Commit Graph

48 Commits

Author SHA1 Message Date
Christian Heimes b9a860f3bf [2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446)
* bpo-29136: Add TLS 1.3 support

TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.

Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no-op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit cb5b68abde)
2017-09-07 22:31:17 -07:00
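The cipher-suite split described in the commit message above, as an added example that is not code from the CPython commit or from the ssl module itself: it uses only public Python 3 ssl APIs (SSLContext.get_ciphers(), SSLContext.options, ssl.OP_NO_TLSv1_3, ssl.HAS_TLSv1_3) to show that a cipher string passed to set_ciphers() governs only the pre-1.3 suites, that the TLS 1.3 suites sit in their own set, and that OP_NO_TLSv1_3 is the opt-out flag, which is 0 (a no-op) when the linked OpenSSL has no TLS 1.3. The cipher string, the helper names and the split logic are constructed for the example.

```python
import ssl

# Added example, not code from the CPython commit above. It demonstrates the
# point the commit message makes: set_ciphers() only restricts the pre-1.3
# cipher list, the TLS 1.3 suites are a separate set, and OP_NO_TLSv1_3 is the
# opt-out flag (equal to 0, hence a no-op, when OpenSSL lacks TLS 1.3).

# Constructed cipher string: a deliberately narrow TLS 1.2 list.
LEGACY_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20"


def has_tls13():
    """Whether the linked OpenSSL offers TLS 1.3 at all."""
    return bool(ssl.HAS_TLSv1_3)


def make_context(disable_tls13=False):
    """Client context with a restricted TLS 1.2 cipher list; optionally opt out of 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(LEGACY_CIPHER_STRING)
    if disable_tls13:
        # The flag the commit adds. On Python 3.10+ this emits a
        # DeprecationWarning (ctx.maximum_version is preferred) but still works.
        ctx.options |= ssl.OP_NO_TLSv1_3
    return ctx


def split_ciphers(ctx):
    """Partition ctx.get_ciphers() into (TLS 1.3 names, pre-1.3 names)."""
    tls13, legacy = [], []
    for cipher in ctx.get_ciphers():
        # get_ciphers() reports each suite's protocol; TLS 1.3 suites say "TLSv1.3".
        target = tls13 if cipher["protocol"] == "TLSv1.3" else legacy
        target.append(cipher["name"])
    return tls13, legacy


def tls13_enabled(ctx):
    """True when the library has TLS 1.3 and the context has not opted out."""
    return has_tls13() and not (ctx.options & ssl.OP_NO_TLSv1_3)


if __name__ == "__main__":
    ctx = make_context()
    tls13, legacy = split_ciphers(ctx)
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("TLS 1.3 suites (not affected by set_ciphers):", tls13)
    print("pre-1.3 suites (from the cipher string):", legacy)
    print("TLS 1.3 enabled:", tls13_enabled(ctx))
    print("after OP_NO_TLSv1_3:", tls13_enabled(make_context(disable_tls13=True)))
```

Running it against OpenSSL 1.1.1 or later prints the three TLS 1.3 suites alongside the ECDHE AES-GCM and ChaCha20 suites selected by the cipher string; against an older OpenSSL the TLS 1.3 list is empty and OP_NO_TLSv1_3 is 0, so setting it changes nothing, which is the behaviour the commit describes. The practical caveat is the same in both branches: a hardened cipher string does not constrain what TLS 1.3 negotiates, so version pinning and cipher-string auditing are separate checks.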
Christian Heimes d988f429fe Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. 2016-09-06 20:06:47 +02:00
Christian Heimes c2fc7c4f53 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:37:13 +02:00
Steve Dower 90c9b40c71 Issue #27114: Fix SSLContext._load_windows_store_certs fails with PermissionError 2016-05-26 12:17:21 -07:00
Martin Panter d524b705af Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes 2016-03-28 00:22:09 +00:00
Nick Coghlan dbcd457624 Issue #23857: Implement PEP 493
Adds a Python-2-only ssl module API and environment variable to
configure the default handling of SSL/TLS certificates for
HTTPS connections.
2016-03-20 22:39:15 +10:00
Steve Dower 9cb2074fe4 Issue #26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji. 2016-03-17 15:02:19 -07:00
Benjamin Peterson b10d50eb90 use _import_symbols to import VERIFY_* constants 2015-03-04 23:18:57 -05:00
Benjamin Peterson a0dd7dc1b0 remove rc4 from the default client ciphers (closes #23481) 2015-02-19 17:57:08 -05:00
Benjamin Peterson b10bfbe036 pep 466 backport of alpn (#20188) 2015-01-23 16:35:37 -05:00
Victor Stinner 7c90667f74 Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:53:37 +01:00
Benjamin Peterson e3e7d40514 pep 476: verify certificates by default (#22417) 2014-11-23 21:02:02 -06:00
Benjamin Peterson 31aa69ead5 allow hostname to be passed to SSLContext even if OpenSSL doesn't support SNI (closes #22921)
Patch from Donald Stufft.
2014-11-23 20:13:31 -06:00
Benjamin Peterson 5f6b89bda3 initialize _makefile_refs earlier so things don't blow up when close() is called in the constructor 2014-11-23 11:16:48 -06:00
Antoine Pitrou 95b616480e Backport disabling of SSLv3 in ssl._create_stdlib_context() (issue #22638).
The backport currently doesn't achieve anything since the function isn't used (yet).
2014-10-17 19:28:30 +02:00
Benjamin Peterson 0b30a2bd27 also use openssl envvars to find certs on windows (closes #22449)
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
Benjamin Peterson 2f33456e41 fix sslwrap_simple (closes #22523)
Thanks Alex Gaynor.
2014-10-01 23:53:01 -04:00
Alex Gaynor e98205d798 Issue #20421: Add a .version() method to SSL sockets exposing the actual protocol version in use.
Backport from default.
2014-09-04 13:33:22 -07:00
Benjamin Peterson daeb925cc8 backport many ssl features from Python 3 (closes #21308)
A contribution of Alex Gaynor and David Reid with the generous support of
Rackspace. May God have mercy on their souls.
2014-08-20 14:14:50 -05:00
Antoine Pitrou 63cc99d9a6 Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:26:33 +01:00
Antoine Pitrou f16ff7bc21 Issue #17918: When using SSLSocket.accept(), if the SSL handshake failed on the new socket, the socket would linger indefinitely.
Thanks to Peter Saveliev for reporting.
2013-05-06 22:19:48 +02:00
Antoine Pitrou 40f12ab0c5 Backport Python 3.2 fix for issue #12065, and add another test for SSLSocket.connect_ex(). 2012-12-28 19:03:43 +01:00
Antoine Pitrou d76088d972 Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
Victor Stinner b1241f9619 (Merge 3.1) Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 01:52:03 +02:00
Antoine Pitrou d3f6ea1d1e Merged revisions 88664 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r88664 | antoine.pitrou | 2011-02-27 00:24:06 +0100 (Sun., 27 Feb. 2011) | 4 lines

  Issue #11326: Add the missing connect_ex() implementation for SSL sockets,
  and make it work for non-blocking connects.
........
2011-02-26 23:35:27 +00:00
Antoine Pitrou f7f390a251 Issue #9729: Fix the signature of SSLSocket.recvfrom() and
SSLSocket.sendto() to match the corresponding socket methods.  Also,
fix various SSLSocket methods to raise socket.error rather than an
unhelpful TypeError when called on an unconnected socket.  Original patch
by Andrew Bennetts.

NOTE: obviously, these methods are untested and unused in the real world...
2010-09-14 14:37:18 +00:00
Antoine Pitrou 4c7bcf1194 Issue #8086: In :func:`ssl.DER_cert_to_PEM_cert()`, fix missing newline
before the certificate footer.  Patch by Kyle VanderBeek.
2010-04-27 22:03:37 +00:00
Antoine Pitrou 278d665c6a When calling getpeername() in SSLSocket.__init__, only silence exceptions
caused by the "socket not connected" condition.
2010-04-26 17:23:33 +00:00
Antoine Pitrou fc69af1562 Issue #5103: SSL handshake would ignore the socket timeout and block
indefinitely if the other end didn't respond.
2010-04-24 20:04:58 +00:00
Antoine Pitrou b558f17b18 Issue #5238: Calling makefile() on an SSL object would prevent the
underlying socket from being closed until all objects get truly destroyed.
2010-04-23 23:25:45 +00:00
Antoine Pitrou dfb299bb95 Issue #7943: Fix circular reference created when instantiating an SSL
socket.  Initial patch by Péter Szabó.
2010-04-23 22:54:59 +00:00
Antoine Pitrou 0a6373c1a9 Issue #8322: Add a *ciphers* argument to SSL sockets, so as to change the
available cipher list.  Helps fix test_ssl with OpenSSL 1.0.0.
2010-04-17 17:10:38 +00:00
Antoine Pitrou f9de534c21 Issue #8321: Give access to OpenSSL version numbers from the `ssl` module,
using the new attributes `ssl.OPENSSL_VERSION`, `ssl.OPENSSL_VERSION_INFO`
and `ssl.OPENSSL_VERSION_NUMBER`.
2010-04-05 21:35:07 +00:00
Antoine Pitrou 448da71807 Issue #3890: Fix recv() and recv_into() on non-blocking SSL sockets. 2010-03-21 19:33:38 +00:00
Ezio Melotti b01f5e6f84 #7730: remove spaces after functions names 2010-01-18 09:10:26 +00:00
Benjamin Peterson 941db4d91f fix name collision issues 2008-12-31 04:08:55 +00:00
Benjamin Peterson 43ea6d9acc #4788 qualify some bare except clauses 2008-12-31 03:37:51 +00:00
Bill Janssen eb257ac97d fix for release blocker 3910, 2.6 regression in socket.ssl method 2008-09-29 18:56:38 +00:00
Bill Janssen 61c001a939 incorporate fixes from issue 3162; SSL doc patch 2008-09-08 16:37:24 +00:00
Bill Janssen 39295c2650 remove duplicate close() from ssl.py; expose unwrap and add test for it 2008-08-12 16:31:21 +00:00
Bill Janssen 934b16d0c2 various SSL fixes; issues 1251, 3162, 3212 2008-06-28 22:19:33 +00:00
Christian Heimes c5f05e45cf Patch #2167 from calvin: Remove unused imports 2008-02-23 17:40:11 +00:00
Bill Janssen 296a59d3be Add support for asyncore server-side SSL support. This requires
adding the 'makefile' method to ssl.SSLSocket, and importing the
requisite fakefile class from socket.py, and making the appropriate
changes to it to make it use the SSL connection.

Added sample HTTPS server to test_ssl.py, and test that uses it.

Change SSL tests to use https://svn.python.org/, instead of
www.sf.net and pop.gmail.com.

Added utility function to ssl module, get_server_certificate,
to wrap up the several things to be done to pull a certificate
from a remote server.
2007-09-16 22:06:00 +00:00
Bill Janssen 98d19dafd9 More work on SSL support.
* Much expanded test suite:

  All protocols tested against all other protocols.
  All protocols tested with all certificate options.
  Tests for bad key and bad cert.
  Test of STARTTLS functionality.
  Test of RAND_* functions.

* Fixes for threading/malloc bug.

* Issue 1065 fixed:

  sslsocket class renamed to SSLSocket.
  sslerror class renamed to SSLError.
  Function "wrap_socket" now used to wrap an existing socket.

* Issue 1583946 finally fixed:

  Support for subjectAltName added.
  Subject name now returned as proper DN list of RDNs.

* SSLError exported from socket as "sslerror".

* RAND_* functions properly exported from ssl.py.

* Documentation improved:

  Example of how to create a self-signed certificate.
  Better indexing.
2007-09-10 21:51:02 +00:00
Bill Janssen 24bccf2e32 Added docstrings to methods and functions. 2007-08-30 17:07:28 +00:00
Bill Janssen 426ea0a864 This contains a number of things:
1) Improve the documentation of the SSL module, with a fuller
   explanation of certificate usage, another reference, proper
   formatting of this and that.

2) Fix Windows bug in ssl.py, and general bug in sslsocket.close().
   Remove some unused code from ssl.py.  Allow accept() to be called on
   sslsocket sockets.

3) Use try-except-else in import of ssl in socket.py.  Deprecate use of
   socket.ssl().

4) Remove use of socket.ssl() in every library module, except for
   test_socket_ssl.py and test_ssl.py.
2007-08-29 22:35:05 +00:00
Guido van Rossum e472933e27 Bill Janssen wrote:
Here's a patch which makes test_ssl a better player in the buildbots
environment.  I deep-ended on "try-except-else" clauses.
2007-08-26 19:35:09 +00:00
Guido van Rossum 4f2c3ddca4 Server-side SSL and certificate validation, by Bill Janssen.
While cleaning up Bill's C style, I may have cleaned up some code
he didn't touch as well (in _ssl.c).
2007-08-25 15:08:43 +00:00