Commit Graph

291 Commits

Author SHA1 Message Date
Christian Heimes 61d478c71c
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP

The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.

* Remove match_hostname calls
* Check for libssl with set1_host; libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standards-conformant.
* Add hostname_checks_common_name

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-27 15:51:38 +01:00
Sanyam Khurana 338cd83c5d bpo-25910: Link redirections in docs (#1933)
Fixes some redirection links in docs.
2018-01-20 01:25:37 +01:00
jimmy 4f29f3c84b trivial: link updates in documentation (#2765) 2017-12-13 14:37:51 +02:00
Sanyam Khurana 1b4587a246 bpo-25910: Fixes redirection from http to https (#4674) 2017-12-06 17:39:33 +01:00
Mandeep Singh ede2ac913e bpo-23033: Improve SSL Certificate handling (GH-937)
A wildcard is now supported in the hostname when it is the one and only character in
the leftmost segment.
2017-11-26 14:31:27 -08:00
Felipe 19e4d9346d bpo-31533: fix broken link to OpenSSL docs (#3674) 2017-09-20 20:20:18 +02:00
Christian Heimes e82c034496 bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED (#3531)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:29:57 +02:00
Christian Heimes 4df60f18c6 bpo-31386: Custom wrap_bio and wrap_socket type (#3426)
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and
SSLSocket as return types. In the light of future deprecation of
ssl.wrap_socket() module function and direct instantiation of SSLSocket,
it is desirable to make the return type of SSLSocket.wrap_bio() and
SSLSocket.wrap_socket() customizable.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:26:05 +02:00
Christian Heimes b3ad0e5127 bpo-28182: Expose OpenSSL verification results (#3412)
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.

Original patch by Chi Hsuan Yen

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-08 12:00:19 -07:00
Christian Heimes cb5b68abde bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
* bpo-29136: Add TLS 1.3 support

TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.

Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 18:07:00 -07:00
Christian Heimes ad0ffa033e bpo-21649: Add RFC 7525 and Mozilla server side TLS (#3387)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-06 16:19:56 -07:00
Christian Heimes 7b40cb7293 bpo-30714: ALPN changes for OpenSSL 1.1.0f (#2305)
OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
callback can pretend to not have been set.

See https://github.com/openssl/openssl/pull/3158 for more details

Signed-off-by: Christian Heimes <christian@python.org>
2017-08-15 10:33:43 +02:00
Benjamin Peterson fdfca5f0ff remove extra word (#2101) 2017-06-11 00:24:38 -07:00
Benjamin Peterson dc1da9adc3 clarify recv() and send() on SSLObject (#2100)
SSLObject has recv() and send(), but they don't do any network io.
2017-06-11 00:15:14 -07:00
Chandan Kumar 63c2c8ac17 bpo-19180: Updated references for RFC 1750, RFC 3280 & RFC 4366 (GH-148)
* RFC 1750 has been obsoleted by RFC 4086.
* RFC 3280 has been obsoleted by RFC 5280.
* RFC 4366 has been obsoleted by RFC 6066.
2017-06-09 19:43:58 +10:00
Nathaniel J. Smith d4069de511 Clean up some confusing text left by PROTOCOL_SSLv23 -> PROTOCOL_TLS transition (#1355) 2017-05-01 22:43:31 -07:00
Marco Buttu 7b2491a6aa bpo-27200: Fix pathlib, ssl, turtle and weakref doctests (GH-616) 2017-04-13 17:17:59 +03:00
Alex Gaynor 275104e86b In SSL module version examples, don't use a legacy version. (#381) 2017-03-02 11:23:19 +01:00
Alex Gaynor 1cf2a809b1 Fixed a handful of typos (GH-343) 2017-02-28 19:26:56 -08:00
Berker Peksag d93c4de522 Fix usage of data directive 2017-02-06 13:37:19 +03:00
Serhiy Storchaka 7d6dda4b78 Issue #19795: Improved more markups of True/False. 2016-10-19 18:36:51 +03:00
Serhiy Storchaka 4adf01caae Issue #19795: Improved more markups of True/False. 2016-10-19 18:30:05 +03:00
Serhiy Storchaka 989db5c880 Issue #19795: Mark up None as literal text. 2016-10-19 16:37:13 +03:00
Serhiy Storchaka ecf41da83e Issue #19795: Mark up None as literal text. 2016-10-19 16:29:26 +03:00
Christian Heimes ed9c0706cf Explain why PROTOCOL_SSLv23 does not support SSLv2 and SSLv3 by default. 2016-09-13 13:27:26 +02:00
Christian Heimes 17352fff92 Explain why PROTOCOL_SSLv23 does not support SSLv2 and SSLv3 by default. 2016-09-13 12:09:55 +02:00
Christian Heimes c4d2e500a9 Update whatsnew with my contributions 2016-09-12 01:14:35 +02:00
Christian Heimes 5fe668c672 Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext 2016-09-12 00:01:11 +02:00
Christian Heimes 99a6570295 Issue #19500: Add client-side SSL session resumption to the ssl module. 2016-09-10 23:44:53 +02:00
Christian Heimes d04863771b Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.
The deprecation includes manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.

