Commit Graph

428 Commits

Author SHA1 Message Date
Mike 53f7a7c281 bpo-32297: Few misspellings found in Python source code comments. (#4803)
* Fix multiple typos in code comments

* Add spacing in comments (test_logging.py, test_math.py)

* Fix spaces at the beginning of comments in test_logging.py
2017-12-14 13:04:53 +02:00
Mandeep Singh ede2ac913e bpo-23033: Improve SSL Certificate handling (GH-937)
Wildcard is now supported in hostname when it is one and only character in
the leftmost segment.
2017-11-26 14:31:27 -08:00
Christian Heimes e82c034496 bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED (#3531)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:29:57 +02:00
Christian Heimes a170fa162d bpo-31346: Use PROTOCOL_TLS_CLIENT/SERVER (#3058)
Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and
PROTOCOL_TLS_SERVER.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:27:30 +02:00
Christian Heimes 4df60f18c6 bpo-31386: Custom wrap_bio and wrap_socket type (#3426)
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and
SSLSocket as return types. In the light of future deprecation of
ssl.wrap_socket() module function and direct instantiation of SSLSocket,
it is desirable to make the return type of SSLSocket.wrap_bio() and
SSLSocket.wrap_socket() customizable.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:26:05 +02:00
Victor Stinner 50a72af657 test_ssl: Implement timeout in ssl_io_loop() (#3500)
The timeout parameter was not used.
2017-09-11 09:34:24 -07:00
Christian Heimes b3ad0e5127 bpo-28182: Expose OpenSSL verification results (#3412)
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.

Original patch by Chi Hsuan Yen

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-08 12:00:19 -07:00
Christian Heimes cb5b68abde bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
* bpo-29136: Add TLS 1.3 support

TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.

Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 18:07:00 -07:00
Christian Heimes 888bbdc192 bpo-27340: Use memoryview in SSLSocket.sendall() (#3384)
* bpo-27340: Use memoryview in SSLSocket.sendall()

SSLSocket.sendall() now uses memoryview to create slices of data. This fix
support for all bytes-like object. It is also more efficient and avoids
costly copies.

Signed-off-by: Christian Heimes <christian@python.org>

* Cast view to bytes, fix typo

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 14:18:21 -07:00
Antoine Pitrou a6a4dc816d bpo-31370: Remove support for threads-less builds (#3385)
* Remove Setup.config
* Always define WITH_THREAD for compatibility.
2017-09-07 18:56:24 +02:00
Christian Heimes 6877111648 bpo-29781: Fix SSLObject.version before handshake (#3364)
SSLObject.version() now correctly returns None when handshake over BIO has
not been performed yet.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-05 21:55:40 -07:00
Christian Heimes 305e56c27a bpo-31320: No traceback to sys.stderr in test_ssl (#3360)
In case PROTOCOL_TLS_SERVER is used for both client context and server
context, the test thread dies with OSError. Catch OSError to avoid
traceback on sys.stderr

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-05 16:37:09 -07:00
Christian Heimes 002d64039b bpo-25674: remove sha256.tbs-internet.com ssl test (#3297)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-04 22:26:01 +02:00
Victor Stinner 8687101589 bpo-31323: Fix reference leak in test_ssl (#3263)
Store exceptions as string rather than object to prevent reference
cycles which cause leaking dangling threads.
2017-09-02 00:26:17 +02:00
Christian Heimes 7b40cb7293 bpo-30714: ALPN changes for OpenSSL 1.1.0f (#2305)
OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
callback can pretend to not been set.

See https://github.com/openssl/openssl/pull/3158 for more details

Signed-off-by: Christian Heimes <christian@python.org>
2017-08-15 10:33:43 +02:00
Steve Dower 68d663cf85 [bpo-30916] Pre-build OpenSSL and Tcl/Tk for Windows (#2688)
Updates ssl and tkinter projects to use pre-built externals
2017-07-17 11:15:48 +02:00
Nathaniel J. Smith 59fdf0f3ba Add a test for bad IDNA in ssl server_hostname (#1997)
See discussion:
  https://github.com/python/cpython/pull/1992#issuecomment-307024778
2017-06-09 11:35:16 +02:00
Victor Stinner 1dae7450c6 bpo-30199: test_ssl closes all asyncore channels (#1381)
AsyncoreEchoServer of test_ssl now calls
asyncore.close_all(ignore_all=True) to ensure that
asyncore.socket_map is cleared once the test completes, even if
ConnectionHandler was not correctly unregistered.

