Antoine Pitrou
0bebbc33fa
Issue #21015 : SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
...
(should also fix a buildbot failure introduced by #20995 )
2014-03-22 18:13:50 +01:00
Gregory P. Smith
83fed26953
avoid a compiler warning about assigning const char * to char *.
2014-01-17 12:09:05 -08:00
Gregory P. Smith
f34890937b
avoid a compiler warning about assigning const char * to char *.
2014-01-17 12:08:49 -08:00
Antoine Pitrou
78ace81c93
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:09:03 +01:00
Antoine Pitrou
2f7c31678a
Remove conditional: it is useless at this point (OpenSSL headers are not yet included)
2014-01-09 20:07:41 +01:00
Antoine Pitrou
cd3d7cabef
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:02:20 +01:00
Victor Stinner
36e96b8716
(Merge 3.3) Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now
...
raise a ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:25 +01:00
Victor Stinner
1e81a399a2
Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a
...
ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:04 +01:00
Christian Heimes
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Christian Heimes
470fba1f9f
SNI was added in OpenSSL 0.9.8f [11 Oct 2007], too
2013-11-28 15:12:15 +01:00
Christian Heimes
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes
5398e1a56e
Issue #19448 : report name / NID in exception message of ASN1Object
2013-11-22 16:20:53 +01:00
Christian Heimes
f22e8e5426
Issue #18147 : Add missing documentation for SSLContext.get_ca_certs().
...
Also change the argument name to the same name as getpeercert()
2013-11-22 02:22:51 +01:00
Christian Heimes
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes
1dbf61fa46
downcast len to int. The code has already checked that len < INT_MAX
2013-11-22 00:34:18 +01:00
Christian Heimes
18fc7be80d
lst might be NULL here
...
CID 1130752: Dereference after null check (FORWARD_NULL)
2013-11-21 23:57:49 +01:00
Christian Heimes
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes
949ec14209
Issue #19682 : Fix compatibility issue with old version of OpenSSL that
...
was introduced by Issue #18379 .
2013-11-21 16:26:51 +01:00
Christian Heimes
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
Christian Heimes
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
Christian Heimes
b08ff7dcb4
Safely downcast SOCKET_T to int in _ssl module
2013-11-18 10:04:07 +01:00
Christian Heimes
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
Victor Stinner
a9eb38f02a
Issue #19437 : Fix newPySSLSocket(), handle PyWeakref_NewRef() failure
2013-10-31 16:35:38 +01:00
Victor Stinner
ba9be477b0
Issue #19437 : Fix fill_and_set_sslerror() of _ssl, handle Py_BuildValue()
...
failure
Don't call PyObject_CallObject() with NULL parameters and an exception set.
2013-10-31 15:00:24 +01:00
Christian Heimes
ee0bac66b2
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
...
It is causing trouble like e.g. hanging processes.
2013-10-29 21:11:55 +01:00
Christian Heimes
fb6b44e830
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
...
It is causing trouble like e.g. hanging processes.
2013-10-29 20:50:01 +01:00
Georg Brandl
81be27d53e
Issue #19227 : Try to fix deadlocks caused by re-seeding then OpenSSL
...
pseudo-random number generator on fork().
2013-10-27 07:56:11 +01:00
Georg Brandl
fb404f528a
#19227 : merge with 3.3
2013-10-27 07:57:42 +01:00
Antoine Pitrou
b2201e1aa6
Properly initialize all fields of a SSL object after allocation.
2013-09-29 19:53:45 +02:00
Antoine Pitrou
860aee75b8
Properly initialize all fields of a SSL object after allocation.
2013-09-29 19:52:45 +02:00
Antoine Pitrou
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
Christian Heimes
2d7aba3db1
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:04:50 +02:00
Christian Heimes
60bf2fc25b
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:04:35 +02:00
Victor Stinner
daf455554b
Issue #18571 : Implementation of the PEP 446: file descriptors and file handles
...
are now created non-inheritable; add functions os.get/set_inheritable(),
os.get/set_handle_inheritable() and socket.socket.get/set_inheritable().
2013-08-28 00:53:59 +02:00
Christian Heimes
cfa47962c2
Issue #18747 : Fix spelling errors in my commit message and comments,
...
thanks to Vajrasky Kok for proof-reading.
2013-08-25 14:19:29 +02:00
Christian Heimes
61636e7105
Issue #18747 : Fix spelling errors in my commit message and comments,
...
thanks to Vajrasky Kok for proof-reading.
2013-08-25 14:19:16 +02:00
Richard Oudkerk
cabbde9e1e
Fix compiler warning on Windows.
2013-08-24 23:46:27 +01:00
Christian Heimes
f54c24628b
Issue #18747 : Use a parent atfork handler instead of a child atfork handler.
...
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
2013-08-22 13:19:56 +02:00
Christian Heimes
80c5de93f9
Issue #18747 : Use a parent atfork handler instead of a child atfork handler.
...
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
2013-08-22 13:19:48 +02:00
Christian Heimes
6acbe2aaa3
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:34 +02:00
Christian Heimes
f77b4b20e9
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
Christian Heimes
85532eb212
Issue #18777 : The ssl module now uses the new CRYPTO_THREADID API of
...
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
2013-08-19 17:36:39 +02:00
Christian Heimes
4d98ca9ff6
Issue #18777 : The ssl module now uses the new CRYPTO_THREADID API of
...
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
2013-08-19 17:36:29 +02:00
Christian Heimes
f920a1c1f1
Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok.
2013-08-17 17:25:27 +02:00
Christian Heimes
3c2593b2bb
Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok.
2013-08-17 17:25:18 +02:00
Christian Heimes
9b5907cbd5
Issue #18768 : coding style nitpick. Thanks to Vajrasky Kok
2013-08-17 17:19:03 +02:00
Christian Heimes
474afdda60
Issue #18768 : coding style nitpick. Thanks to Vajrasky Kok
2013-08-17 17:18:56 +02:00
Ezio Melotti
a7e7497d88
#18466 : merge with 3.3.
2013-08-17 16:58:13 +03:00
Ezio Melotti
85a8629d21
#18466 : fix more typos. Patch by Févry Thibault.
2013-08-17 16:57:41 +03:00
Christian Heimes
e06d47c70c
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00