470fba1f9f
SNI was added in OpenSSL 0.9.8f [11 Oct 2007], too
2013-11-28 15:12:15 +01:00
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
5398e1a56e
Issue #19448 : report name / NID in exception message of ASN1Object
2013-11-22 16:20:53 +01:00
f22e8e5426
Issue #18147 : Add missing documentation for SSLContext.get_ca_certs().
...
Also change the argument name to the same name as getpeercert()
2013-11-22 02:22:51 +01:00
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
1dbf61fa46
downcast len to int. The code has already checked that len < INT_MAX
2013-11-22 00:34:18 +01:00
18fc7be80d
lst might be NULL here
...
CID 1130752: Dereference after null check (FORWARD_NULL)
2013-11-21 23:57:49 +01:00
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
949ec14209
Issue #19682 : Fix compatibility issue with old version of OpenSSL that
...
was introduced by Issue #18379 .
2013-11-21 16:26:51 +01:00
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
b08ff7dcb4
Safely downcast SOCKET_T to int in _ssl module
2013-11-18 10:04:07 +01:00
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
a9eb38f02a
Issue #19437 : Fix newPySSLSocket(), handle PyWeakref_NewRef() failure
2013-10-31 16:35:38 +01:00
ba9be477b0
Issue #19437 : Fix fill_and_set_sslerror() of _ssl, handle Py_BuildValue()
...
failure
Don't call PyObject_CallObject() with NULL parameters and an exception set.
2013-10-31 15:00:24 +01:00
ee0bac66b2
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
...
It is causing trouble like e.g. hanging processes.
2013-10-29 21:11:55 +01:00
fb6b44e830
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
...
It is causing trouble like e.g. hanging processes.
2013-10-29 20:50:01 +01:00
81be27d53e
Issue #19227 : Try to fix deadlocks caused by re-seeding then OpenSSL
...
pseudo-random number generator on fork().
2013-10-27 07:56:11 +01:00
fb404f528a
#19227 : merge with 3.3
2013-10-27 07:57:42 +01:00
b2201e1aa6
Properly initialize all fields of a SSL object after allocation.
2013-09-29 19:53:45 +02:00
860aee75b8
Properly initialize all fields of a SSL object after allocation.
2013-09-29 19:52:45 +02:00
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
2d7aba3db1
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:04:50 +02:00
60bf2fc25b
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:04:35 +02:00
daf455554b
Issue #18571 : Implementation of the PEP 446: file descriptors and file handles
...
are now created non-inheritable; add functions os.get/set_inheritable(),
os.get/set_handle_inheritable() and socket.socket.get/set_inheritable().
2013-08-28 00:53:59 +02:00
cfa47962c2
Issue #18747 : Fix spelling errors in my commit message and comments,
...
thanks to Vajrasky Kok for proof-reading.
2013-08-25 14:19:29 +02:00
61636e7105
Issue #18747 : Fix spelling errors in my commit message and comments,
...
thanks to Vajrasky Kok for proof-reading.
2013-08-25 14:19:16 +02:00
cabbde9e1e
Fix compiler warning on Windows.
2013-08-24 23:46:27 +01:00
f54c24628b
Issue #18747 : Use a parent atfork handler instead of a child atfork handler.
...
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
2013-08-22 13:19:56 +02:00
80c5de93f9
Issue #18747 : Use a parent atfork handler instead of a child atfork handler.
...
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
2013-08-22 13:19:48 +02:00
6acbe2aaa3
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:34 +02:00
f77b4b20e9
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
85532eb212
Issue #18777 : The ssl module now uses the new CRYPTO_THREADID API of
...
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
2013-08-19 17:36:39 +02:00
4d98ca9ff6
Issue #18777 : The ssl module now uses the new CRYPTO_THREADID API of
...
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
2013-08-19 17:36:29 +02:00
f920a1c1f1
Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok.
2013-08-17 17:25:27 +02:00
3c2593b2bb
Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok.
