Berker Peksag
f7fee33104
Issue #22251 : Fix ReST markup to avoid errors building docs.
2014-09-27 23:22:35 +03:00
Berker Peksag
3749404ba5
Issue #22251 : Fix ReST markup to avoid errors building docs.
2014-09-27 23:21:35 +03:00
Antoine Pitrou
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
Zachary Ware
b27d3a2d21
Closes #22072 : Merge typo fixes from 3.4
2014-07-25 13:31:36 -05:00
Zachary Ware
88a1977a08
Issue #22072 : Fix a couple of SSL doc typos. Patch by Alex Gaynor.
2014-07-25 13:30:50 -05:00
Berker Peksag
68f411670e
Issue #21994 : Merge with 3.4.
2014-07-17 05:02:02 +03:00
Berker Peksag
38bf87c7f2
Issue #21994 : Fix SyntaxError in the SSLContext.check_hostname documentation.
2014-07-17 05:00:36 +03:00
Zachary Ware
ba9fb0d83f
Fix doc build warning
2014-06-11 15:02:25 -05:00
Giampaolo Rodola'
915d14190e
fix issue #17552 : add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'.
2014-06-11 03:54:30 +02:00
Donald Stufft
8b852f111e
Fix Issue #21528 - Fix documentation typos
2014-05-20 12:58:38 -04:00
Antoine Pitrou
f48ff0dd6c
Issue #21430 : additions to the description of non-blocking SSL sockets
2014-05-18 00:56:53 +02:00
Antoine Pitrou
75e03388d8
Issue #21430 : additions to the description of non-blocking SSL sockets
2014-05-18 00:55:13 +02:00
Antoine Pitrou
b4bebdafe3
Issue #20951 : SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
...
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
Antoine Pitrou
c695c95626
Issue #19940 : ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
...
Patch by Akira.
2014-04-28 20:57:36 +02:00
Antoine Pitrou
94a5b663bf
Issue #20896 : ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.
2014-04-16 18:56:28 +02:00
Donald Stufft
4137465bf5
Issue #21043 : Remove the recommendation for specific CA organizations
...
Closes #21043 by updating the documentation to remove specific CA
organizations and update the text to no longer need to tell you to
download root certificates, but instead use the OS certificates
available through SSLContext.load_default_certs.
2014-03-24 19:26:03 -04:00
Donald Stufft
6a2ba94908
Issue #21013 : Enhance ssl.create_default_context() for server side contexts
...
Closes #21013 by modifying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
Antoine Pitrou
f8cbbbb652
Issue #20913 : make it clear that create_default_context() also enables hostname checking
2014-03-23 16:31:08 +01:00
Antoine Pitrou
c5e075ff03
Issue #20913 : improve the SSL security considerations to first advocate using create_default_context().
2014-03-22 18:19:11 +01:00
Donald Stufft
79ccaa2cad
Issue #20995 : Enhance default ciphers used by the ssl module
...
Closes #20995 by Enabling better security by prioritizing ciphers
such that:
* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
compatibility sometimes.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
reasons
2014-03-21 21:33:34 -04:00
Larry Hastings
3732ed2414
Merge in all documentation changes since branching 3.4.0rc1.
2014-03-15 21:13:56 -07:00
Antoine Pitrou
e6d2f159fc
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:30:51 +01:00
Antoine Pitrou
3e86ba4e32
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:26:33 +01:00
R David Murray
748bad2cd0
Tidy up ssl whatsnew references, make ssl section formatting consistent.
...
Also remove some extra blank lines in the ssl doc sections for tls1.1/1.2,
and reflow a paragraph.
2013-12-20 17:08:39 -05:00
Christian Heimes
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Serhiy Storchaka
0e90e99188
Issue #19795 : Improved markup of True/False constants.
2013-11-29 12:19:53 +02:00
Serhiy Storchaka
fbc1c26803
Issue #19795 : Improved markup of True/False constants.
2013-11-29 12:17:13 +02:00
Antoine Pitrou
5bef410471
Tweak ssl docs
2013-11-23 16:16:29 +01:00
Christian Heimes
4c05b472dd
Issue #19689 : Add ssl.create_default_context() factory function. It creates
...
