67986f9431
Issue #19735 : Implement private function ssl._create_stdlib_context() to
...
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
2013-11-23 22:43:47 +01:00
4c05b472dd
Issue #19689 : Add ssl.create_default_context() factory function. It creates
...
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
72d28500b3
Issue #19292 : Add SSLContext.load_default_certs() to load default root CA
...
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
5398e1a56e
Issue #19448 : report name / NID in exception message of ASN1Object
2013-11-22 16:20:53 +01:00
c2d65e1e93
Issue #17134 : check certs of CA and ROOT system store
2013-11-22 16:13:55 +01:00
32f0c7a67b
or VERIFY_CRL_CHECK_LEAF to verify_flags
2013-11-22 03:43:48 +01:00
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
d6dc952e17
one CERT_REQUIRED is enough
2013-11-22 00:39:38 +01:00
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
b89b5df9c9
merge with 3.3
2013-10-27 07:46:09 +01:00
72c98d3a76
Issue #17997 : Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
...
for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
2769d44827
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:50 +02:00
157c9834b4
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:41 +02:00
6acbe2aaa3
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:34 +02:00
f77b4b20e9
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
e06d47c70c
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00
824f7f366d
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
2894073e1a
test_ssl: use a bytestring here
2013-07-20 19:36:15 +02:00
60a26e0516
Issue #9177 : Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket.
...
Patch by Senko Rasic.
2013-07-20 19:35:16 +02:00
9a5395ae2b
Issue #18147 : Add diagnostic functions to ssl.SSLContext().
...
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
9424bb4aea
Issue #18207 : Fix test_ssl for some versions of OpenSSL that ignore seconds
...
in ASN1_TIME fields.
2013-06-17 15:32:57 +02:00
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
...
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
636f93c63b
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:56:42 +02:00
31fb419908
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:59:12 +02:00
242db728e2
Issue #13721 : SSLSocket.getpeercert() and SSLSocket.do_handshake() now raise an OSError with ENOTCONN, instead of an AttributeError, when the SSLSocket is not connected.
2013-05-01 20:52:07 +02:00
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
...
Patch by Kazuhiro Yoshida.
(originally issue #8109 )
2013-04-11 20:48:42 +02:00
609ef01b02
In search of TLS 1.1 bug: add debugging output in verbose mode
2013-03-29 18:09:06 +01:00
972d5bb763
Use a subtest in test_ssl.test_echo
2013-03-29 17:56:03 +01:00
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
6386e17f39
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:48:15 +01:00
ad246bfb71
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:44:22 +01:00
7b39b9b51b
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:31:21 +01:00
da23259f99
Issue #17107 : Test client-side SNI support in urllib.request thanks to the new server-side SNI support in the ssl module.
...
Initial patch by Daniel Black.
2013-02-05 21:20:51 +01:00
6b4e2a9c02
In test_ssl, threaded tests shouldn't need the network resource to be enabled
2013-01-12 22:00:54 +01:00
db5012ab47
In test_ssl, threaded tests shouldn't need the "network" resource to be enabled
2013-01-12 22:00:09 +01:00
e9bb4733d9
Issue #16923 : Fix ResourceWarnings in test_ssl.
2013-01-12 21:56:56 +01:00
e1ceb50cdf
Issue #16923 : Fix ResourceWarnings in test_ssl.
2013-01-12 21:54:44 +01:00
f86b3c394c
merge 3.3 ( #16900 )
2013-01-10 14:16:42 -06:00
36f7b97787
remove __del__ because it's evil and also prevents the ResourceWarning on the socket from happening ( closes #16900 )
2013-01-10 14:16:20 -06:00
58ddc9d743
Issue #8109 : The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
...
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
49f7e58778
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:09:41 +01:00
6464b84b3e
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:08:49 +01:00
ddb87ab1b4
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:07:43 +01:00
40f12ab0c5
Backport Python 3.2 fix for issue #12065 , and add another test for SSLSocket.connect_ex().
2012-12-28 19:03:43 +01:00
Christian Heimes
Georg Brandl
Antoine Pitrou
Nadeem Vawda
Benjamin Peterson