ef4bb1e994
Issue #23804 : Merge SSL zero read fix from 3.5
2016-03-28 01:09:13 +00:00
f6b1d66a3c
Issue #23804 : Fix SSL recv/read(0) to not return 1024 bytes
2016-03-28 00:22:09 +00:00
afd465d497
Issue #26644 : Merge SSL negative read fix from 3.5
2016-03-27 10:40:22 +00:00
5503d4731e
Issue #26644 : Raise ValueError for negative SSLSocket.recv() and read()
2016-03-27 05:35:19 +00:00
3840b2ac67
Issue #25940 : Use internal local server more in test_ssl
...
Move many tests from NetworkedTests and NetworkedBIOTests to a new Simple-
BackgroundTests class, using the existing ThreadedEchoServer and SIGNED_
CERTFILE infrastructure.
For tests that cause the server to crash by rejecting its certificate,
separate them into independent test methods.
Added custom root certificate to capath with the following commands:
cp Lib/test/{pycacert.pem,capath/}
# Edit copy to remove part before certificate
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{pycacert.pem,b1930218.0}
mv Lib/test/capath/{pycacert.pem,ceff1710.0}
Change to pure PEM version of SIGNING_CA because PEM_cert_to_DER_cert() does
not like the extra text at the start.
Moved test_connect_ex_error() into BasicSocketTests and rewrote it to connect
to a reserved localhost port.
NetworkedTests.test_get_server_certificate_ipv6() split out because it needs
to connect to an IPv6 DNS address.
The only reference left to self-signed.pythontest.net is test_timeout_
connect_ex(), which needs a remote server to reliably time out the
connection, but does not rely on the server running SSL.
Made ThreadedEchoServer call unwrap() by default when it sees the client has
shut the connection down, so that the client can cleanly call unwrap().
2016-03-27 01:53:46 +00:00
e0b75b7e87
Fix test_ssl.test_refcycle()
...
Issue #26590 : support.check_warnings() stores warnins, but ResourceWarning now
comes with a reference to the socket object which indirectly keeps the socket
alive.
2016-03-21 17:26:04 +01:00
3464ea2807
Issue #26173 : Separate bad cert file tests and client rejection test
...
Test test_wrong_cert() runs a server that rejects the client's certificate,
so ECONNRESET is reasonable in addition to SSLError. On the other hand, the
other three tests don't even need to run a server because they are just
testing the parsing of invalid certificate files.
Also fix a ResourceWarning by closing the wrapped socket.
2016-02-01 21:58:11 +00:00
407b62f3e5
Issue #26173 : Fix test_ssl confusion with non-existing cert and wrongcert.pem
...
Testing for a non-existing certificate file is already done in test_errors().
Copy wrongcert.pem from Python 2 and use it to test the behaviour with a
mismatched certificate.
2016-01-30 03:41:43 +00:00
a8b43b5fc3
Issue #25940 : Merge ETIMEDOUT fix from 3.4 into 3.5
2016-01-15 02:28:59 +00:00
3f2240ccb6
Issue #25940 : Merge ETIMEDOUT fix from 3.3 into 3.4
2016-01-15 02:18:31 +00:00
fab75d9bb9
Issue #25940 : Merge ETIMEDOUT fix from 3.2 into 3.3
2016-01-15 02:08:13 +00:00
035583b389
Issue #25940 : On Windows, connecting to port 444 returns ETIMEDOUT
2016-01-15 01:16:41 +00:00
40b97ec57a
Issue #25940 : Update new SSL tests for self-signed.pythontest.net
...
Removed SSL_ERROR_SYSCALL checking from ssl_io_loop() so that the loop can
terminate when unwrap() raises that error.
2016-01-14 13:05:46 +00:00
17cbee49d6
Issue #25940 : Merge self-signed.pythontest.net testing from 3.4 into 3.5
2016-01-14 13:22:29 +00:00
b55f8b79af
Issue #25940 : Update new SSL tests for self-signed.pythontest.net
2016-01-14 12:53:56 +00:00
514bb0711f
Issue #25940 : Merge self-signed.pythontest.net testing from 3.3 into 3.4
2016-01-14 12:46:49 +00:00
73f55076f6
Issue #25940 : Merge self-signed.pythontest.net testing from 3.2 into 3.3
2016-01-14 12:21:02 +00:00
3d81d93f34
Issue #25940 : Use self-signed.pythontest.net in SSL tests
...
