a7eaf56a6d
replace 512 bit dh key with a 2014 bit one ( closes #23844 )
...
Patch by Cédric Krier.
2015-04-02 00:04:06 -04:00
18987a11ce
Issue #20617 : Remove unused import in test_ssl.
...
Patch by Mark Lawrence.
2015-03-12 18:50:49 +02:00
c3d9c5ca0a
adjust test_crl_check for trusted first being default
2015-03-04 23:18:48 -05:00
990fcaac3c
expose X509_V_FLAG_TRUSTED_FIRST
2015-03-04 22:49:41 -05:00
05784a706e
Issue #23345 : Prevent test_ssl failures with large OpenSSL patch level
...
values (like 0.9.8zc).
2015-02-05 17:20:13 +11:00
fcfed19913
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
3f7e064b2b
Issue #22935 : Fix test_ssl when the SSLv3 protocol is not supported
2014-12-12 12:27:08 +01:00
e32467cf6a
allow ssl module to compile if openssl doesn't support SSL 3 ( closes #22935 )
...
Patch by Kurt Roeckx.
2014-12-05 21:59:35 -05:00
7243b574e5
don't require OpenSSL SNI to pass hostname to ssl functions ( #22921 )
...
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
1ea070e561
test that keyfile can be None
2014-11-03 21:05:01 -05:00
4ffb075271
PEP 476: enable HTTPS certificate verification by default ( #22417 )
...
Patch by Alex Gaynor with some modifications by me.
2014-11-03 14:29:33 -05:00
91244e01bb
separate cert loading tests into Windows and non-Windows cases
2014-10-03 18:17:15 -04:00
5915b0f924
also use openssl envvars to find certs on windows ( closes #22449 )
...
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
dfab935c74
Issue #21976 : Fix test_ssl to accept LibreSSL version strings.
...
Thanks to William Orr.
2014-07-21 18:35:01 -04:00
c043061667
Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015
2014-04-16 18:33:39 +02:00
6a2ba94908
Issue #21013 : Enhance ssl.create_default_context() for server side contexts
...
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
0bebbc33fa
Issue #21015 : SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
...
(should also fix a buildbot failure introduced by #20995 )
2014-03-22 18:13:50 +01:00
10b93cc29c
merge 3.3 ( #20896 )
2014-03-12 18:10:57 -05:00
ba44860c11
Try to fix test_ssl failures on some buildbots
2014-01-09 21:30:17 +01:00
32c4915b23
Try to fix test_ssl failures on some buildbots
2014-01-09 21:28:48 +01:00
78ace81c93
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:09:03 +01:00
cd3d7cabef
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:02:20 +01:00
3e86ba4e32
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:26:33 +01:00
e6d2f159fc
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:30:51 +01:00
36e96b8716
(Merge 3.3) Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now
...
raise a ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:25 +01:00
1e81a399a2
Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a
...
ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:04 +01:00
bd9cbb0691
Issue #19919 : Fix flacky SSL test. connect_ex() sometimes returns
...
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:16:45 +01:00
de57074874
Issue #19919 : Fix flacky SSL test. connect_ex() sometimes returns
...
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:15:44 +01:00
575596e19a
test_ssl: skip tests when SNI is not available
2013-12-15 21:49:17 +01:00
8e7f394282
Test SSLSock's context getter and setter
2013-12-05 07:41:08 +01:00
a02c69a73b
add check_hostname arg to ssl._create_stdlib_context()
2013-12-02 20:59:28 +01:00
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
67986f9431
Issue #19735 : Implement private function ssl._create_stdlib_context() to
...
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
2013-11-23 22:43:47 +01:00
4c05b472dd
Issue #19689 : Add ssl.create_default_context() factory function. It creates
...
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
72d28500b3
Issue #19292 : Add SSLContext.load_default_certs() to load default root CA
...
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
5398e1a56e
Issue #19448 : report name / NID in exception message of ASN1Object
2013-11-22 16:20:53 +01:00
c2d65e1e93
Issue #17134 : check certs of CA and ROOT system store
2013-11-22 16:13:55 +01:00
32f0c7a67b
or VERIFY_CRL_CHECK_LEAF to verify_flags
2013-11-22 03:43:48 +01:00
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
d6dc952e17
one CERT_REQUIRED is enough
2013-11-22 00:39:38 +01:00
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
72c98d3a76
Issue #17997 : Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
...
for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
b89b5df9c9
merge with 3.3
2013-10-27 07:46:09 +01:00
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
2769d44827
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:50 +02:00
157c9834b4
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:41 +02:00
Benjamin Peterson
Berker Peksag
Ned Deily
Victor Stinner
Antoine Pitrou
Donald Stufft
Christian Heimes
Georg Brandl