Commit Graph

262 Commits

Author SHA1 Message Date
Miss Islington (bot) ec10b70ea6
bpo-35044, doc: Use the :exc: role for the exceptions (GH-10037)
(cherry picked from commit e483f02423)

Co-authored-by: Stéphane Wirtel <stephane@wirtel.be>
2018-10-26 03:56:28 -07:00
Cheryl Sabella b248a8c9a5 [3.7] bpo-11233: Create availability directive for documentation (GH-9692) (GH-9830)
Replace "Availability: xxx" with ".. availability:: xxx" in the doc.
 Original patch by Georg Brandl.

 Co-Authored-By: Georg Brandl <georg@python.org>
 (cherry picked from commit 2d6097d027)

 Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
2018-10-15 22:52:26 +02:00
Miss Islington (bot) b3c4a050b7
bpo-34906: Doc: Fix typos (GH-9712)
(cherry picked from commit 07fbbfde1b)

Co-authored-by: Stéphane Wirtel <stephane@wirtel.be>
2018-10-05 07:35:18 -07:00
Christian Heimes 2756ef3165 [3.7] bpo-34670: Add TLS 1.3 post handshake auth (GH-9460) (GH-9505)
Add SSLContext.post_handshake_auth and
SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake
authentication.

Signed-off-by: Christian Heimes <christian@python.org>q

https://bugs.python.org/issue34670.
(cherry picked from commit 9fb051f032)

Co-authored-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue34670
2018-09-23 00:22:52 -07:00
Miss Islington (bot) a912305512
closes bpo-34050: Fix link in SSL docs (GH-8173)
(cherry picked from commit 9c5ba09748)

Co-authored-by: Marcin Niemira <marcin@niemira.net>
2018-07-07 15:47:35 -07:00
Miss Islington (bot) 5f165851b9
bpo-33892: Doc: Use gender neutral words (GH-7770)
(cherry picked from commit 5092439c2c)

Co-authored-by: Andrés Delfino <adelfino@gmail.com>
2018-06-17 21:49:43 -07:00
Miss Islington (bot) a5db479ac4 bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) (GH-7649)
The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were
misleading and partly wrong. It fails to explain that OpenSSL behaves
differently in client and server mode. Also OpenSSL does validate the
cert chain everytime. With SSL_VERIFY_NONE a validation error is not
fatal in client mode and does not request a client cert in server mode.
Also discourage people from using CERT_OPTIONAL in client mode.
(cherry picked from commit ef24b6c54d)

Co-authored-by: Christian Heimes <christian@python.org>
2018-06-11 19:20:24 -04:00
Miss Islington (bot) d16d72f555
bpo-31215: Add version changed notes for OpenSSL 1.1.0 compatibility (GH-7346)
(cherry picked from commit 9ef1b0690b)

Co-authored-by: Mayank Singhal <17mayank.singhal@gmail.com>
2018-06-08 03:22:40 -07:00
Miss Islington (bot) 0f1a183269
bpo-33641: Convert RFC references into links. (GH-7103)
85% of them are already links.
(cherry picked from commit 0a36ac1a09)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
2018-05-30 22:33:23 -07:00
Miss Islington (bot) 72ef4fc32b [3.7] bpo-33618: Enable TLS 1.3 in tests (GH-7079) (GH-7082)
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 529525fb5a)
2018-05-23 22:49:04 +02:00
Miss Islington (bot) cd57b48ef9
bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.

Also update multissltests and Travis config to test with latest OpenSSL.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit e8eb6cb792)

Co-authored-by: Christian Heimes <christian@python.org>
2018-05-22 14:40:46 -07:00
Miss Islington (bot) e2db6ad1d9 [3.7] bpo-32257: Add ssl.OP_NO_RENEGOTIATION (GH-5904) (#6877)
The ssl module now contains OP_NO_RENEGOTIATION constant, available with
OpenSSL 1.1.0h or 1.1.1.

Note, OpenSSL 1.1.0h hasn't been released yet.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 67c4801663)

Co-authored-by: Christian Heimes <christian@python.org>
2018-05-16 10:26:19 -04:00
Miss Islington (bot) 51b2f6d3a3 bpo-33503: Fix the broken pypi link in the source and the documentation (GH-6814) (GH-6872)
(cherry picked from commit 19177fbd5d)

Co-authored-by: Stéphane Wirtel <stephane@wirtel.be>
2018-05-16 10:05:46 -04:00
Miss Islington (bot) 17b6c19d39 bpo-33045: Fix typos in SSL documentation (GH-6065)
(cherry picked from commit 9cf8c42f32)

Co-authored-by: Matt Eaton <agnosticdev@gmail.com>
2018-03-11 04:21:27 +03:00
Miss Islington (bot) 4c842b0920
bpo-31453: Add setter for min/max protocol version (GH-5259)
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.

Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulate maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and
maximum supported version at compile time.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 698dde16f6)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-27 03:41:04 -08:00
Christian Heimes 89c2051a55
[3.7] bpo-32951: Disable SSLSocket/SSLObject constructor (GH-5864) (#5925)
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enabled hostname verification except was
ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED.

SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.

The only test case for direct instantiation was added a couple of days
ago for IDNA testing.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 9d50ab563d)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-27 11:17:32 +01:00
Miss Islington (bot) 102d5204ad
bpo-28124: deprecate ssl.wrap_socket() (GH-5888)
The ssl module function ssl.wrap_socket() has been de-emphasized
and deprecated in favor of the more secure and efficient
SSLContext.wrap_socket() method.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 90f05a527c)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-27 01:45:31 -08:00
Miss Islington (bot) 2614ed4c6e
bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (GH-5663)
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes

Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.

I'm going to address these issues when OpenSSL 1.1.1 reaches beta.

OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 05d9fe32a1)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-27 00:17:49 -08:00
Miss Islington (bot) 01d9c23e47 [3.7] bpo-30622: Improve NPN support detection (GH-5859) (#5860)
The ssl module now detects missing NPN support in LibreSSL.

Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6cdb7954b0)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-24 23:04:27 +01:00
Miss Islington (bot) 1c37e27719 [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128) (GH-5843)
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.

After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
(cherry picked from commit 11a1493bc4)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-23 19:18:28 -08:00
Miss Islington (bot) e5d38deb04
bpo-32008: don't use PROTOCOL_TLSv1 in example (GH-5789)
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right
protocol default, so let's not pass anyway.
(cherry picked from commit e9edee0b65)

Co-authored-by: Benjamin Peterson <benjamin@python.org>
2018-02-20 22:02:18 -08:00
Christian Heimes 61d478c71c
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP

The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.

* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-27 15:51:38 +01:00
Sanyam Khurana 338cd83c5d bpo-25910: Link redirections in docs (#1933)
Fixes some redirection links in docs.
2018-01-20 01:25:37 +01:00
jimmy 4f29f3c84b trivial: link updates in documentation (#2765) 2017-12-13 14:37:51 +02:00
Sanyam Khurana 1b4587a246 bpo-25910: Fixes redirection from http to https (#4674) 2017-12-06 17:39:33 +01:00
Mandeep Singh ede2ac913e bpo-23033: Improve SSL Certificate handling (GH-937)
Wildcard is now supported in hostname when it is one and only character in
the leftmost segment.
2017-11-26 14:31:27 -08:00
Felipe 19e4d9346d bpo-31533: fix broken link to OpenSSL docs (#3674) 2017-09-20 20:20:18 +02:00
Christian Heimes e82c034496 bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED (#3531)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:29:57 +02:00
Christian Heimes 4df60f18c6 bpo-31386: Custom wrap_bio and wrap_socket type (#3426)
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and
SSLSocket as return types. In the light of future deprecation of
ssl.wrap_socket() module function and direct instantiation of SSLSocket,
it is desirable to make the return type of SSLSocket.wrap_bio() and
SSLSocket.wrap_socket() customizable.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:26:05 +02:00
Christian Heimes b3ad0e5127 bpo-28182: Expose OpenSSL verification results (#3412)
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.

Original patch by Chi Hsuan Yen

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-08 12:00:19 -07:00
Christian Heimes cb5b68abde bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
* bpo-29136: Add TLS 1.3 support

TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.

Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 18:07:00 -07:00
Christian Heimes ad0ffa033e bpo-21649: Add RFC 7525 and Mozilla server side TLS (#3387)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-06 16:19:56 -07:00
Christian Heimes 7b40cb7293 bpo-30714: ALPN changes for OpenSSL 1.1.0f (#2305)
OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
callback can pretend to not been set.

See https://github.com/openssl/openssl/pull/3158 for more details

Signed-off-by: Christian Heimes <christian@python.org>
2017-08-15 10:33:43 +02:00
Benjamin Peterson fdfca5f0ff remove extra word (#2101) 2017-06-11 00:24:38 -07:00
Benjamin Peterson dc1da9adc3 clarify recv() and send() on SSLObject (#2100)
SSLObject has recv() and send(), but they don't do any network io.
2017-06-11 00:15:14 -07:00
Chandan Kumar 63c2c8ac17 bpo-19180: Updated references for RFC 1750, RFC 3280 & RFC 4366 (GH-148)
* RFC 1750 has been been obsoleted by RFC 4086.
* RFC 3280 has been obsoleted by RFC 5280.
* RFC 4366 has been obsoleted by RFC 6066.
2017-06-09 19:43:58 +10:00
Nathaniel J. Smith d4069de511 Clean up some confusing text left by PROTOCOL_SSLv23 -> PROTOCOL_TLS transition (#1355) 2017-05-01 22:43:31 -07:00
Marco Buttu 7b2491a6aa bpo-27200: Fix pathlib, ssl, turtle and weakref doctests (GH-616) 2017-04-13 17:17:59 +03:00
Alex Gaynor 275104e86b In SSL module version examples, don't use a legacy version. (#381) 2017-03-02 11:23:19 +01:00
Alex Gaynor 1cf2a809b1 Fixed a handful of typos (GH-343) 2017-02-28 19:26:56 -08:00
Berker Peksag d93c4de522 Fix usage of data directive 2017-02-06 13:37:19 +03:00
Serhiy Storchaka 7d6dda4b78 Issue #19795: Improved more markups of True/False. 2016-10-19 18:36:51 +03:00
Serhiy Storchaka 4adf01caae Issue #19795: Improved more markups of True/False. 2016-10-19 18:30:05 +03:00
Serhiy Storchaka 989db5c880 Issue #19795: Mark up None as literal text. 2016-10-19 16:37:13 +03:00
Serhiy Storchaka ecf41da83e Issue #19795: Mark up None as literal text. 2016-10-19 16:29:26 +03:00
Christian Heimes ed9c0706cf Explain why PROTOCOL_SSLv23 does not support SSLv2 and SSLv3 by default. 2016-09-13 13:27:26 +02:00
Christian Heimes 17352fff92 Explain why PROTOCOL_SSLv23 does not support SSLv2 and SSLv3 by default. 2016-09-13 12:09:55 +02:00
Christian Heimes c4d2e500a9 Update whatsnew with my contributions 2016-09-12 01:14:35 +02:00
Christian Heimes 5fe668c672 Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext 2016-09-12 00:01:11 +02:00
Christian Heimes 99a6570295 Issue #19500: Add client-side SSL session resumption to the ssl module. 2016-09-10 23:44:53 +02:00