This is instead of svn.python.org, whose certificate recently expired, and
whose new certificate uses a different root certificate.
The certificate used at the pythontest server was modifed to set the "basic
constraints" CA flag. This flag seems to be required for test_get_ca_certs_
capath() to work (in Python 3.4+).
Added the new self-signed certificate to capath with the following commands:
cp Lib/test/{selfsigned_pythontestdotnet.pem,capath/}
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{selfsigned_pythontestdotnet.pem,0e4015b9.0}
mv Lib/test/capath/{selfsigned_pythontestdotnet.pem,ce7b8643.0}
The new server responds with "No route to host" when connecting to port 444.
2016-01-14 09:36:00 +00:00
45bde5d2ee
merge 3.4 ( #25530 )
2015-11-11 22:45:22 -08:00
a9dcdabccb
always set OP_NO_SSLv3 by default ( closes #25530 )
2015-11-11 22:38:41 -08:00
9e7990ae21
Issue #24210 : Silence more PendingDeprecationWarning warnings in tests.
2015-05-16 23:21:26 +03:00
4b9df0d33b
merge 3.4 ( #23844 )
2015-04-02 00:08:10 -04:00
a7eaf56a6d
replace 512 bit dh key with a 2014 bit one ( closes #23844 )
...
Patch by Cédric Krier.
2015-04-02 00:04:06 -04:00
8490f5acfe
Issue #23001 : Few functions in modules mmap, ossaudiodev, socket, ssl, and
...
codecs, that accepted only read-only bytes-like object now accept writable
bytes-like object too.
2015-03-20 09:00:36 +02:00
18987a11ce
Issue #20617 : Remove unused import in test_ssl.
...
Patch by Mark Lawrence.
2015-03-12 18:50:49 +02:00
4a0e14730b
Issue #20617 : Remove unused import in test_ssl.
...
Patch by Mark Lawrence.
2015-03-12 18:51:16 +02:00
3e2500d6db
merge 3.4
2015-03-04 23:20:23 -05:00
c3d9c5ca0a
adjust test_crl_check for trusted first being default
2015-03-04 23:18:48 -05:00
de8eca4638
merge 3.4
2015-03-04 22:50:25 -05:00
990fcaac3c
expose X509_V_FLAG_TRUSTED_FIRST
2015-03-04 22:49:41 -05:00
c481bfb3f6
Issue #23239 : ssl.match_hostname() now supports matching of IP addresses.
2015-02-15 18:12:20 +01:00
7aa4428835
Issue #23345 : merge from 3.4
2015-02-05 17:24:00 +11:00
05784a706e
Issue #23345 : Prevent test_ssl failures with large OpenSSL patch level
...
values (like 0.9.8zc).
2015-02-05 17:20:13 +11:00
8861502e07
prefer server alpn ordering over the client's
2015-01-23 17:30:26 -05:00
cca2732a82
add support for ALPN ( closes #20188 )
2015-01-23 16:35:37 -05:00
15042921ad
enable cert validation in test
2015-01-07 22:12:43 -06:00
23ef9fac16
trying again
2015-01-07 21:21:34 -06:00
e6838e08ef
reorder cipher prefs
2015-01-07 20:52:40 -06:00
44c77791ab
drop 256
2015-01-07 20:30:59 -06:00
359f2982f4
try using AES256
2015-01-07 20:03:27 -06:00
8791d697e0
fix assertions after ciphers were changed
2015-01-07 14:29:45 -06:00
f78b78aed4
rc4 is a long time favorite
2015-01-07 14:21:22 -06:00
438a8db763
everyone should support AES ciphers
2015-01-07 13:28:40 -06:00
9f6eceab46
include some more ciphers
2015-01-07 12:59:20 -06:00
aacd524118
force test server to speak tlsv1
2015-01-07 11:42:38 -06:00
e27a421354
remove apparently wrong assertion about des bit size
2015-01-07 11:33:51 -06:00
4cb17812d9
expose the client's cipher suites from the handshake ( closes #23186 )
2015-01-07 11:14:26 -06:00
fcfed19913
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
789b805700
test_ssl: add more debug to investigate test_openssl_version() failure on
...