2013-08-17 17:25:18 +02:00
9b5907cbd5
Issue #18768 : coding style nitpick. Thanks to Vajrasky Kok
2013-08-17 17:19:03 +02:00
474afdda60
Issue #18768 : coding style nitpick. Thanks to Vajrasky Kok
2013-08-17 17:18:56 +02:00
a7e7497d88
#18466 : merge with 3.3.
2013-08-17 16:58:13 +03:00
85a8629d21
#18466 : fix more typos. Patch by Févry Thibault.
2013-08-17 16:57:41 +03:00
e06d47c70c
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00
824f7f366d
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
9bfcaa6fb3
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
...
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:35 +02:00
5962bef8aa
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
...
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:18 +02:00
11ebff2757
Issue #18203 : Replace malloc() with PyMem_Malloc() in _ssl for the password
2013-07-07 17:07:52 +02:00
b64049183c
Issue #18203 : Replace malloc() with PyMem_Malloc() in Python modules
...
Replace malloc() with PyMem_Malloc() when the GIL is held, or with
PyMem_RawMalloc() otherwise.
2013-07-07 16:21:41 +02:00
7e00151e1f
_ssl.c: strip trailing spaces
2013-06-25 00:44:31 +02:00
86073dc3c2
(Merge 3.3) Issue #18135 : ssl.SSLSocket.write() now raises an OverflowError if
...
the input string in longer than 2 gigabytes, and
ssl.SSLContext.load_cert_chain() raises a ValueError if the password is longer
than 2 gigabytes. The ssl module does not support partial write.
2013-06-25 00:43:47 +02:00
6efa965a27
Issue #18135 : ssl.SSLSocket.write() now raises an OverflowError if the input
...
string in longer than 2 gigabytes, and ssl.SSLContext.load_cert_chain() raises
a ValueError if the password is longer than 2 gigabytes. The ssl module does
not support partial write.
2013-06-25 00:42:31 +02:00
8cfd67cfe7
(Merge 3.3) Issue #18135 : Fix a possible integer overflow in
...
ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and
passwords longer than 2 gigabytes.
2013-06-23 15:09:26 +02:00
9ee0203057
Issue #18135 : Fix a possible integer overflow in ssl.SSLSocket.write()
...
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer
than 2 gigabytes.
2013-06-23 15:08:23 +02:00
4569cd5eab
_ssl.c: strip trailing spaces
2013-06-23 14:58:43 +02:00
9a5395ae2b
Issue #18147 : Add diagnostic functions to ssl.SSLContext().
...
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
200bb1b08c
Simplify return value of ssl.get_default_verify_paths
...
prefix function with PySSL_, too. Other module level functions have a prefix, too.
2013-06-14 15:14:29 +02:00
75b8426698
fixd refleak
2013-06-10 10:47:22 +02:00
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
142ec2c014
get_default_verify_paths doesn't belong inside the ifdef block
2013-06-09 18:29:54 +02:00
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
...
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
19fef69b75
Fix compilation under MSVC: ssl_set_mode() is a macro, and the MSVC preprocessor doesn't process #ifdef's inside a macro argument list.
...
(found explanation at http://www.tech-archive.net/Archive/VC/microsoft.public.vc.language/2007-05/msg00385.html )
2013-05-25 13:23:03 +02:00
3a65ad7f08
Issue #8240 : Set the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag on SSL sockets.
2013-05-25 13:02:32 +02:00
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
...
Patch by Kazuhiro Yoshida.
(originally issue #8109 )
2013-04-11 20:48:42 +02:00
ce852cb8b9
Fix comment about the OpenSSL version in which SNI version was introduced.
2013-03-30 16:45:04 +01:00
edbc18e9d0
Improve set_servername_callback docstring.
2013-03-30 16:40:27 +01:00
a596338bb8
Fix previous fix (the cause was actually a misplaced #endif, or so it seems)
2013-03-30 16:39:00 +01:00
41f8c4f5e4
Further compiling fixes (issue #17581 )
2013-03-30 16:36:54 +01:00
912fbff105
Issue #17581 : try to fix building on old OpenSSL versions
2013-03-30 16:29:32 +01:00
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
20d60803d5
Issue #16982 : Fix --without-threads build failure.