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes
6b2ff98df4
Correct documentation clientAuth -> CLIENT_AUTH
2013-11-23 14:42:01 +01:00
Christian Heimes
72d28500b3
Issue #19292 : Add SSLContext.load_default_certs() to load default root CA
...
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes
f22e8e5426
Issue #18147 : Add missing documentation for SSLContext.get_ca_certs().
...
Also change the argument name to the same name as getpeercert()
2013-11-22 02:22:51 +01:00
Christian Heimes
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
Christian Heimes
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
Antoine Pitrou
6b2b084192
Issue #19508 : direct the user to read the security considerations for the ssl module
2013-11-17 15:36:03 +01:00
Antoine Pitrou
9eefe91fc2
Issue #19508 : direct the user to read the security considerations for the ssl module
2013-11-17 15:35:33 +01:00
Christian Heimes
9f09120b83
merge
2013-10-29 22:21:16 +01:00
Christian Heimes
47674bc470
fix language
2013-10-29 22:19:39 +01:00
Christian Heimes
ee0bac66b2
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
...
It is causing trouble like e.g. hanging processes.
2013-10-29 21:11:55 +01:00
Christian Heimes
3046fe4c03
Issue #18747 : document issue with OpenSSL's CPRNG state and fork
2013-10-29 21:08:56 +01:00
Georg Brandl
72c98d3a76
Issue #17997 : Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
...
for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
Georg Brandl
b89b5df9c9
merge with 3.3
2013-10-27 07:46:09 +01:00
Georg Brandl
99b1a12f2f
merge with 3.3
2013-10-06 18:20:39 +02:00
Georg Brandl
4a6cf6c9d1
Closes #19177 : replace dead link to SSL/TLS introduction with the version from Apache.
2013-10-06 18:20:31 +02:00
Antoine Pitrou
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
Larry Hastings
d36fc4307e
Fix minor documentation markup error.
2013-08-03 02:49:53 -07:00
R David Murray
fe3ae3cdc7
Merge #18311 : fix typo.
2013-06-26 15:11:32 -04:00
R David Murray
c7f7579855
#18311 : fix typo.
2013-06-26 15:11:12 -04:00
Christian Heimes
9a5395ae2b
Issue #18147 : Add diagnostic functions to ssl.SSLContext().
...
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
Christian Heimes
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
Christian Heimes
3e738f97f8
removed accidental new line
2013-06-09 18:07:16 +02:00
Christian Heimes
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
...
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
Antoine Pitrou
9b42128e2c
Issue #17739 : fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
...
Thanks to David D Lowe for reporting.
2013-04-16 20:28:15 +02:00
Antoine Pitrou
d34941ad4e
Issue #17739 : fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
...
Thanks to David D Lowe for reporting.
2013-04-16 20:27:17 +02:00
Antoine Pitrou
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
...
Patch by Kazuhiro Yoshida.
(originally issue #8109 )
2013-04-11 20:48:42 +02:00
Antoine Pitrou
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
Terry Jan Reedy
8e7586bd44
Issue #17047 : remove doubled words added in 3.4,
...
as reported by Serhiy Storchaka and Matthew Barnett.
2013-03-11 18:38:13 -04:00
Antoine Pitrou
58ddc9d743
Issue #8109 : The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
...
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
Antoine Pitrou
d9a7e70939
Update the getpeercert() example with a real-world cert showing non-trivial issuer, subject and subjectAltName.
2012-08-16 22:18:37 +02:00
Antoine Pitrou
b7c6c8105e
Update the getpeercert() example with a real-world cert showing non-trivial issuer, subject and subjectAltName.
2012-08-16 22:14:43 +02:00
Antoine Pitrou
3b36fb1f53
Issue #14837 : SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
...
The str() of a SSLError is also enhanced accordingly.
NOTE: this commit creates a reference leak. The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type. The leak is on the
type object when it is instantiated:
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
Antoine Pitrou
d5d17eb653
Issue #14204 : The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
...
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
Antoine Pitrou
e10ae8871a
Clarify that ssl.OP_ALL can be different from OpenSSL's SSL_OP_ALL.