OpenBSD with LibreSSL.
2015-01-06 11:51:06 +01:00
3f7e064b2b
Issue #22935 : Fix test_ssl when the SSLv3 protocol is not supported
2014-12-12 12:27:08 +01:00
e32467cf6a
allow ssl module to compile if openssl doesn't support SSL 3 ( closes #22935 )
...
Patch by Kurt Roeckx.
2014-12-05 21:59:35 -05:00
7243b574e5
don't require OpenSSL SNI to pass hostname to ssl functions ( #22921 )
...
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
648b862017
Issue #22935 : Fix test_ssl when the SSLv3 protocol is not supported
2014-12-12 12:23:59 +01:00
22293df016
merge 3.4 ( #22935 )
2014-12-05 22:11:33 -05:00
beeb512fe1
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation.
Patch written by Bernard Spil.
2014-11-28 13:28:25 +01:00
f9284ae8ed
merge 3.4 ( #22921 )
2014-11-23 17:06:39 -06:00
98e1b9158c
merge 3.4
2014-11-03 21:06:07 -05:00
1ea070e561
test that keyfile can be None
2014-11-03 21:05:01 -05:00
1cca273669
merge 3.4 ( #22417 )
2014-11-03 14:36:48 -05:00
4ffb075271
PEP 476: enable HTTPS certificate verification by default ( #22417 )
...
Patch by Alex Gaynor with some modifications by me.
2014-11-03 14:29:33 -05:00
b1fdf47ff5
Issue #21965 : Add support for in-memory SSL to the ssl module.
...
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
91b62c4a8a
merge 3.4
2014-10-03 18:17:30 -04:00
91244e01bb
separate cert loading tests into Windows and non-Windows cases
2014-10-03 18:17:15 -04:00
8b9cfa1066
merge 3.4 ( #22449 )
2014-10-03 17:33:45 -04:00
5915b0f924
also use openssl envvars to find certs on windows ( closes #22449 )
...
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
6e20460dc6
Issue #21566 : Make use of socket.listen() default backlog.
2014-07-23 19:28:13 +01:00
26408df88f
Issue #21976 : Fix test_ssl to accept LibreSSL version strings.
...
Thanks to William Orr.
2014-07-21 18:37:36 -04:00
dfab935c74
Issue #21976 : Fix test_ssl to accept LibreSSL version strings.
...
Thanks to William Orr.
2014-07-21 18:35:01 -04:00
915d14190e
fix issue #17552 : add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'·
2014-06-11 03:54:30 +02:00
b4bebdafe3
Issue #20951 : SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
...
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
c695c95626
Issue #19940 : ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
...
Patch by Akira.
2014-04-28 20:57:36 +02:00
172f025bed
Issue #21068 : The ssl.PROTOCOL* constants are now enum members.
2014-04-18 20:33:08 +02:00
c043061667
Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015
2014-04-16 18:33:39 +02:00
94a5b663bf
Issue #20896 : ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.
2014-04-16 18:56:28 +02:00
6a2ba94908
Issue #21013 : Enhance ssl.create_default_context() for server side contexts
...
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
0bebbc33fa
Issue #21015 : SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
...
(should also fix a buildbot failure introduced by #20995 )
2014-03-22 18:13:50 +01:00
10b93cc29c
merge 3.3 ( #20896 )
2014-03-12 18:10:57 -05:00
d0fc83d5eb
merge 3.2 ( #20896 )
2014-03-12 18:10:47 -05:00
cf25c5caae
use ssl.PROTOCOL_SSLv23 for maximum compatibility ( closes #20896 )
2014-03-12 18:05:53 -05:00
ba44860c11
Try to fix test_ssl failures on some buildbots
2014-01-09 21:30:17 +01:00
32c4915b23
Try to fix test_ssl failures on some buildbots
2014-01-09 21:28:48 +01:00
78ace81c93
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:09:03 +01:00
cd3d7cabef
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:02:20 +01:00
3e86ba4e32
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:26:33 +01:00
e6d2f159fc
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:30:51 +01:00
36e96b8716
(Merge 3.3) Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now
...
raise a ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:25 +01:00
1e81a399a2
Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a
...
ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:04 +01:00
bd9cbb0691
Issue #19919 : Fix flacky SSL test. connect_ex() sometimes returns
...
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:16:45 +01:00
de57074874
Issue #19919 : Fix flacky SSL test. connect_ex() sometimes returns
...
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:15:44 +01:00
575596e19a
test_ssl: skip tests when SNI is not available
2013-12-15 21:49:17 +01:00
8e7f394282
Test SSLSock's context getter and setter
2013-12-05 07:41:08 +01:00
a02c69a73b
add check_hostname arg to ssl._create_stdlib_context()
2013-12-02 20:59:28 +01:00
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
67986f9431
Issue #19735 : Implement private function ssl._create_stdlib_context() to
...
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
2013-11-23 22:43:47 +01:00
4c05b472dd
Issue #19689 : Add ssl.create_default_context() factory function. It creates
...
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
72d28500b3
Issue #19292 : Add SSLContext.load_default_certs() to load default root CA
...
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
5398e1a56e
Issue #19448 : report name / NID in exception message of ASN1Object
2013-11-22 16:20:53 +01:00
c2d65e1e93
Issue #17134 : check certs of CA and ROOT system store
2013-11-22 16:13:55 +01:00
32f0c7a67b
or VERIFY_CRL_CHECK_LEAF to verify_flags
2013-11-22 03:43:48 +01:00
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
d6dc952e17
one CERT_REQUIRED is enough
2013-11-22 00:39:38 +01:00
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
ec3c103520
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
``uniformResourceIdentifier`` (URI).
2014-09-30 14:04:51 +02:00
72c98d3a76
Issue #17997 : Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
...
for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
b89b5df9c9
merge with 3.3
2013-10-27 07:46:09 +01:00
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
2769d44827
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:50 +02:00
157c9834b4
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:41 +02:00
6acbe2aaa3
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:34 +02:00
f77b4b20e9
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
e06d47c70c
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00
824f7f366d
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
2894073e1a
test_ssl: use a bytestring here
2013-07-20 19:36:15 +02:00
60a26e0516
Issue #9177 : Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket.
...
Patch by Senko Rasic.
2013-07-20 19:35:16 +02:00
9a5395ae2b
Issue #18147 : Add diagnostic functions to ssl.SSLContext().
...
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
9424bb4aea
Issue #18207 : Fix test_ssl for some versions of OpenSSL that ignore seconds
...
in ASN1_TIME fields.
2013-06-17 15:32:57 +02:00
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
...
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
86d53cadda
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:56:42 +02:00
636f93c63b
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:56:42 +02:00
31fb419908
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:59:12 +02:00
242db728e2
Issue #13721 : SSLSocket.getpeercert() and SSLSocket.do_handshake() now raise an OSError with ENOTCONN, instead of an AttributeError, when the SSLSocket is not connected.
2013-05-01 20:52:07 +02:00
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
...
Patch by Kazuhiro Yoshida.
(originally issue #8109 )
2013-04-11 20:48:42 +02:00
609ef01b02
In search of TLS 1.1 bug: add debugging output in verbose mode
2013-03-29 18:09:06 +01:00
972d5bb763
Use a subtest in test_ssl.test_echo
2013-03-29 17:56:03 +01:00
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
6386e17f39
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:48:15 +01:00
ad246bfb71
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:44:22 +01:00
7b39b9b51b
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:31:21 +01:00
da23259f99
Issue #17107 : Test client-side SNI support in urllib.request thanks to the new server-side SNI support in the ssl module.
...
Initial patch by Daniel Black.
