Commit Graph

147 Commits

Author SHA1 Message Date
Benjamin Peterson b92fd01189 note that sslv3 may not be available 2014-12-06 11:36:32 -05:00
Serhiy Storchaka b757c83ec6 Issue #22581: Use more "bytes-like object" throughout the docs and comments. 2014-12-05 22:25:22 +02:00
Antoine Pitrou 2b207badd6 Fix #22987: update the compatibility matrix for a SSLv23 client. 2014-12-03 20:00:56 +01:00
Benjamin Peterson dbd4bcfcca correct versionchanged version 2014-11-23 20:09:31 -06:00
Benjamin Peterson 7243b574e5 don't require OpenSSL SNI to pass hostname to ssl functions (#22921)
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Georg Brandl b7354a65ce Fixing broken links in doc, part 4: some more breaks and redirects 2014-10-29 10:57:37 +01:00
Antoine Pitrou 4b4ddb2190 Issue #22660: update various mentions in the ssl module documentation. 2014-10-21 00:14:39 +02:00
Victor Stinner cfb2a0a855 Issue #22564: ssl doc: mention asyncio in the non-blocking section 2014-10-10 12:45:10 +02:00
Victor Stinner d28fe8c8f4 Issue #22564: ssl doc: mention how SSLSocket are usually created 2014-10-10 12:07:19 +02:00
Victor Stinner 3c3d3c73f3 Issue #22564: ssl doc: use "class" marker to document the SSLSocket class 2014-10-10 12:06:51 +02:00
Victor Stinner 41f92c2818 Issue #22564: ssl doc: document read(), write(), pending, server_side and
server_hostname methods and attributes of SSLSocket.
2014-10-10 12:05:56 +02:00
Victor Stinner 851a6cc071 Issue #22564: ssl doc: fix typos 2014-10-10 12:04:15 +02:00
Berker Peksag 9c1dba2758 Revert #22251 2014-09-28 00:00:58 +03:00
Berker Peksag 3749404ba5 Issue #22251: Fix ReST markup to avoid errors building docs. 2014-09-27 23:21:35 +03:00
Zachary Ware 88a1977a08 Issue #22072: Fix a couple of SSL doc typos. Patch by Alex Gaynor. 2014-07-25 13:30:50 -05:00
Berker Peksag 38bf87c7f2 Issue #21994: Fix SyntaxError in the SSLContext.check_hostname documentation. 2014-07-17 05:00:36 +03:00
Antoine Pitrou 75e03388d8 Issue #21430: additions to the description of non-blocking SSL sockets 2014-05-18 00:55:13 +02:00
Donald Stufft 4137465bf5 Issue #21043: Remove the recommendation for specific CA organizations
Closes #21043 by updating the documentation to remove specific CA
organizations and update the text to no longer need to tell you to
download root certificates, but instead use the OS certificates
avaialble through SSLContext.load_default_certs.
2014-03-24 19:26:03 -04:00
Donald Stufft 6a2ba94908 Issue #21013: Enhance ssl.create_default_context() for server side contexts
Closes #21013 by modfying ssl.create_default_context() to:

* Move the restricted ciphers to only apply when using
  ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
  is the lack of RC4 in the restricted. However there are servers that exist
  that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
  will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
  of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
  socket the context will prioritize our ciphers which have been carefully
  selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
  that end users can more easily determine if they need to unset
  ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
Antoine Pitrou f8cbbbb652 Issue #20913: make it clear that create_default_context() also enables hostname checking 2014-03-23 16:31:08 +01:00
Antoine Pitrou c5e075ff03 Issue #20913: improve the SSL security considerations to first advocate using create_default_context(). 2014-03-22 18:19:11 +01:00
Donald Stufft 79ccaa2cad Issue #20995: Enhance default ciphers used by the ssl module
Closes #20995 by Enabling better security by prioritizing ciphers
such that:

* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
  compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
  reasons
2014-03-21 21:33:34 -04:00
Larry Hastings 3732ed2414 Merge in all documentation changes since branching 3.4.0rc1. 2014-03-15 21:13:56 -07:00
Antoine Pitrou e6d2f159fc Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:30:51 +01:00
Antoine Pitrou 3e86ba4e32 Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:26:33 +01:00
R David Murray 748bad2cd0 Tidy up ssl whatsnew references, make ssl section formatting consistent.
Also remove some extra blank lines in the ssl doc acctions for tls1.1/1.2,
and reflow a paragraph.
2013-12-20 17:08:39 -05:00
Christian Heimes 1aa9a75fbf Issue #19509: Add SSLContext.check_hostname to match the peer's certificate
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Serhiy Storchaka 0e90e99188 Issue #19795: Improved markup of True/False constants. 2013-11-29 12:19:53 +02:00
Serhiy Storchaka fbc1c26803 Issue #19795: Improved markup of True/False constants. 2013-11-29 12:17:13 +02:00
Antoine Pitrou 5bef410471 Tweak ssl docs 2013-11-23 16:16:29 +01:00
Christian Heimes 4c05b472dd Issue #19689: Add ssl.create_default_context() factory function. It creates
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes 6b2ff98df4 Correct documentation clientAuth -> CLIENT_AUTH 2013-11-23 14:42:01 +01:00
Christian Heimes 72d28500b3 Issue #19292: Add SSLContext.load_default_certs() to load default root CA
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes 2427b50fdd Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes f22e8e5426 Issue #18147: Add missing documentation for SSLContext.get_ca_certs().
Also change the argument name to the same name as getpeercert()
2013-11-22 02:22:51 +01:00
Christian Heimes 44109d7de7 Issue #17134: Finalize interface to Windows' certificate store. Cert and
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes 225877917e Issue #8813: Add SSLContext.verify_flags to change the verification flags
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes bd3a7f90b5 Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
and CRL distribution points.
2013-11-21 03:40:15 +01:00
Christian Heimes efff7060f8 Issue #18138: Implement cadata argument of SSLContext.load_verify_location()
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
Antoine Pitrou 6b2b084192 Issue #19508: direct the user to read the security considerations for the ssl module 2013-11-17 15:36:03 +01:00
Antoine Pitrou 9eefe91fc2 Issue #19508: direct the user to read the security considerations for the ssl module 2013-11-17 15:35:33 +01:00
Christian Heimes 9f09120b83 merge 2013-10-29 22:21:16 +01:00
Christian Heimes 47674bc470 fix language 2013-10-29 22:19:39 +01:00
Christian Heimes ee0bac66b2 Issue #19227 / Issue #18747: Remove pthread_atfork() handler to remove OpenSSL re-seeding
It is causing trouble like e.g. hanging processes.
2013-10-29 21:11:55 +01:00
Christian Heimes 3046fe4c03 Issue #18747: document issue with OpenSSL's CPRNG state and fork 2013-10-29 21:08:56 +01:00
Georg Brandl 72c98d3a76 Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
for security reasons.  It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
Georg Brandl b89b5df9c9 merge with 3.3 2013-10-27 07:46:09 +01:00
Georg Brandl 99b1a12f2f merge with 3.3 2013-10-06 18:20:39 +02:00
Georg Brandl 4a6cf6c9d1 Closes #19177: replace dead link to SSL/TLS introduction with the version from Apache. 2013-10-06 18:20:31 +02:00
Antoine Pitrou 20b85557f2 Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done. 2013-09-29 19:50:53 +02:00