2012-01-27 10:03:23 +01:00
Antoine Pitrou
9f6b02ecde
Clarify that ssl.OP_ALL can be different from OpenSSL's SSL_OP_ALL.
2012-01-27 10:02:55 +01:00
Antoine Pitrou
ac8bfcacfc
Issue #13747 : fix SSL compatibility table.
2012-01-09 21:43:18 +01:00
Antoine Pitrou
84a2edcdf7
Issue #13747 : fix documentation error about the default SSL version.
2012-01-09 21:35:11 +01:00
Antoine Pitrou
441ae043df
Update printout of SSL certificate examples for 3.2+.
2012-01-06 20:06:15 +01:00
Antoine Pitrou
b7ffed8a50
Add a subsection explaining cipher selection.
2012-01-04 02:53:44 +01:00
Antoine Pitrou
8a9b9c7d16
Merge SSL doc fixes (issue #13747 ).
2012-01-09 21:46:11 +01:00
Antoine Pitrou
deec7566ae
Update printout of SSL certificate examples for 3.2+.
2012-01-06 20:09:29 +01:00
Antoine Pitrou
8f746d83e2
Add a subsection explaining cipher selection.
2012-01-04 02:54:12 +01:00
Antoine Pitrou
0e576f1f50
Issue #13626 : Add support for SSL Diffie-Hellman key exchange, through the
...
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
Antoine Pitrou
501da61671
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
...
(followup to issue #13627 )
2011-12-21 09:27:41 +01:00
Antoine Pitrou
8abdb8abd8
Issue #13634 : Add support for querying and disabling SSL compression.
2011-12-20 10:13:40 +01:00
Antoine Pitrou
923df6f22a
Issue #13627 : Add support for SSL Elliptic Curve-based Diffie-Hellman
...
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
Antoine Pitrou
6db4944cc5
Issue #13635 : Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
...
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
Antoine Pitrou
f3dc2d7afd
Fix typo
2011-10-28 00:01:03 +02:00
Antoine Pitrou
873bf262ad
Update example of non-blocking SSL code for the new finer-grained exceptions
2011-10-27 23:59:03 +02:00
Antoine Pitrou
41032a69c1
Issue #11183 : Add finer-grained exceptions to the ssl module, so that
...
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
Antoine Pitrou
5574c3012d
Replace mentions of socket.error.
2011-10-12 17:53:43 +02:00
Antoine Pitrou
756b169c5a
Issue #12823 : remove broken link and replace it with another resource.
2011-10-07 16:58:35 +02:00
Antoine Pitrou
f394e47851
Issue #12823 : remove broken link and replace it with another resource.
2011-10-07 16:58:07 +02:00
Antoine Pitrou
4fd1e6a3ba
Issue #12803 : SSLContext.load_cert_chain() now accepts a password argument
...
to be used if the private key is encrypted. Patch by Adam Simpkins.
2011-08-25 14:39:44 +02:00
Antoine Pitrou
d649480739
Issue #12551 : Provide a get_channel_binding() method on SSL sockets so as
...
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented). This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.
Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
Antoine Pitrou
126edb5607
Use infinitive, not 3rd person of present tense.
2011-07-11 01:39:35 +02:00
Antoine Pitrou
b3593cada2
Use infinitive, not 3rd person of present tense.
2011-07-11 01:39:19 +02:00
Antoine Pitrou
f08310f08b
Issue #12343 : Add some notes on behaviour of non-blocking SSL sockets.
2011-07-11 01:38:27 +02:00
Antoine Pitrou
6f5dcb1ee2
Issue #12343 : Add some notes on behaviour of non-blocking SSL sockets.
2011-07-11 01:35:48 +02:00
Victor Stinner
a675206366
Issue #12049 : Document errors cases of ssl.RAND_bytes() and
...
ssl.RAND_pseudo_bytes(). Add also links to RAND_status and RAND_add.
2011-05-25 11:27:40 +02:00
Victor Stinner
19fb53c119
Issue #12049 : improve RAND_bytes() and RAND_pseudo_bytes() documentation
...
Add also a security warning in the module random pointing to ssl.RAND_bytes().
2011-05-24 21:32:40 +02:00
Victor Stinner
99c8b16143
Issue #12049 : Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
...
module.
