Christian Heimes
99a6570295
Issue #19500 : Add client-side SSL session resumption to the ssl module.
2016-09-10 23:44:53 +02:00
Christian Heimes
d04863771b
Issue #28022 : Deprecate ssl-related arguments in favor of SSLContext.
...
The deprecation include manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.
ssl.wrap_socket() is not marked as deprecated yet.
2016-09-10 23:23:33 +02:00
Christian Heimes
358cfd426c
Issue 28043: SSLContext has improved default settings
...
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes
3aeacad561
Issue #28025 : Convert all ssl module constants to IntEnum and IntFlags.
2016-09-10 00:19:35 +02:00
Christian Heimes
ac041c0aa7
Issues #27850 and #27766 : Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305.
2016-09-06 20:07:58 +02:00
Christian Heimes
03d13c0cbf
Issues #27850 and #27766 : Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305.
2016-09-06 20:06:47 +02:00
Christian Heimes
01113faef9
Issue #26470 : Port ssl and hashlib module to OpenSSL 1.1.0.
2016-09-05 23:23:24 +02:00
Christian Heimes
598894ff48
Issue #26470 : Port ssl and hashlib module to OpenSSL 1.1.0.
2016-09-05 23:19:05 +02:00
Steve Dower
48df37dbb8
Issue #27114 : Fix SSLContext._load_windows_store_certs fails with PermissionError
2016-05-26 12:19:42 -07:00
Steve Dower
33bc4a2983
Issue #27114 : Fix SSLContext._load_windows_store_certs fails with PermissionError
2016-05-26 12:18:12 -07:00
Martin Panter
519f91215b
Issue #25951 : Fix SSLSocket.sendall() to return None, by Aviv Palivoda
2016-04-03 02:12:54 +00:00
Martin Panter
f6b1d66a3c
Issue #23804 : Fix SSL recv/read(0) to not return 1024 bytes
2016-03-28 00:22:09 +00:00
Steve Dower
8dd7aebc23
Issue #26313 : ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
2016-03-17 15:02:39 -07:00
Ethan Furman
24e837f231
issue23673
...
add private method to enum to support replacing global constants with Enum members:
- search for candidate constants via supplied filter
- create new enum class and members
- insert enum class and replace constants with members via supplied module name
- replace __reduce_ex__ with function that returns member name, so previous Python versions can unpickle
modify IntEnum classes to use new method
2015-03-18 17:27:57 -07:00
Benjamin Peterson
3e2500d6db
merge 3.4
2015-03-04 23:20:23 -05:00
Benjamin Peterson
7bcf9a5588
use _import_symbols to import VERIFY_* constants
2015-03-04 23:18:57 -05:00
Benjamin Peterson
869311dd97
merge 3.4 ( #23481 )
2015-02-19 17:58:19 -05:00
Benjamin Peterson
500af332f4
remove rc4 from the default client ciphers ( closes #23481 )
2015-02-19 17:57:08 -05:00
Antoine Pitrou
c481bfb3f6
Issue #23239 : ssl.match_hostname() now supports matching of IP addresses.
2015-02-15 18:12:20 +01:00
Benjamin Peterson
cca2732a82
add support for ALPN ( closes #20188 )
2015-01-23 16:35:37 -05:00
Benjamin Peterson
c114e7db60
remove extra definite article
2015-01-11 15:22:07 -05:00
Benjamin Peterson
5318c7aa59
explain None can be returned
2015-01-07 11:26:50 -06:00
Benjamin Peterson
4cb17812d9
expose the client's cipher suites from the handshake ( closes #23186 )
2015-01-07 11:14:26 -06:00
Victor Stinner
fcfed19913
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
Victor Stinner
9d01717f37
Issue #20896 , #22935 : The ssl.get_server_certificate() function now uses the
...
ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum
compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is
disabled.
2015-01-06 12:21:26 +01:00
Victor Stinner
0041142785
Issue #22935 : Fix ssl module when SSLv3 protocol is not supported
2014-12-12 12:23:09 +01:00
Benjamin Peterson
7243b574e5
don't require OpenSSL SNI to pass hostname to ssl functions ( #22921 )
...
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Victor Stinner
beeb512fe1
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation.
Patch written by Bernard Spil.
2014-11-28 13:28:25 +01:00
Benjamin Peterson
f9284ae8ed
merge 3.4 ( #22921 )
2014-11-23 17:06:39 -06:00
Benjamin Peterson
1cca273669
merge 3.4 ( #22417 )
2014-11-03 14:36:48 -05:00
Benjamin Peterson
4ffb075271
PEP 476: enable HTTPS certificate verification by default ( #22417 )
...