2013-01-17 17:07:17 +01:00
1e37e9efa9
SSLContext.load_dh_params() now properly closes the input file.
2013-01-12 21:44:33 +01:00
457a2292ca
SSLContext.load_dh_params() now properly closes the input file.
2013-01-12 21:43:45 +01:00
5dd12a5978
Fix returning uninitialized variable (issue #8109 ).
...
Found by Christian with Coverity.
2013-01-06 15:25:36 +01:00
58ddc9d743
Issue #8109 : The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
...
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
5cb31c9277
Issue #15977 : Fix memory leak in Modules/_ssl.c when the function _set_npn_protocols() is called multiple times
2012-09-20 12:42:54 +02:00
b7a2800831
MERGE: Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:08:48 +02:00
c8754a13e6
Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:00:58 +02:00
721738fbee
Issue #15604 : Update uses of PyObject_IsTrue() to check for and handle errors correctly.
...
Patch by Serhiy Storchaka.
2012-08-15 23:20:39 +02:00
6f430e4963
Issue #15604 : Update uses of PyObject_IsTrue() to check for and handle errors correctly.
...
Patch by Serhiy Storchaka.
2012-08-15 23:18:25 +02:00
3b36fb1f53
Issue #14837 : SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
...
The str() of a SSLError is also enhanced accordingly.
NOTE: this commit creates a reference leak. The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type. The leak is on the
type object when it is instantiated:
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
d5d17eb653
Issue #14204 : The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
...
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
c135fa424e
Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay.
2012-02-19 21:22:39 +01:00
a9bf2ac726
Try to really fix compilation failures of the _ssl module under very old OpenSSLs.
2012-02-17 18:47:54 +01:00
e9fccb360f
Fix compilation when SSL_OP_SINGLE_ECDH_USE isn't defined
2012-02-17 11:53:10 +01:00
04d4ee4e56
Issue #13014 : Fix a possible reference leak in SSLSocket.getpeercert().
2012-02-15 22:28:21 +01:00
2f5a163dfc
Issue #13014 : Fix a possible reference leak in SSLSocket.getpeercert().
2012-02-15 22:25:27 +01:00
9e2e5329dc
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:53:29 +01:00
3f366314e8
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:50:45 +01:00
f2bf8a6ac5
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:48:47 +01:00
0e576f1f50
Issue #13626 : Add support for SSL Diffie-Hellman key exchange, through the
...
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
501da61671
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
...
(followup to issue #13627 )
2011-12-21 09:27:41 +01:00
8abdb8abd8
Issue #13634 : Add support for querying and disabling SSL compression.
2011-12-20 10:13:40 +01:00
923df6f22a
Issue #13627 : Add support for SSL Elliptic Curve-based Diffie-Hellman
...
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
6db4944cc5
Issue #13635 : Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
...
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
bc53032408
Issue #13458 : Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName.
...
Patch by Robert Xiao.
2011-11-23 01:42:52 +01:00
116d6b98bf
Issue #13458 : Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName.
...
Patch by Robert Xiao.
2011-11-23 01:39:19 +01:00
41032a69c1
Issue #11183 : Add finer-grained exceptions to the ssl module, so that
...
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
a0e0e23299
Add a docstring to SSLError
2011-10-22 23:41:52 +02:00
b7705b7792
Use PyExc_OSError directly instead of grabbing it from the socket module API
2011-10-22 23:37:51 +02:00
a02a12c517
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:22:30 +02:00
d8c347a8de
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:20:25 +02:00
ac7e9e058d
Issue #12287 : Fix a stack corruption in ossaudiodev module when the FD is
...
greater than FD_SETSIZE.
2011-08-28 18:10:27 +02:00
Christian Heimes
Victor Stinner
Georg Brandl
Antoine Pitrou
Richard Oudkerk
Ezio Melotti
Stefan Krah
Jesus Cea
Charles-François Natali