ssl.wrap_socket() is not marked as deprecated yet.
2016-09-10 23:23:33 +02:00
Christian Heimes 358cfd426c Issue 28043: SSLContext has improved default settings
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and no MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes 3aeacad561 Issue #28025: Convert all ssl module constants to IntEnum and IntFlags. 2016-09-10 00:19:35 +02:00
Christian Heimes 03d13c0cbf Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. 2016-09-06 20:06:47 +02:00
Christian Heimes 598894ff48 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:19:05 +02:00
Christian Heimes ac041c0aa7 Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. 2016-09-06 20:07:58 +02:00
Christian Heimes 25bfcd5d9e Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers. 2016-09-06 00:04:45 +02:00
Christian Heimes 01113faef9 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:23:24 +02:00
Terry Jan Reedy fa089b9b0b Issue #22558: Add remaining doc links to source code for Python-coded modules.
Reformat header above separator line (added if missing) to a common format.
Patch by Yoni Lavi.
2016-06-11 15:02:54 -04:00
Serhiy Storchaka dba903993a Issue #23921: Standardized documentation whitespace formatting.
Original patch by James Edwards.
2016-05-10 12:01:23 +03:00
Serhiy Storchaka 6dff0205b7 Issue #26736: Used HTTPS for external links in the documentation if possible. 2016-05-07 10:49:07 +03:00
Martin Panter f6b1d66a3c Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes 2016-03-28 00:22:09 +00:00
Georg Brandl 5d94134040 Closes #25910: fix dead and permanently redirected links in the docs. Thanks to SilentGhost for the patch. 2016-02-26 19:37:12 +01:00
Georg Brandl 8c16cb9f65 Closes #26435: fix syntax in directives. Thanks to Jakub Stasiak. 2016-02-25 20:17:45 +01:00
Serhiy Storchaka 4981dd2cb8 Fixed merging error in 3ebeeed1eb28.
Thanks Марк Коренберг.
2015-11-06 11:19:42 +02:00
Martin Panter 4827e488a4 Merge spelling fixes from 3.4 into 3.5 2015-10-31 12:16:18 +00:00
Martin Panter 1f1177d69a Fix some spelling errors in documentation and code comments 2015-10-31 11:48:53 +00:00
Berker Peksag fee05daef8 Issue #24232: Fix typos. Patch by Ville Skyttä. 2015-05-19 01:38:05 +03:00
Berker Peksag 315e104d11 Issue #24232: Fix typos. Patch by Ville Skyttä. 2015-05-19 01:36:55 +03:00
Antoine Pitrou b9f2ab9eae Fix duplicate doc entry for SSLContext.get_ca_certs()
(closes #18147)
2015-04-13 21:06:51 +02:00
Antoine Pitrou 97aa953550 Fix duplicate doc entry for SSLContext.get_ca_certs()
(closes #18147)
2015-04-13 21:06:15 +02:00
Benjamin Peterson 1c69c3e3d8 use imperative 2015-04-11 07:42:42 -04:00
Berker Peksag eb7a97c48e Issue #23025: Add a mention of os.urandom to RAND_bytes and RAND_pseudo_bytes docs.
Patch by Alex Gaynor.
2015-04-10 16:19:13 +03:00
Benjamin Peterson 339e3f33b6 merge 3.4 2015-04-11 07:44:45 -04:00
Serhiy Storchaka 2ce11d296c Null merge 2015-04-10 16:22:14 +03:00
Berker Peksag a7b9a1f4df Issue #23025: Add a mention of os.urandom to RAND_bytes and RAND_pseudo_bytes docs.
Patch by Alex Gaynor.
2015-04-10 16:19:44 +03:00
Benjamin Peterson f1c5dea3c2 merge 3.4 2015-04-08 11:11:45 -04:00
Benjamin Peterson 6f362fa6c8 actually ssl3 is just completely broken 2015-04-08 11:11:00 -04:00
Victor Stinner 146907081c Issue #23853: Methods of SSL socket don't reset the socket timeout anymore each
time bytes are received or sent. The socket timeout is now the maximum total
duration of the method.