Patch by Alex Gaynor with some modifications by me.
2014-11-03 14:29:33 -05:00
Berker Peksag
1ed2e69a4a
Issue #22186 : Fix typos in Lib/.
...
Patch by Févry Thibault.
2014-10-19 18:07:05 +03:00
Berker Peksag
f23530f569
Issue #22186 : Fix typos in Lib/.
...
Patch by Févry Thibault.
2014-10-19 18:04:38 +03:00
Antoine Pitrou
a21de3d45e
Issue #22638 : SSLv3 is now disabled throughout the standard library.
...
It can still be enabled by instantiating a SSLContext manually.
2014-10-17 19:28:30 +02:00
Antoine Pitrou
e4eda4d33f
Issue #22638 : SSLv3 is now disabled throughout the standard library.
...
It can still be enabled by instantiating a SSLContext manually.
2014-10-17 19:28:30 +02:00
Antoine Pitrou
3cb9379881
Remove unused "block" argument in SSLObject.do_handshake() (issue #21965 )
2014-10-06 00:21:09 +02:00
Antoine Pitrou
b1fdf47ff5
Issue #21965 : Add support for in-memory SSL to the ssl module.
...
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Benjamin Peterson
8b9cfa1066
merge 3.4 ( #22449 )
2014-10-03 17:33:45 -04:00
Benjamin Peterson
5915b0f924
also use openssl envvars to find certs on windows ( closes #22449 )
...
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
Antoine Pitrou
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
Giampaolo Rodola'
915d14190e
fix issue #17552 : add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'·
2014-06-11 03:54:30 +02:00
Antoine Pitrou
b4bebdafe3
Issue #20951 : SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
...
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
Antoine Pitrou
c695c95626
Issue #19940 : ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
...
Patch by Akira.
2014-04-28 20:57:36 +02:00
Antoine Pitrou
172f025bed
Issue #21068 : The ssl.PROTOCOL* constants are now enum members.
2014-04-18 20:33:08 +02:00
Antoine Pitrou
94a5b663bf
Issue #20896 : ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.
2014-04-16 18:56:28 +02:00
Donald Stufft
6a2ba94908
Issue #21013 : Enhance ssl.create_default_context() for server side contexts
...
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
Donald Stufft
79ccaa2cad
Issue #20995 : Enhance default ciphers used by the ssl module
...
Closes #20995 by Enabling better security by prioritizing ciphers
such that:
* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
reasons
2014-03-21 21:33:34 -04:00
Victor Stinner
7fa767e517
Issue #20976 : pyflakes: Remove unused imports
2014-03-20 09:16:38 +01:00
Antoine Pitrou
e6d2f159fc
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:30:51 +01:00
Antoine Pitrou
3e86ba4e32
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:26:33 +01:00
Christian Heimes
1da3ba8697
Issue #19509 : Don't close the socket in do_handshake() when hostname verification fails.
2013-12-04 20:46:20 +01:00
Christian Heimes
a02c69a73b
add check_hostname arg to ssl._create_stdlib_context()
2013-12-02 20:59:28 +01:00
Christian Heimes
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Christian Heimes
dec813f118
ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME
2013-11-28 08:06:54 +01:00
Christian Heimes
67986f9431
Issue #19735 : Implement private function ssl._create_stdlib_context() to
...
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
2013-11-23 22:43:47 +01:00
Christian Heimes
4c05b472dd
Issue #19689 : Add ssl.create_default_context() factory function. It creates
...
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes
72d28500b3
Issue #19292 : Add SSLContext.load_default_certs() to load default root CA
...
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
Georg Brandl
72c98d3a76
Issue #17997 : Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
...
for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
Georg Brandl
b89b5df9c9
merge with 3.3
2013-10-27 07:46:09 +01:00
Ezio Melotti
9a3777e525
#18705 : merge with 3.3.
2013-08-17 15:53:55 +03:00
Ezio Melotti
30b9d5d3af
#18705 : fix a number of typos. Patch by Févry Thibault.
2013-08-17 15:50:46 +03:00
Antoine Pitrou
60a26e0516
Issue #9177 : Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket.
...
Patch by Senko Rasic.
2013-07-20 19:35:16 +02:00
Brett Cannon
cd171c8e92
Issue #18200 : Back out usage of ModuleNotFoundError (8d28d44f3a9a)
2013-07-04 17:43:24 -04:00
Brett Cannon
0a140668fa
Issue #18200 : Update the stdlib (except tests) to use
...
