-25455)
* ssl.OP_NO_SSLv2
* ssl.OP_NO_SSLv3
* ssl.OP_NO_TLSv1
* ssl.OP_NO_TLSv1_1
* ssl.OP_NO_TLSv1_2
* ssl.OP_NO_TLSv1_3
* ssl.PROTOCOL_SSLv2
* ssl.PROTOCOL_SSLv3
* ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
* ssl.PROTOCOL_TLS
* ssl.PROTOCOL_TLSv1
* ssl.PROTOCOL_TLSv1_1
* ssl.PROTOCOL_TLSv1_2
* ssl.TLSVersion.SSLv3
* ssl.TLSVersion.TLSv1
* ssl.TLSVersion.TLSv1_1
* ssl.wrap_socket()
* ssl.RAND_pseudo_bytes()
* ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
* ssl.SSLContext() without a protocol argument
* ssl.match_hostname()
* hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL
  function will stay)

Signed-off-by: Christian Heimes <christian@python.org>
2021-04-19 07:27:10 +02:00
Christian Heimes 89d1550d14
bpo-42854: Use SSL_read/write_ex() (GH-25468)
The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex``
internally. The functions support reading and writing of data larger
than 2 GB. Writing zero-length data no longer fails with a protocol
violation error.

Signed-off-by: Christian Heimes <christian@python.org>
2021-04-19 06:55:30 +02:00
Illia Volochii 2798f247c0
bpo-43641: Stop stating that TLS 1.2 is the most modern version in docs (GH-25041)
Automerge-Triggered-By: GH:tiran
2021-04-18 00:10:53 -07:00