This change fixes a denial of service if the application is regularly
interrupted by a signal and the signal handler does not raise an exception.
2015-04-06 22:46:13 +02:00
Serhiy Storchaka 8490f5acfe Issue #23001: A few functions in the modules mmap, ossaudiodev, socket, ssl, and
codecs that accepted only read-only bytes-like objects now accept writable
bytes-like objects too.
2015-03-20 09:00:36 +02:00
Benjamin Peterson 85586ebc39 merge 3.4 (#23679) 2015-03-16 12:45:27 -05:00
Benjamin Peterson 59c4eb71f2 versionchanged for rc4 removal (closes #23679) 2015-03-16 12:43:38 -05:00
Benjamin Peterson af098a221a merge 3.4 (#23608) 2015-03-08 09:42:40 -04:00
Benjamin Peterson c8358273ae indicate correct version (closes #23608) 2015-03-08 09:42:25 -04:00
Benjamin Peterson de8eca4638 merge 3.4 2015-03-04 22:50:25 -05:00
Benjamin Peterson 990fcaac3c expose X509_V_FLAG_TRUSTED_FIRST 2015-03-04 22:49:41 -05:00
Antoine Pitrou c481bfb3f6 Issue #23239: ssl.match_hostname() now supports matching of IP addresses. 2015-02-15 18:12:20 +01:00
Benjamin Peterson 8861502e07 prefer server alpn ordering over the client's 2015-01-23 17:30:26 -05:00
Benjamin Peterson cca2732a82 add support for ALPN (closes #20188) 2015-01-23 16:35:37 -05:00
Benjamin Peterson 4cb17812d9 expose the client's cipher suites from the handshake (closes #23186) 2015-01-07 11:14:26 -06:00
Victor Stinner 3ce67a9560 Issue #23177: Document that ssl.RAND_egd() is not available with LibreSSL 2015-01-06 13:53:09 +01:00
Benjamin Peterson b92fd01189 note that sslv3 may not be available 2014-12-06 11:36:32 -05:00
Serhiy Storchaka b757c83ec6 Issue #22581: Use more "bytes-like object" throughout the docs and comments. 2014-12-05 22:25:22 +02:00
Antoine Pitrou 2b207badd6 Fix #22987: update the compatibility matrix for a SSLv23 client. 2014-12-03 20:00:56 +01:00
Benjamin Peterson dbd4bcfcca correct versionchanged version 2014-11-23 20:09:31 -06:00
Benjamin Peterson 7243b574e5 don't require OpenSSL SNI to pass hostname to ssl functions (#22921)
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Benjamin Peterson b9859daeeb merge 3.4 2014-12-06 11:37:18 -05:00
Serhiy Storchaka 92bf919ed0 Issue #22581: Use more "bytes-like object" throughout the docs and comments. 2014-12-05 22:26:10 +02:00
Antoine Pitrou af12676659 Fix #22987: update the compatibility matrix for a SSLv23 client. 2014-12-03 20:03:11 +01:00
Benjamin Peterson f9284ae8ed merge 3.4 (#22921) 2014-11-23 17:06:39 -06:00
Georg Brandl bad8d4bb53 merge with 3.4 2014-10-29 10:57:42 +01:00
Georg Brandl b7354a65ce Fixing broken links in doc, part 4: some more breaks and redirects 2014-10-29 10:57:37 +01:00
Antoine Pitrou 35cd53a940 Issue #22660: update various mentions in the ssl module documentation. 2014-10-21 00:16:00 +02:00
Antoine Pitrou 4b4ddb2190 Issue #22660: update various mentions in the ssl module documentation. 2014-10-21 00:14:39 +02:00
Victor Stinner 2debf15593 Issue #22564: cleanup SSLObject doc 2014-10-10 13:04:08 +02:00
Victor Stinner 29611452b7 Issue #22564: ssl doc, add more links to the non-blocking section 2014-10-10 12:52:43 +02:00
Victor Stinner 805b262d38 Issue #22564: ssl doc: reorganize and reindent documentation of SSLObject and
MemoryBIO; move documentation of SSLContext.wrap_bio()
2014-10-10 12:49:08 +02:00
Victor Stinner 9558e90315 Merge 3.4 2014-10-10 12:47:01 +02:00
Victor Stinner cfb2a0a855 Issue #22564: ssl doc: mention asyncio in the non-blocking section 2014-10-10 12:45:10 +02:00
Victor Stinner 92127a5edb Merge 3.4 2014-10-10 12:43:17 +02:00
Victor Stinner d28fe8c8f4 Issue #22564: ssl doc: mention how SSLSocket are usually created 2014-10-10 12:07:19 +02:00
Victor Stinner 3c3d3c73f3 Issue #22564: ssl doc: use "class" marker to document the SSLSocket class 2014-10-10 12:06:51 +02:00
Victor Stinner 41f92c2818 Issue #22564: ssl doc: document read(), write(), pending, server_side and
server_hostname methods and attributes of SSLSocket.
2014-10-10 12:05:56 +02:00
Victor Stinner 851a6cc071 Issue #22564: ssl doc: fix typos 2014-10-10 12:04:15 +02:00
Antoine Pitrou b1fdf47ff5 Issue #21965: Add support for in-memory SSL to the ssl module.
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Berker Peksag 131caba074 Revert #22251 2014-09-28 00:01:55 +03:00
Berker Peksag 9c1dba2758 Revert #22251 2014-09-28 00:00:58 +03:00
Berker Peksag f7fee33104 Issue #22251: Fix ReST markup to avoid errors building docs. 2014-09-27 23:22:35 +03:00
Berker Peksag 3749404ba5 Issue #22251: Fix ReST markup to avoid errors building docs. 2014-09-27 23:21:35 +03:00
Antoine Pitrou 47e40429fb Issue #20421: Add a .version() method to SSL sockets exposing the actual protocol version in use. 2014-09-04 21:00:10 +02:00
Zachary Ware b27d3a2d21 Closes #22072: Merge typo fixes from 3.4 2014-07-25 13:31:36 -05:00