ModuleNotFoundError.
2013-06-13 20:57:26 -04:00
Christian Heimes
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
Christian Heimes
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
...
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
Antoine Pitrou
636f93c63b
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:56:42 +02:00
Antoine Pitrou
31fb419908
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:59:12 +02:00
Antoine Pitrou
242db728e2
Issue #13721 : SSLSocket.getpeercert() and SSLSocket.do_handshake() now raise an OSError with ENOTCONN, instead of an AttributeError, when the SSLSocket is not connected.
2013-05-01 20:52:07 +02:00
Giampaolo Rodola'
06d0c1e72c
remove uneffective 'while True' clause
2013-04-03 12:01:44 +02:00
Antoine Pitrou
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
Benjamin Peterson
f86b3c394c
merge 3.3 ( #16900 )
2013-01-10 14:16:42 -06:00
Benjamin Peterson
36f7b97787
remove __del__ because it's evil and also prevents the ResourceWarning on the socket from happening ( closes #16900 )
2013-01-10 14:16:20 -06:00
Antoine Pitrou
58ddc9d743
Issue #8109 : The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
...
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
Andrew Svetlov
0832af6628
Issue #16717 : get rid of socket.error, replace with OSError
2012-12-18 23:10:48 +02:00
Antoine Pitrou
73e9bd4d25
Issue #16357 : fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
...
Original patch by Jeff McNeil.
2012-11-11 01:27:33 +01:00
Antoine Pitrou
5c89b4ec55
Issue #16357 : fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
...
Original patch by Jeff McNeil.
2012-11-11 01:25:36 +01:00
Antoine Pitrou
d5d17eb653
Issue #14204 : The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
...
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
Antoine Pitrou
a9bf2ac726
Try to really fix compilation failures of the _ssl module under very old OpenSSLs.
2012-02-17 18:47:54 +01:00
Antoine Pitrou
8f85f907e3
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
Antoine Pitrou
72aeec35a1
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:49:08 +01:00
Antoine Pitrou
0e576f1f50
Issue #13626 : Add support for SSL Diffie-Hellman key exchange, through the
...
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
Antoine Pitrou
501da61671
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
...
(followup to issue #13627 )
2011-12-21 09:27:41 +01:00
Antoine Pitrou
8abdb8abd8
Issue #13634 : Add support for querying and disabling SSL compression.
2011-12-20 10:13:40 +01:00
Antoine Pitrou
923df6f22a
Issue #13627 : Add support for SSL Elliptic Curve-based Diffie-Hellman
...
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
Antoine Pitrou
6db4944cc5
Issue #13635 : Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
...
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
Antoine Pitrou
41032a69c1
Issue #11183 : Add finer-grained exceptions to the ssl module, so that
...
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
Nick Coghlan
513886aabb
Fix #12835 : prevent use of the unencrypted sendmsg/recvmsg APIs on SSL wrapped sockets (Patch by David Watson)
2011-08-28 00:00:27 +10:00
Nick Coghlan
5fab03fd15
Remove the SSLSocket versions of sendmsg/recvmsg due to lack of proper tests and documentation in conjunction with lack of any known use cases (see issue #6560 for details)
2011-08-23 22:26:44 +10:00
Nick Coghlan
96fe56abec
Add support for the send/recvmsg API to the socket module. Patch by David Watson and Heiko Wundram. ( Closes #6560 )
2011-08-22 11:55:57 +10:00
Antoine Pitrou
d649480739
Issue #12551 : Provide a get_channel_binding() method on SSL sockets so as
...
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented). This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.
Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
Antoine Pitrou
7128f95bd2
Issue #12440 : When testing whether some bits in SSLContext.options can be
...
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:49:07 +02:00
Antoine Pitrou
b9ac25d1c3
Issue #12440 : When testing whether some bits in SSLContext.options can be
...
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:47:06 +02:00
Victor Stinner
99c8b16143
Issue #12049 : Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
...
module.
2011-05-24 12:05:19 +02:00
Antoine Pitrou
7a616f2fc5
Issue #12065 : connect_ex() on an SSL socket now returns the original errno
...
when the socket's timeout expires (it used to return None).
2011-05-18 18:52:20 +02:00
Antoine Pitrou
b4410dbea6
Issue #12065 : connect_ex() on an SSL socket now returns the original errno
...
when the socket's timeout expires (it used to return None).
2011-05-18 18:51:06 +02:00
Victor Stinner
17ca323e7c
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00