Commit Graph

143 Commits

Author SHA1 Message Date
Antoine Pitrou 3b36fb1f53 Issue #14837: SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
The str() of a SSLError is also enhanced accordingly.

NOTE: this commit creates a reference leak.  The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type.  The leak is on the
type object when it is instantiated:

>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
Antoine Pitrou d5d17eb653 Issue #14204: The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
Antoine Pitrou c135fa424e Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay. 2012-02-19 21:22:39 +01:00
Antoine Pitrou a9bf2ac726 Try to really fix compilation failures of the _ssl module under very old OpenSSLs. 2012-02-17 18:47:54 +01:00
Antoine Pitrou e9fccb360f Fix compilation when SSL_OP_SINGLE_ECDH_USE isn't defined 2012-02-17 11:53:10 +01:00
Antoine Pitrou 04d4ee4e56 Issue #13014: Fix a possible reference leak in SSLSocket.getpeercert(). 2012-02-15 22:28:21 +01:00
Antoine Pitrou 2f5a163dfc Issue #13014: Fix a possible reference leak in SSLSocket.getpeercert(). 2012-02-15 22:25:27 +01:00
Antoine Pitrou 9e2e5329dc Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. 2012-01-27 09:53:29 +01:00
Antoine Pitrou 3f366314e8 Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. 2012-01-27 09:50:45 +01:00
Antoine Pitrou f2bf8a6ac5 Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. 2012-01-27 09:48:47 +01:00
Antoine Pitrou 0e576f1f50 Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
Antoine Pitrou 501da61671 Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
(followup to issue #13627)
2011-12-21 09:27:41 +01:00
Antoine Pitrou 8abdb8abd8 Issue #13634: Add support for querying and disabling SSL compression. 2011-12-20 10:13:40 +01:00
Antoine Pitrou 923df6f22a Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
Antoine Pitrou 6db4944cc5 Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
Antoine Pitrou bc53032408 Issue #13458: Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName.
Patch by Robert Xiao.
2011-11-23 01:42:52 +01:00
Antoine Pitrou 116d6b98bf Issue #13458: Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName.
Patch by Robert Xiao.
2011-11-23 01:39:19 +01:00
Antoine Pitrou 41032a69c1 Issue #11183: Add finer-grained exceptions to the ssl module, so that
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
Antoine Pitrou a0e0e23299 Add a docstring to SSLError 2011-10-22 23:41:52 +02:00
Antoine Pitrou b7705b7792 Use PyExc_OSError directly instead of grabbing it from the socket module API 2011-10-22 23:37:51 +02:00
Antoine Pitrou a02a12c517 Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported. 2011-10-01 19:22:30 +02:00
Antoine Pitrou d8c347a8de Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported. 2011-10-01 19:20:25 +02:00
Charles-François Natali ac7e9e058d Issue #12287: Fix a stack corruption in ossaudiodev module when the FD is
greater than FD_SETSIZE.
2011-08-28 18:10:27 +02:00
Charles-François Natali aa26b27503 Issue #12287: Fix a stack corruption in ossaudiodev module when the FD is
greater than FD_SETSIZE.
2011-08-28 17:51:43 +02:00
Antoine Pitrou 4fd1e6a3ba Issue #12803: SSLContext.load_cert_chain() now accepts a password argument
to be used if the private key is encrypted.  Patch by Adam Simpkins.
2011-08-25 14:39:44 +02:00
Antoine Pitrou d649480739 Issue #12551: Provide a get_channel_binding() method on SSL sockets so as
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented).  This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.

Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
Antoine Pitrou 7128f95bd2 Issue #12440: When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:49:07 +02:00
Antoine Pitrou b9ac25d1c3 Issue #12440: When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:47:06 +02:00
Victor Stinner 99c8b16143 Issue #12049: Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
module.
2011-05-24 12:05:19 +02:00
Victor Stinner 17ca323e7c (Merge 3.1) Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00
Victor Stinner ee18b6f2fd Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:38:00 +02:00
Victor Stinner 3de49192aa Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-09 00:42:58 +02:00
Antoine Pitrou a7caec74aa Merge fix for issue #11746 2011-04-03 18:16:50 +02:00
Antoine Pitrou 9c25486093 Issue #11746: Fix SSLContext.load_cert_chain() to accept elliptic curve private keys. 2011-04-03 18:15:34 +02:00
Brett Cannon b94767ff44 Issue #8914: fix various warnings from the Clang static analyzer v254. 2011-02-22 20:15:44 +00:00
Victor Stinner 80f75e684e Issue #10989: Fix a crash on SSLContext.load_verify_locations(None, True).
Patch reviewed by Antoine Pitrou, okayed by Georg Brandl.
2011-01-29 11:31:20 +00:00
Hirokazu Yamamoto 8e63c687ef Merged revisions 87140 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r87140 | hirokazu.yamamoto | 2010-12-09 19:49:00 +0900 (木, 09 12 2010) | 2 lines

  Should call Py_INCREF for Py_None (Modules/_ssl.c: PySSL_cipher)
........
2010-12-09 12:30:05 +00:00
Hirokazu Yamamoto 524f10359b Should call Py_INCREF for Py_None (Modules/_ssl.c: PySSL_cipher) 2010-12-09 10:49:00 +00:00
Antoine Pitrou c4df784514 Issue #10272: The ssl module now raises socket.timeout instead of a generic
SSLError on socket timeouts.
2010-12-03 19:59:41 +00:00
Antoine Pitrou 664c2d1fc0 Issue #10443: Add the SSLContext.set_default_verify_paths() method. 2010-11-17 20:29:42 +00:00
Antoine Pitrou fb0469112f Issue #10022: The dictionary returned by the `getpeercert()` method
of SSL sockets now has additional items such as `issuer` and `notBefore`.
2010-11-09 20:21:19 +00:00
Antoine Pitrou d532321f7b Issue #5639: Add a *server_hostname* argument to `SSLContext.wrap_socket`
in order to support the TLS SNI extension.  `HTTPSConnection` and
`urlopen()` also use this argument, so that HTTPS virtual hosts are now
supported.
2010-10-22 18:19:07 +00:00
Benjamin Peterson 31370951c0 Merged revisions 85432 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r85432 | benjamin.peterson | 2010-10-13 17:06:39 -0500 (Wed, 13 Oct 2010) | 1 line

  constify to appease compiler warnings
........
2010-10-13 22:20:48 +00:00
Benjamin Peterson eb1410fc40 constify to appease compiler warnings 2010-10-13 22:06:39 +00:00
Antoine Pitrou fc113eeb7d Define a "session_id_context" at context creation. This is recommended
for the OpenSSL server-side session cache.
2010-10-13 12:46:13 +00:00
Gregory P. Smith bd4dacb3f9 Fix compile on NetBSD 5.0 (or anything else using an old 0.9.9-dev OpenSSL). 2010-10-13 03:53:21 +00:00
Antoine Pitrou b0182c8ca5 Issue #10075: Add a session_stats() method to SSLContext objects. 2010-10-12 20:09:02 +00:00
Antoine Pitrou 10c4c23a25 Merged revisions 84464 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84464 | antoine.pitrou | 2010-09-03 20:38:17 +0200 (ven., 03 sept. 2010) | 3 lines

  Issue #3805: clean up implementation of the _read method in _ssl.c.
........
2010-09-03 18:39:47 +00:00
Antoine Pitrou 24e561ae04 Issue #3805: clean up implementation of the _read method in _ssl.c. 2010-09-03 18:38:17 +00:00
Antoine Pitrou 67e8e5633e Try to fix some buildbot failures on test_ssl 2010-09-01 20:55:41 +00:00