Commit Graph

262 Commits

Author SHA1 Message Date
Christian Heimes d04863771b Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.
The deprecation includes manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.

ssl.wrap_socket() is not marked as deprecated yet.
2016-09-10 23:23:33 +02:00
Christian Heimes 358cfd426c Issue 28043: SSLContext has improved default settings
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes 3aeacad561 Issue #28025: Convert all ssl module constants to IntEnum and IntFlags. 2016-09-10 00:19:35 +02:00
Christian Heimes 03d13c0cbf Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. 2016-09-06 20:06:47 +02:00
Christian Heimes 598894ff48 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:19:05 +02:00
Christian Heimes ac041c0aa7 Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. 2016-09-06 20:07:58 +02:00
Christian Heimes 25bfcd5d9e Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers. 2016-09-06 00:04:45 +02:00
Christian Heimes 01113faef9 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:23:24 +02:00
Terry Jan Reedy fa089b9b0b Issue #22558: Add remaining doc links to source code for Python-coded modules.
Reformat header above separator line (added if missing) to a common format.
Patch by Yoni Lavi.
2016-06-11 15:02:54 -04:00
Serhiy Storchaka dba903993a Issue #23921: Standardized documentation whitespace formatting.
Original patch by James Edwards.
2016-05-10 12:01:23 +03:00
Serhiy Storchaka 6dff0205b7 Issue #26736: Used HTTPS for external links in the documentation if possible. 2016-05-07 10:49:07 +03:00
Martin Panter f6b1d66a3c Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes 2016-03-28 00:22:09 +00:00
Georg Brandl 5d94134040 Closes #25910: fix dead and permanently redirected links in the docs. Thanks to SilentGhost for the patch. 2016-02-26 19:37:12 +01:00
Georg Brandl 8c16cb9f65 Closes #26435: fix syntax in directives. Thanks to Jakub Stasiak. 2016-02-25 20:17:45 +01:00
Serhiy Storchaka 4981dd2cb8 Fixed merging error in 3ebeeed1eb28.
Thanks Марк Коренберг.
2015-11-06 11:19:42 +02:00
Martin Panter 4827e488a4 Merge spelling fixes from 3.4 into 3.5 2015-10-31 12:16:18 +00:00
Martin Panter 1f1177d69a Fix some spelling errors in documentation and code comments 2015-10-31 11:48:53 +00:00
Berker Peksag fee05daef8 Issue #24232: Fix typos. Patch by Ville Skyttä. 2015-05-19 01:38:05 +03:00
Berker Peksag 315e104d11 Issue #24232: Fix typos. Patch by Ville Skyttä. 2015-05-19 01:36:55 +03:00
Antoine Pitrou b9f2ab9eae Fix duplicate doc entry for SSLContext.get_ca_certs()
(closes #18147)
2015-04-13 21:06:51 +02:00
Antoine Pitrou 97aa953550 Fix duplicate doc entry for SSLContext.get_ca_certs()
(closes #18147)
2015-04-13 21:06:15 +02:00
Benjamin Peterson 1c69c3e3d8 use imperative 2015-04-11 07:42:42 -04:00
Berker Peksag eb7a97c48e Issue #23025: Add a mention of os.urandom to RAND_bytes and RAND_pseudo_bytes docs.
Patch by Alex Gaynor.
2015-04-10 16:19:13 +03:00
Benjamin Peterson 339e3f33b6 merge 3.4 2015-04-11 07:44:45 -04:00
Serhiy Storchaka 2ce11d296c Null merge 2015-04-10 16:22:14 +03:00
Berker Peksag a7b9a1f4df Issue #23025: Add a mention of os.urandom to RAND_bytes and RAND_pseudo_bytes docs.
Patch by Alex Gaynor.
2015-04-10 16:19:44 +03:00
Benjamin Peterson f1c5dea3c2 merge 3.4 2015-04-08 11:11:45 -04:00
Benjamin Peterson 6f362fa6c8 actually ssl3 is just completely broken 2015-04-08 11:11:00 -04:00
Victor Stinner 146907081c Issue #23853: Methods of SSL socket don't reset the socket timeout anymore each
time bytes are received or sent. The socket timeout is now the maximum total
duration of the method.