2013-02-05 21:20:51 +01:00
6b4e2a9c02
In test_ssl, threaded tests shouldn't need the network resource to be enabled
2013-01-12 22:00:54 +01:00
db5012ab47
In test_ssl, threaded tests shouldn't need the "network" resource to be enabled
2013-01-12 22:00:09 +01:00
e9bb4733d9
Issue #16923 : Fix ResourceWarnings in test_ssl.
2013-01-12 21:56:56 +01:00
e1ceb50cdf
Issue #16923 : Fix ResourceWarnings in test_ssl.
2013-01-12 21:54:44 +01:00
f86b3c394c
merge 3.3 ( #16900 )
2013-01-10 14:16:42 -06:00
36f7b97787
remove __del__ because it's evil and also prevents the ResourceWarning on the socket from happening ( closes #16900 )
2013-01-10 14:16:20 -06:00
58ddc9d743
Issue #8109 : The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
...
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
49f7e58778
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:09:41 +01:00
6464b84b3e
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:08:49 +01:00
ddb87ab1b4
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:07:43 +01:00
40f12ab0c5
Backport Python 3.2 fix for issue #12065 , and add another test for SSLSocket.connect_ex().
2012-12-28 19:03:43 +01:00
f7a17b48d7
Replace IOError with OSError ( #16715 )
2012-12-25 16:47:37 +02:00
0832af6628
Issue #16717 : get rid of socket.error, replace with OSError
2012-12-18 23:10:48 +02:00
73e9bd4d25
Issue #16357 : fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
...
Original patch by Jeff McNeil.
2012-11-11 01:27:33 +01:00
5c89b4ec55
Issue #16357 : fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
...
Original patch by Jeff McNeil.
2012-11-11 01:25:36 +01:00
b7a2800831
MERGE: Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:08:48 +02:00
c8754a13e6
Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:00:58 +02:00
a8a5b397c1
Closes #15793 : Stack corruption in ssl.RAND_egd(). Python 2.7 hasn't any issue about this, but add a test just to be sure
2012-09-11 01:55:04 +02:00
3b36fb1f53
Issue #14837 : SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
...
The str() of a SSLError is also enhanced accordingly.
NOTE: this commit creates a reference leak. The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type. The leak is on the
type object when it is instantiated:
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
c642f67c63
Skip test_algorithms (known remote hosts need SNI, which is only available on 3.2+)
2012-05-04 16:33:30 +02:00
f340c21ca9
Fix test connecting to sha256.tbs-internet.com.
...
The certificate has changed and the test now needs SNI to pass.
2012-05-04 16:26:56 +02:00
16f6f8338b
Fix test connecting to sha256.tbs-internet.com.
...
The certificate has changed and the test now needs SNI to pass.
2012-05-04 16:26:02 +02:00
d5d17eb653
Issue #14204 : The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
...
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
c135fa424e
Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay.
2012-02-19 21:22:39 +01:00
ce816a5111
Issue #13895 : fix test_ssl hanging under Ubuntu
2012-01-28 17:40:23 +01:00
eba63c4203
Issue #13895 : fix test_ssl hanging under Ubuntu
2012-01-28 17:38:34 +01:00
6636887104
Fix intermittent test_ssl failure.
2012-01-27 17:34:56 +01:00
eced82ecbf
Fix intermittent test_ssl failure.
2012-01-27 17:33:01 +01:00
7a556846d4
Fix intermittent test_ssl failure.
2012-01-27 17:33:01 +01:00
d76088d972
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
8f85f907e3
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
65a3f4b8c5
Use context managers in test_ssl to simplify test writing.
2011-12-21 16:52:40 +01:00
5b95eb90a7
Use context managers in test_ssl to simplify test writing.
2011-12-21 16:52:40 +01:00
72aeec35a1
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:49:08 +01:00
0e576f1f50
Issue #13626 : Add support for SSL Diffie-Hellman key exchange, through the
...
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
6b15c90fd8
Use context managers in test_ssl to simplify test writing.
2011-12-21 16:54:45 +01:00
501da61671
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
...
(followup to issue #13627 )
2011-12-21 09:27:41 +01:00
8691bff6db
Fix for buggy test
2011-12-20 10:47:42 +01:00
8abdb8abd8
Issue #13634 : Add support for querying and disabling SSL compression.