2011-05-24 12:05:19 +02:00
Victor Stinner
17ca323e7c
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00
Victor Stinner
ee18b6f2fd
Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:38:00 +02:00
Victor Stinner
3de49192aa
Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-09 00:42:58 +02:00
Antoine Pitrou
15399c3f09
Issue #11811 : ssl.get_server_certificate() is now IPv6-compatible. Patch
...
by Charles-François Natali.
2011-04-28 19:23:55 +02:00
Georg Brandl
2774310c27
Merged revisions 87627,87638,87739,87760,87771,87787,87984,87986,88108,88115,88144,88165,88329,88364-88365,88369-88370,88423-88424 via svnmerge from
...
svn+ssh://svn.python.org/python/branches/py3k
........
r87627 | georg.brandl | 2011-01-02 15:23:43 +0100 (So, 02 Jan 2011) | 1 line
#1665333 : add more docs for optparse.OptionGroup.
........
r87638 | georg.brandl | 2011-01-02 20:07:51 +0100 (So, 02 Jan 2011) | 1 line
Fix code indentation.
........
r87739 | georg.brandl | 2011-01-04 18:27:13 +0100 (Di, 04 Jan 2011) | 1 line
Fix exception catching.
........
r87760 | georg.brandl | 2011-01-05 11:59:48 +0100 (Mi, 05 Jan 2011) | 1 line
Fix duplicate end tag.
........
r87771 | georg.brandl | 2011-01-05 22:47:47 +0100 (Mi, 05 Jan 2011) | 1 line
On Py3k, -tt and -3 are no-op and unsupported respectively.
........
r87787 | georg.brandl | 2011-01-06 10:15:45 +0100 (Do, 06 Jan 2011) | 1 line
Remove doc for nonexisting parameter.
........
r87984 | georg.brandl | 2011-01-13 08:24:40 +0100 (Do, 13 Jan 2011) | 1 line
Add semicolon for consistency.
........
r87986 | georg.brandl | 2011-01-13 08:31:18 +0100 (Do, 13 Jan 2011) | 1 line
Fix the example output of count().
........
r88108 | georg.brandl | 2011-01-19 09:42:03 +0100 (Mi, 19 Jan 2011) | 1 line
Suppress trailing spaces in table paragraphs.
........
r88115 | georg.brandl | 2011-01-19 21:05:49 +0100 (Mi, 19 Jan 2011) | 1 line
#10944 : add c_bool to types table.
........
r88144 | georg.brandl | 2011-01-22 23:06:24 +0100 (Sa, 22 Jan 2011) | 1 line
#10983 : fix several bugs in the _tunnel implementation that seem to have missed while porting between branches. A unittest is needed!
........
r88165 | georg.brandl | 2011-01-24 20:53:18 +0100 (Mo, 24 Jan 2011) | 1 line
Typo fix.
........
r88329 | georg.brandl | 2011-02-03 08:08:25 +0100 (Do, 03 Feb 2011) | 1 line
Punctuation typos.
........
r88364 | georg.brandl | 2011-02-07 13:10:46 +0100 (Mo, 07 Feb 2011) | 1 line
#11138 : fix order of fill and align specifiers.
........
r88365 | georg.brandl | 2011-02-07 13:13:58 +0100 (Mo, 07 Feb 2011) | 1 line
#8691 : document that right alignment is default for numbers.
........
r88369 | georg.brandl | 2011-02-07 16:30:45 +0100 (Mo, 07 Feb 2011) | 1 line
Consistent heading spacing, and fix two typos.
........
r88370 | georg.brandl | 2011-02-07 16:44:27 +0100 (Mo, 07 Feb 2011) | 1 line
Spelling fixes.
........
r88423 | georg.brandl | 2011-02-15 13:41:17 +0100 (Di, 15 Feb 2011) | 1 line
Apply logging SocketHandler doc update by Vinay.
........
r88424 | georg.brandl | 2011-02-15 13:44:43 +0100 (Di, 15 Feb 2011) | 1 line
Remove editing slip.
........
2011-02-25 10:18:11 +00:00
Raymond Hettinger
469271d4ea
More source links
2011-01-27 20:38:46 +00:00