This change fixes a denial of service if the application is regularly
interrupted by a signal and the signal handler does not raise an exception.
2015-04-06 22:46:13 +02:00
Serhiy Storchaka 8490f5acfe Issue #23001: Few functions in modules mmap, ossaudiodev, socket, ssl, and
codecs, that accepted only read-only bytes-like object now accept writable
bytes-like object too.
2015-03-20 09:00:36 +02:00
Benjamin Peterson 85586ebc39 merge 3.4 (#23679) 2015-03-16 12:45:27 -05:00
Benjamin Peterson 59c4eb71f2 versionchanged for rc4 removal (closes #23679) 2015-03-16 12:43:38 -05:00
Benjamin Peterson af098a221a merge 3.4 (#23608) 2015-03-08 09:42:40 -04:00
Benjamin Peterson c8358273ae indicate correct version (closes #23608) 2015-03-08 09:42:25 -04:00
Benjamin Peterson de8eca4638 merge 3.4 2015-03-04 22:50:25 -05:00
Benjamin Peterson 990fcaac3c expose X509_V_FLAG_TRUSTED_FIRST 2015-03-04 22:49:41 -05:00
Antoine Pitrou c481bfb3f6 Issue #23239: ssl.match_hostname() now supports matching of IP addresses. 2015-02-15 18:12:20 +01:00
Benjamin Peterson 8861502e07 prefer server alpn ordering over the client's 2015-01-23 17:30:26 -05:00
Benjamin Peterson cca2732a82 add support for ALPN (closes #20188) 2015-01-23 16:35:37 -05:00
Benjamin Peterson 4cb17812d9 expose the client's cipher suites from the handshake (closes #23186) 2015-01-07 11:14:26 -06:00
Victor Stinner 3ce67a9560 Issue #23177: Document that ssl.RAND_egd() is not available with LibreSSL 2015-01-06 13:53:09 +01:00
Benjamin Peterson b92fd01189 note that sslv3 may not be available 2014-12-06 11:36:32 -05:00
Serhiy Storchaka b757c83ec6 Issue #22581: Use more "bytes-like object" throughout the docs and comments. 2014-12-05 22:25:22 +02:00
Antoine Pitrou 2b207badd6 Fix #22987: update the compatibility matrix for a SSLv23 client. 2014-12-03 20:00:56 +01:00
Benjamin Peterson dbd4bcfcca correct versionchanged version 2014-11-23 20:09:31 -06:00
Benjamin Peterson 7243b574e5 don't require OpenSSL SNI to pass hostname to ssl functions (#22921)
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Benjamin Peterson b9859daeeb merge 3.4 2014-12-06 11:37:18 -05:00
Serhiy Storchaka 92bf919ed0 Issue #22581: Use more "bytes-like object" throughout the docs and comments. 2014-12-05 22:26:10 +02:00
Antoine Pitrou af12676659 Fix #22987: update the compatibility matrix for a SSLv23 client. 2014-12-03 20:03:11 +01:00
Benjamin Peterson f9284ae8ed merge 3.4 (#22921) 2014-11-23 17:06:39 -06:00
Georg Brandl bad8d4bb53 merge with 3.4 2014-10-29 10:57:42 +01:00
Georg Brandl b7354a65ce Fixing broken links in doc, part 4: some more breaks and redirects 2014-10-29 10:57:37 +01:00
Antoine Pitrou 35cd53a940 Issue #22660: update various mentions in the ssl module documentation. 2014-10-21 00:16:00 +02:00
Antoine Pitrou 4b4ddb2190 Issue #22660: update various mentions in the ssl module documentation. 2014-10-21 00:14:39 +02:00
Victor Stinner 2debf15593 Issue #22564: cleanup SSLObject doc 2014-10-10 13:04:08 +02:00
Victor Stinner 29611452b7 Issue #22564: ssl doc, add more links to the non-blocking section 2014-10-10 12:52:43 +02:00
Victor Stinner 805b262d38 Issue #22564: ssl doc: reorganize and reindent documentation of SSLObject and
MemoryBIO; move documentation of SSLContext.wrap_bio()
2014-10-10 12:49:08 +02:00
Victor Stinner 9558e90315 Merge 3.4 2014-10-10 12:47:01 +02:00
Victor Stinner cfb2a0a855 Issue #22564: ssl doc: mention asyncio in the non-blocking section 2014-10-10 12:45:10 +02:00
Victor Stinner 92127a5edb Merge 3.4 2014-10-10 12:43:17 +02:00
Victor Stinner d28fe8c8f4 Issue #22564: ssl doc: mention how SSLSocket are usually created 2014-10-10 12:07:19 +02:00
Victor Stinner 3c3d3c73f3 Issue #22564: ssl doc: use "class" marker to document the SSLSocket class 2014-10-10 12:06:51 +02:00
Victor Stinner 41f92c2818 Issue #22564: ssl doc: document read(), write(), pending, server_side and
server_hostname methods and attributes of SSLSocket.
2014-10-10 12:05:56 +02:00
Victor Stinner 851a6cc071 Issue #22564: ssl doc: fix typos 2014-10-10 12:04:15 +02:00
Antoine Pitrou b1fdf47ff5 Issue #21965: Add support for in-memory SSL to the ssl module.
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Berker Peksag 131caba074 Revert #22251 2014-09-28 00:01:55 +03:00
Berker Peksag 9c1dba2758 Revert #22251 2014-09-28 00:00:58 +03:00
Berker Peksag f7fee33104 Issue #22251: Fix ReST markup to avoid errors building docs. 2014-09-27 23:22:35 +03:00
Berker Peksag 3749404ba5 Issue #22251: Fix ReST markup to avoid errors building docs. 2014-09-27 23:21:35 +03:00
Antoine Pitrou 47e40429fb Issue #20421: Add a .version() method to SSL sockets exposing the actual protocol version in use. 2014-09-04 21:00:10 +02:00
Zachary Ware b27d3a2d21 Closes #22072: Merge typo fixes from 3.4 2014-07-25 13:31:36 -05:00
Zachary Ware 88a1977a08 Issue #22072: Fix a couple of SSL doc typos. Patch by Alex Gaynor. 2014-07-25 13:30:50 -05:00
Berker Peksag 68f411670e Issue #21994: Merge with 3.4. 2014-07-17 05:02:02 +03:00
Berker Peksag 38bf87c7f2 Issue #21994: Fix SyntaxError in the SSLContext.check_hostname documentation. 2014-07-17 05:00:36 +03:00
Zachary Ware ba9fb0d83f Fix doc build warning 2014-06-11 15:02:25 -05:00
Giampaolo Rodola' 915d14190e fix issue #17552: add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'· 2014-06-11 03:54:30 +02:00
Donald Stufft 8b852f111e Fix Issue #21528 - Fix documentation typos 2014-05-20 12:58:38 -04:00
Antoine Pitrou f48ff0dd6c Issue #21430: additions to the description of non-blocking SSL sockets 2014-05-18 00:56:53 +02:00
Antoine Pitrou 75e03388d8 Issue #21430: additions to the description of non-blocking SSL sockets 2014-05-18 00:55:13 +02:00
Antoine Pitrou b4bebdafe3 Issue #20951: SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
Antoine Pitrou c695c95626 Issue #19940: ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
Patch by Akira.
2014-04-28 20:57:36 +02:00
Antoine Pitrou 94a5b663bf Issue #20896: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility. 2014-04-16 18:56:28 +02:00
Donald Stufft 4137465bf5 Issue #21043: Remove the recommendation for specific CA organizations
Closes #21043 by updating the documentation to remove specific CA
organizations and update the text to no longer need to tell you to
download root certificates, but instead use the OS certificates
available through SSLContext.load_default_certs.
2014-03-24 19:26:03 -04:00
Donald Stufft 6a2ba94908 Issue #21013: Enhance ssl.create_default_context() for server side contexts
Closes #21013 by modifying ssl.create_default_context() to:

