Benjamin Peterson
3e2500d6db
merge 3.4
2015-03-04 23:20:23 -05:00
Benjamin Peterson
c3d9c5ca0a
adjust test_crl_check for trusted first being default
2015-03-04 23:18:48 -05:00
Benjamin Peterson
de8eca4638
merge 3.4
2015-03-04 22:50:25 -05:00
Benjamin Peterson
990fcaac3c
expose X509_V_FLAG_TRUSTED_FIRST
2015-03-04 22:49:41 -05:00
Antoine Pitrou
c481bfb3f6
Issue #23239 : ssl.match_hostname() now supports matching of IP addresses.
2015-02-15 18:12:20 +01:00
Ned Deily
7aa4428835
Issue #23345 : merge from 3.4
2015-02-05 17:24:00 +11:00
Ned Deily
05784a706e
Issue #23345 : Prevent test_ssl failures with large OpenSSL patch level
...
values (like 0.9.8zc).
2015-02-05 17:20:13 +11:00
Benjamin Peterson
8861502e07
prefer server alpn ordering over the client's
2015-01-23 17:30:26 -05:00
Benjamin Peterson
cca2732a82
add support for ALPN ( closes #20188 )
2015-01-23 16:35:37 -05:00
Benjamin Peterson
15042921ad
enable cert validation in test
2015-01-07 22:12:43 -06:00
Benjamin Peterson
23ef9fac16
trying again
2015-01-07 21:21:34 -06:00
Benjamin Peterson
e6838e08ef
reorder cipher prefs
2015-01-07 20:52:40 -06:00
Benjamin Peterson
44c77791ab
drop 256
2015-01-07 20:30:59 -06:00
Benjamin Peterson
359f2982f4
try using AES256
2015-01-07 20:03:27 -06:00
Benjamin Peterson
8791d697e0
fix assertions after ciphers were changed
2015-01-07 14:29:45 -06:00
Benjamin Peterson
f78b78aed4
rc4 is a long time favorite
2015-01-07 14:21:22 -06:00
Benjamin Peterson
438a8db763
everyone should support AES ciphers
2015-01-07 13:28:40 -06:00
Benjamin Peterson
9f6eceab46
include some more ciphers
2015-01-07 12:59:20 -06:00
Benjamin Peterson
aacd524118
force test server to speak tlsv1
2015-01-07 11:42:38 -06:00
Benjamin Peterson
e27a421354
remove apparently wrong assertion about des bit size
2015-01-07 11:33:51 -06:00
Benjamin Peterson
4cb17812d9
expose the client's cipher suites from the handshake ( closes #23186 )
2015-01-07 11:14:26 -06:00
Victor Stinner
fcfed19913
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
Victor Stinner
789b805700
test_ssl: add more debug to investigate test_openssl_version() failure on
...
OpenBSD with LibreSSL.
2015-01-06 11:51:06 +01:00
Victor Stinner
3f7e064b2b
Issue #22935 : Fix test_ssl when the SSLv3 protocol is not supported
2014-12-12 12:27:08 +01:00
Benjamin Peterson
e32467cf6a
allow ssl module to compile if openssl doesn't support SSL 3 ( closes #22935 )
...
Patch by Kurt Roeckx.
2014-12-05 21:59:35 -05:00
Benjamin Peterson
7243b574e5
don't require OpenSSL SNI to pass hostname to ssl functions ( #22921 )
...
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Victor Stinner
648b862017
Issue #22935 : Fix test_ssl when the SSLv3 protocol is not supported
2014-12-12 12:23:59 +01:00
Benjamin Peterson
22293df016
merge 3.4 ( #22935 )
2014-12-05 22:11:33 -05:00
Victor Stinner
beeb512fe1
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation.
Patch written by Bernard Spil.
2014-11-28 13:28:25 +01:00
Benjamin Peterson
f9284ae8ed
merge 3.4 ( #22921 )
2014-11-23 17:06:39 -06:00
Benjamin Peterson
98e1b9158c
merge 3.4
2014-11-03 21:06:07 -05:00
Benjamin Peterson
1ea070e561
test that keyfile can be None
2014-11-03 21:05:01 -05:00
Benjamin Peterson
1cca273669
merge 3.4 ( #22417 )
2014-11-03 14:36:48 -05:00
Benjamin Peterson
4ffb075271
PEP 476: enable HTTPS certificate verification by default ( #22417 )
...
Patch by Alex Gaynor with some modifications by me.
2014-11-03 14:29:33 -05:00
Antoine Pitrou
b1fdf47ff5
Issue #21965 : Add support for in-memory SSL to the ssl module.
...
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Benjamin Peterson
91b62c4a8a
merge 3.4
2014-10-03 18:17:30 -04:00
Benjamin Peterson
91244e01bb
separate cert loading tests into Windows and non-Windows cases
2014-10-03 18:17:15 -04:00
Benjamin Peterson
8b9cfa1066
merge 3.4 ( #22449 )
2014-10-03 17:33:45 -04:00
Benjamin Peterson
5915b0f924
also use openssl envvars to find certs on windows ( closes #22449 )
...
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
Antoine Pitrou
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
Charles-François Natali
6e20460dc6
Issue #21566 : Make use of socket.listen() default backlog.
2014-07-23 19:28:13 +01:00
Antoine Pitrou
26408df88f
Issue #21976 : Fix test_ssl to accept LibreSSL version strings.
...
Thanks to William Orr.
2014-07-21 18:37:36 -04:00
Antoine Pitrou
dfab935c74
Issue #21976 : Fix test_ssl to accept LibreSSL version strings.
...
Thanks to William Orr.
2014-07-21 18:35:01 -04:00
Giampaolo Rodola'
915d14190e
fix issue #17552 : add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'·
2014-06-11 03:54:30 +02:00
Antoine Pitrou
b4bebdafe3
Issue #20951 : SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
...
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
Antoine Pitrou
c695c95626
Issue #19940 : ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
...
Patch by Akira.
2014-04-28 20:57:36 +02:00
Antoine Pitrou
172f025bed
Issue #21068 : The ssl.PROTOCOL* constants are now enum members.
2014-04-18 20:33:08 +02:00
Antoine Pitrou
c043061667
Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015
2014-04-16 18:33:39 +02:00
Antoine Pitrou
94a5b663bf
Issue #20896 : ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.
2014-04-16 18:56:28 +02:00
Donald Stufft
6a2ba94908
Issue #21013 : Enhance ssl.create_default_context() for server side contexts
...
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00