`int` fails back to `__trunc__` is `__int__` isn't defined, so cover
that in the docs.
(cherry picked from commit 308eab979d)
Co-authored-by: Eric Appelt <eric.appelt@gmail.com>
* fix a typo: documention -> documentation
* fix the type of IPv?Network.hostmask
* add documentation about IPv?Network.netmask
* fix IPv6Network constructor doc that extended netmasks are not supported
(cherry picked from commit e405096ea9)
Co-authored-by: Xiang Zhang <angwerzx@126.com>
* Add What's New entry for addition of datetime.timezone to the C API
Closes bpo-10381
* Add what's new entry for date and datetime optimizations
Closes bpo-32403
(cherry picked from commit 5bd04f964b)
Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com>
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.
Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulate maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and
maximum supported version at compile time.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 698dde16f6)
Co-authored-by: Christian Heimes <christian@python.org>
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enabled hostname verification except was
ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED.
SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.
The only test case for direct instantiation was added a couple of days
ago for IDNA testing.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 9d50ab563d)
Co-authored-by: Christian Heimes <christian@python.org>
The ssl module function ssl.wrap_socket() has been de-emphasized
and deprecated in favor of the more secure and efficient
SSLContext.wrap_socket() method.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 90f05a527c)
Co-authored-by: Christian Heimes <christian@python.org>
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.
I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 05d9fe32a1)
Co-authored-by: Christian Heimes <christian@python.org>
Dropped the part that says: "For objects that do not provide sequence protocol".
(cherry picked from commit 7a1e1786f9)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
The 'optimization' is for space in the executable file, not for run time.
(cherry picked from commit 186b606d8a)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6cdb7954b0)
Co-authored-by: Christian Heimes <christian@python.org>
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.
After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
(cherry picked from commit 11a1493bc4)
Co-authored-by: Christian Heimes <christian@python.org>
`whilst` and `while` are both english words, `whilst` is not as commonly used.
This can be confusing to readers whose primary language is not english.
(cherry picked from commit 98f42aac23)
Co-authored-by: Mariatta <Mariatta@users.noreply.github.com>
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right
protocol default, so let's not pass anyway.
(cherry picked from commit e9edee0b65)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
If the directory already exists, it will be re-used.
(cherry picked from commit e8eb972514)
Co-authored-by: TROUVERIE Joachim <joachim.trouverie@linoame.fr>
Adapt documentation for `copyright` and `credits` to reality. Previously, the documentation implied that all each of `copyright`,
`credits`, and `license`, would print a message to call the object in order to see the full text. In reality, only `license` exhibits this
behaviour, and `copyright` and `credit` print their full text either when printed, displayed, or called.
(cherry picked from commit 243d6d7126)
Co-authored-by: Gerrit Holl <gerrit.holl@gmail.com>
There was an extra dash in the example for re.sub().
(cherry picked from commit b65cb163d6)
Co-authored-by: xpvpc <32843902+xpvpc@users.noreply.github.com>
Remove pkg_add -r python from FreeBSD installation section.
Moved to OpenBSD.
(cherry picked from commit 3384d38d51)
Co-authored-by: Eitan Adler <grimreaper@users.noreply.github.com>
This note incorrectly stated that "Base64 has an expansion factor of 6
to 4" (it is actually 4 to 3). It was decided to remove the note.
(cherry picked from commit 88c38a4049)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Describe *text* as an alias for *universal_newlines* in more places that people are likely to be referred to.
(cherry picked from commit e14c010378)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
The new link is given in a red box on the old page.
(cherry picked from commit 8d1f2f4038)
Co-authored-by: sblondon <sblondon@users.noreply.github.com>
`arg_name` and `element_index` are defined as `digit`+ instead of `integer`.
(cherry picked from commit 7a561afd2c)
Co-authored-by: Mariatta <Mariatta@users.noreply.github.com>
Fixes the documentation for `subprocess.check_output()` not mentioning that the encoding and errors parameters were added in 3.6.
(cherry picked from commit fc1ce810f1)
Co-authored-by: Brice Gros <brice-gros@users.noreply.github.com>
When `__getattr__` is implemented, attribute lookup will always fall back to that,
even if the initial failure comes from `__getattribute__` or a descriptor's `__get__`
method (including property methods).
(cherry picked from commit d1f318105b)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
Changed the definition of width and precision from "integer" to "digit+" in format mini-language doc.
(cherry picked from commit 8b5fa289fd)
Co-authored-by: nathankerr96 <nathankerr96@gmail.com>
Fix typos found by codespell in docs, docstrings, and comments.
(cherry picked from commit c3d9508ff2)
Co-authored-by: Leo Arias <leo.arias@canonical.com>
Modify RE examples in documentation to use raw strings to prevent DeprecationWarning.
Add text to REGEX HOWTO to highlight the deprecation. Approved by Serhiy Storchaka.
(cherry picked from commit 66771422d0)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
This reverts commit 72a0d218dc.
The reverted commit had a few issues so it was unanimously decided
to undo it. See the bpo issue for details.
(cherry picked from commit 383b32fe10)
Co-authored-by: Yury Selivanov <yury@magic.io>
The f-string example for using datetime format specifier does not match the given output.
Changed the format from %b to %B so it matches the output of "January".
This allows the compression level to be specified when writing zipfiles
(for the entire file *and* overridden on a per-file basis).
Contributed by Bo Bayles
Fix socket(fileno=fd) by auto-detecting the socket's family, type,
and proto from the file descriptor. The auto-detection can be overruled
by passing in family, type, and proto explicitly.
Without the fix, all socket except for TCP/IP over IPv4 are basically broken:
>>> s = socket.create_connection(('www.python.org', 443))
>>> s
<socket.socket fd=3, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('2003:58:bc4a:3b00:56ee:75ff:fe47:ca7b', 59730, 0, 0), raddr=('2a04:4e42:1b::223', 443, 0, 0)>
>>> socket.socket(fileno=s.fileno())
<socket.socket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('2003:58:bc4a:3b00::%2550471192', 59730, 0, 2550471192), raddr=('2a04:4e42:1b:0:700c:e70b:ff7f:0%2550471192', 443, 0, 2550471192)>
Signed-off-by: Christian Heimes <christian@python.org>
Until now Python used a hard coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python did neither benefit from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.
Python now defaults to OpenSSL DEFAULT cipher suite selection and black
lists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.
Signed-off-by: Christian Heimes <christian@python.org>
socketserver.ForkingMixIn.server_close() and
socketserver.ThreadingMixIn.server_close() now waits until all child
processes and non-daemonic threads complete.
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>