2011-12-20 10:13:40 +01:00
923df6f22a
Issue #13627 : Add support for SSL Elliptic Curve-based Diffie-Hellman
...
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
6db4944cc5
Issue #13635 : Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
...
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
cf9943de97
Backout redundant changeset 1de4d92cd6a4
2011-10-31 20:23:00 +01:00
39aec0171d
test_protocol_sslv2(): Skip this test if ssl.PROTOCOL_SSLv2 is not
...
defined (as is the case with Ubuntu 11.10).
2011-10-31 14:08:15 -04:00
6361ea2b07
Remove unstable SSL tests in the absence of ssl.OP_NO_{SSLv2,SSLv3,TLSv1}
2011-10-30 21:31:34 +01:00
be83698f21
- Issue #13218 : Fix test_ssl failures on Debian/Ubuntu.
2011-10-28 16:14:44 -04:00
c21a81bf76
- Issue #13218 : Fix test_ssl failures on Debian/Ubuntu.
2011-10-28 17:08:12 -04:00
46ae0efce1
- Issue #13218 : Fix test_ssl failures on Debian/Ubuntu.
2011-10-28 16:52:17 -04:00
41032a69c1
Issue #11183 : Add finer-grained exceptions to the ssl module, so that
...
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
f06eb46918
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:30:58 +02:00
a02a12c517
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:22:30 +02:00
d8c347a8de
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:20:25 +02:00
513886aabb
Fix #12835 : prevent use of the unencrypted sendmsg/recvmsg APIs on SSL wrapped sockets (Patch by David Watson)
2011-08-28 00:00:27 +10:00
4fd1e6a3ba
Issue #12803 : SSLContext.load_cert_chain() now accepts a password argument
...
to be used if the private key is encrypted. Patch by Adam Simpkins.
2011-08-25 14:39:44 +02:00
5fab03fd15
Remove the SSLSocket versions of sendmsg/recvmsg due to lack of proper tests and documentation in conjunction with lack of any known use cases (see issue #6560 for details)
2011-08-23 22:26:44 +10:00
96fe56abec
Add support for the send/recvmsg API to the socket module. Patch by David Watson and Heiko Wundram. ( Closes #6560 )
2011-08-22 11:55:57 +10:00
d649480739
Issue #12551 : Provide a get_channel_binding() method on SSL sockets so as
...
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented). This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.
Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
7128f95bd2
Issue #12440 : When testing whether some bits in SSLContext.options can be
...
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:49:07 +02:00
b9ac25d1c3
Issue #12440 : When testing whether some bits in SSLContext.options can be
...
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:47:06 +02:00
2e2baa9208
Issue #12049 : test_ssl now checks also that RAND_bytes() raises an error if
...
there is not enough entropy.
2011-05-25 11:15:16 +02:00
99c8b16143
Issue #12049 : Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
...
module.
2011-05-24 12:05:19 +02:00
2e7f39e889
Issue #12012 : test_ssl uses test_support.import_module()
...
Skip the whole file if the SSL module is missing. It was already the case,
except that the SkipTest exception was raised in test_main().
This commit fixes an error in test_ssl if the ssl module is missing.
2011-05-22 13:22:28 +02:00
7a616f2fc5
Issue #12065 : connect_ex() on an SSL socket now returns the original errno
...
when the socket's timeout expires (it used to return None).
2011-05-18 18:52:20 +02:00
b4410dbea6
Issue #12065 : connect_ex() on an SSL socket now returns the original errno
...
when the socket's timeout expires (it used to return None).
2011-05-18 18:51:06 +02:00
b1241f9619
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 01:52:03 +02:00
17ca323e7c
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00
Martin Panter
Victor Stinner
Martin Panter
Benjamin Peterson
Berker Peksag
Serhiy Storchaka
Antoine Pitrou
Ned Deily
Charles-François Natali
Giampaolo Rodola'
Donald Stufft
Christian Heimes
Georg Brandl
Nadeem Vawda
Andrew Svetlov
Jesus Cea
Barry Warsaw
Nick Coghlan
Victor Stinner