* Move the restricted ciphers to only apply when using
  ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
  is the lack of RC4 in the restricted. However there are servers that exist
  that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
  will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
  of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
  socket the context will prioritize our ciphers which have been carefully
  selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
  that end users can more easily determine if they need to unset
  ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
Antoine Pitrou f8cbbbb652 Issue #20913: make it clear that create_default_context() also enables hostname checking 2014-03-23 16:31:08 +01:00
Antoine Pitrou c5e075ff03 Issue #20913: improve the SSL security considerations to first advocate using create_default_context(). 2014-03-22 18:19:11 +01:00
Donald Stufft 79ccaa2cad Issue #20995: Enhance default ciphers used by the ssl module
Closes #20995 by Enabling better security by prioritizing ciphers
such that:

* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
  compatibility sometimes.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
  reasons
2014-03-21 21:33:34 -04:00
Larry Hastings 3732ed2414 Merge in all documentation changes since branching 3.4.0rc1. 2014-03-15 21:13:56 -07:00
Antoine Pitrou e6d2f159fc Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:30:51 +01:00
Antoine Pitrou 3e86ba4e32 Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:26:33 +01:00
R David Murray 748bad2cd0 Tidy up ssl whatsnew references, make ssl section formatting consistent.
Also remove some extra blank lines in the ssl doc sections for tls1.1/1.2,
and reflow a paragraph.
2013-12-20 17:08:39 -05:00
Christian Heimes 1aa9a75fbf Issue #19509: Add SSLContext.check_hostname to match the peer's certificate
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Serhiy Storchaka 0e90e99188 Issue #19795: Improved markup of True/False constants. 2013-11-29 12:19:53 +02:00
Serhiy Storchaka fbc1c26803 Issue #19795: Improved markup of True/False constants. 2013-11-29 12:17:13 +02:00
Antoine Pitrou 5bef410471 Tweak ssl docs 2013-11-23 16:16:29 +01:00
Christian Heimes 4c05b472dd Issue #19689: Add ssl.create_default_context() factory function. It creates
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes 6b2ff98df4 Correct documentation clientAuth -> CLIENT_AUTH 2013-11-23 14:42:01 +01:00
Christian Heimes 72d28500b3 Issue #19292: Add SSLContext.load_default_certs() to load default root CA
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes 2427b50fdd Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes f22e8e5426 Issue #18147: Add missing documentation for SSLContext.get_ca_certs().
Also change the argument name to the same name as getpeercert()
2013-11-22 02:22:51 +01:00