Christian Heimes
03d13c0cbf
Issues #27850 and #27766 : Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305.
2016-09-06 20:06:47 +02:00
Christian Heimes
598894ff48
Issue #26470 : Port ssl and hashlib module to OpenSSL 1.1.0.
2016-09-05 23:19:05 +02:00
Steve Dower
33bc4a2983
Issue #27114 : Fix SSLContext._load_windows_store_certs fails with PermissionError
2016-05-26 12:18:12 -07:00
Martin Panter
f6b1d66a3c
Issue #23804 : Fix SSL recv/read(0) to not return 1024 bytes
2016-03-28 00:22:09 +00:00
Steve Dower
8dd7aebc23
Issue #26313 : ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
2016-03-17 15:02:39 -07:00
Ethan Furman
24e837f231
issue23673
...
add private method to enum to support replacing global constants with Enum members:
- search for candidate constants via supplied filter
- create new enum class and members
- insert enum class and replace constants with members via supplied module name
- replace __reduce_ex__ with function that returns member name, so previous Python versions can unpickle
modify IntEnum classes to use new method
2015-03-18 17:27:57 -07:00
Benjamin Peterson
3e2500d6db
merge 3.4
2015-03-04 23:20:23 -05:00
Benjamin Peterson
7bcf9a5588
use _import_symbols to import VERIFY_* constants
2015-03-04 23:18:57 -05:00
Benjamin Peterson
869311dd97
merge 3.4 ( #23481 )
2015-02-19 17:58:19 -05:00
Benjamin Peterson
500af332f4
remove rc4 from the default client ciphers ( closes #23481 )
2015-02-19 17:57:08 -05:00
Antoine Pitrou
c481bfb3f6
Issue #23239 : ssl.match_hostname() now supports matching of IP addresses.
2015-02-15 18:12:20 +01:00
Benjamin Peterson
cca2732a82
add support for ALPN ( closes #20188 )
2015-01-23 16:35:37 -05:00
Benjamin Peterson
c114e7db60
remove extra definite article
2015-01-11 15:22:07 -05:00
Benjamin Peterson
5318c7aa59
explain None can be returned
2015-01-07 11:26:50 -06:00
Benjamin Peterson
4cb17812d9
expose the client's cipher suites from the handshake ( closes #23186 )
2015-01-07 11:14:26 -06:00
Victor Stinner
fcfed19913
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
Victor Stinner
9d01717f37
Issue #20896 , #22935 : The ssl.get_server_certificate() function now uses the
...
ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum
compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is
disabled.
2015-01-06 12:21:26 +01:00
Victor Stinner
0041142785
Issue #22935 : Fix ssl module when SSLv3 protocol is not supported
2014-12-12 12:23:09 +01:00
Benjamin Peterson
7243b574e5
don't require OpenSSL SNI to pass hostname to ssl functions ( #22921 )
...
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Victor Stinner
beeb512fe1
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation.
Patch written by Bernard Spil.
2014-11-28 13:28:25 +01:00
Benjamin Peterson
f9284ae8ed
merge 3.4 ( #22921 )
2014-11-23 17:06:39 -06:00
Benjamin Peterson
1cca273669
merge 3.4 ( #22417 )
2014-11-03 14:36:48 -05:00
Benjamin Peterson
4ffb075271
PEP 476: enable HTTPS certificate verification by default ( #22417 )
...
Patch by Alex Gaynor with some modifications by me.
2014-11-03 14:29:33 -05:00
Berker Peksag
1ed2e69a4a
Issue #22186 : Fix typos in Lib/.
...
Patch by Févry Thibault.
2014-10-19 18:07:05 +03:00
Berker Peksag
f23530f569
Issue #22186 : Fix typos in Lib/.
...
Patch by Févry Thibault.
2014-10-19 18:04:38 +03:00
Antoine Pitrou
a21de3d45e
Issue #22638 : SSLv3 is now disabled throughout the standard library.
...
It can still be enabled by instantiating a SSLContext manually.
2014-10-17 19:28:30 +02:00
Antoine Pitrou
e4eda4d33f
Issue #22638 : SSLv3 is now disabled throughout the standard library.
...
It can still be enabled by instantiating a SSLContext manually.
2014-10-17 19:28:30 +02:00
Antoine Pitrou
3cb9379881
Remove unused "block" argument in SSLObject.do_handshake() (issue #21965 )
2014-10-06 00:21:09 +02:00
Antoine Pitrou
b1fdf47ff5
Issue #21965 : Add support for in-memory SSL to the ssl module.
...
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Benjamin Peterson
8b9cfa1066
merge 3.4 ( #22449 )
2014-10-03 17:33:45 -04:00
Benjamin Peterson
5915b0f924
also use openssl envvars to find certs on windows ( closes #22449 )
...
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
Antoine Pitrou
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
Giampaolo Rodola'
915d14190e
fix issue #17552 : add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'·
2014-06-11 03:54:30 +02:00
Antoine Pitrou
b4bebdafe3
Issue #20951 : SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
...
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
Antoine Pitrou
c695c95626
Issue #19940 : ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
...
Patch by Akira.
2014-04-28 20:57:36 +02:00
Antoine Pitrou
172f025bed
Issue #21068 : The ssl.PROTOCOL* constants are now enum members.
2014-04-18 20:33:08 +02:00
Antoine Pitrou
94a5b663bf
Issue #20896 : ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.
2014-04-16 18:56:28 +02:00
Donald Stufft
6a2ba94908
Issue #21013 : Enhance ssl.create_default_context() for server side contexts
...
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
Donald Stufft
79ccaa2cad
Issue #20995 : Enhance default ciphers used by the ssl module
...
Closes #20995 by Enabling better security by prioritizing ciphers
such that:
* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
reasons
2014-03-21 21:33:34 -04:00
Victor Stinner
7fa767e517
Issue #20976 : pyflakes: Remove unused imports
2014-03-20 09:16:38 +01:00
Antoine Pitrou
e6d2f159fc
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:30:51 +01:00
Antoine Pitrou
3e86ba4e32
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:26:33 +01:00
Christian Heimes
1da3ba8697
Issue #19509 : Don't close the socket in do_handshake() when hostname verification fails.
2013-12-04 20:46:20 +01:00
Christian Heimes
a02c69a73b
add check_hostname arg to ssl._create_stdlib_context()
2013-12-02 20:59:28 +01:00
Christian Heimes
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Christian Heimes
dec813f118
ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME
2013-11-28 08:06:54 +01:00
Christian Heimes
67986f9431
Issue #19735 : Implement private function ssl._create_stdlib_context() to
...
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
2013-11-23 22:43:47 +01:00
Christian Heimes
4c05b472dd
Issue #19689 : Add ssl.create_default_context() factory function. It creates
...
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes
72d28500b3
Issue #19292 : Add SSLContext.load_default_certs() to load default root CA
...
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00