Fix the following warning:

Warning -- asyncore.socket_map was modified by test_ssl
  Before: {}
  After:  {6: <test.test_ssl.AsyncoreEchoServer.EchoServer.ConnectionHandler>}
2017-05-02 13:12:02 +02:00
Serhiy Storchaka 70d28a184c Remove unused imports. 2016-12-16 20:00:15 +02:00
Martin Panter b1321fba53 Issue #28394: More typo fixes for 3.6+ 2016-10-10 00:38:21 +00:00
Christian Heimes a5d0765990 Finish GC code for SSLSession and increase test coverage 2016-09-24 10:48:05 +02:00
Martin Panter 22ecc4b36d Issue #28221: Merge SSL test cleanup from 3.5 into 3.6 2016-09-24 03:03:07 +00:00
Martin Panter 8609cda961 Issue #28221: Remove unused assignment from test_asyncore_server()
The later value of FOO is fine. The test just needs to verify that the server
converted it to lowercase.
2016-09-23 23:45:56 +00:00
Martin Panter 3217b1243e Merge socketserver fixes from 3.5 into 3.6 2016-09-22 10:33:51 +00:00
Martin Panter 463ef2b3cf Fix references to Python 3’s socketserver (lowercase) module 2016-09-22 09:37:56 +00:00
Christian Heimes 9017ec1ea0 Issue #28093: Check more invalid combinations of PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER 2016-09-12 10:48:20 +02:00
Christian Heimes 5fe668c672 Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext 2016-09-12 00:01:11 +02:00
Christian Heimes 99a6570295 Issue #19500: Add client-side SSL session resumption to the ssl module. 2016-09-10 23:44:53 +02:00
Christian Heimes d04863771b Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.
The deprecation include manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.

ssl.wrap_socket() is not marked as deprecated yet.
2016-09-10 23:23:33 +02:00
Christian Heimes 358cfd426c Issue 28043: SSLContext has improved default settings
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes 1c03abd026 Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. 2016-09-06 23:25:35 +02:00
Christian Heimes 598894ff48 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:19:05 +02:00
R David Murray 44b548dda8 #27364: fix "incorrect" uses of escape character in the stdlib.
And most of the tools.

Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and
Martin Panter.
2016-09-08 13:59:53 -04:00
Christian Heimes fe3c9c1ee9 Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. 2016-09-06 23:27:06 +02:00
Christian Heimes 582282b7d0 Issue 27866: relax get_cipher() test even more. Gentoo buildbot has no ECDHE 2016-09-06 11:27:25 +02:00
Christian Heimes ea9b2dc9e3 Issue 27866: relax test case for set_cipher() and allow more cipher suites 2016-09-06 10:45:44 +02:00
Christian Heimes 25bfcd5d9e Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers. 2016-09-06 00:04:45 +02:00
Christian Heimes 01113faef9 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:23:24 +02:00
Martin Panter 7386268ffd Issue #23804: Merge SSL recv() fix from 3.5 2016-07-11 01:32:09 +00:00
Martin Panter bed7f1a512 Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF 2016-07-11 00:17:13 +00:00
Larry Hastings c2f2ef8faa Merge from 3.5. 2016-06-26 20:00:51 -07:00
Matthias Klose f7c562439b Issue #26867: Ubuntu's openssl OP_NO_SSLv3 is forced on by default; fix test. 2016-06-12 23:40:00 -07:00
Martin Panter 519f91215b Issue #25951: Fix SSLSocket.sendall() to return None, by Aviv Palivoda 2016-04-03 02:12:54 +00:00
Martin Panter ef4bb1e994 Issue #23804: Merge SSL zero read fix from 3.5 2016-03-28 01:09:13 +00:00
Martin Panter f6b1d66a3c Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes 2016-03-28 00:22:09 +00:00
Martin Panter afd465d497 Issue #26644: Merge SSL negative read fix from 3.5 2016-03-27 10:40:22 +00:00
Martin Panter 5503d4731e Issue #26644: Raise ValueError for negative SSLSocket.recv() and read() 2016-03-27 05:35:19 +00:00
Martin Panter 3840b2ac67 Issue #25940: Use internal local server more in test_ssl
Move many tests from NetworkedTests and NetworkedBIOTests to a new Simple-
BackgroundTests class, using the existing ThreadedEchoServer and SIGNED_
CERTFILE infrastructure.

For tests that cause the server to crash by rejecting its certificate,
separate them into independent test methods.

Added custom root certificate to capath with the following commands:

cp Lib/test/{pycacert.pem,capath/}
# Edit copy to remove part before certificate
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{pycacert.pem,b1930218.0}
mv Lib/test/capath/{pycacert.pem,ceff1710.0}

Change to pure PEM version of SIGNING_CA because PEM_cert_to_DER_cert() does
not like the extra text at the start.

Moved test_connect_ex_error() into BasicSocketTests and rewrote it to connect
to a reserved localhost port.

NetworkedTests.test_get_server_certificate_ipv6() split out because it needs
to connect to an IPv6 DNS address.

The only reference left to self-signed.pythontest.net is test_timeout_
connect_ex(), which needs a remote server to reliably time out the
connection, but does not rely on the server running SSL.

Made ThreadedEchoServer call unwrap() by default when it sees the client has
shut the connection down, so that the client can cleanly call unwrap().
2016-03-27 01:53:46 +00:00
Victor Stinner e0b75b7e87 Fix test_ssl.test_refcycle()
Issue #26590: support.check_warnings() stores warnins, but ResourceWarning now
comes with a reference to the socket object which indirectly keeps the socket
alive.
2016-03-21 17:26:04 +01:00
Martin Panter 3464ea2807 Issue #26173: Separate bad cert file tests and client rejection test
Test test_wrong_cert() runs a server that rejects the client's certificate,
so ECONNRESET is reasonable in addition to SSLError. On the other hand, the
other three tests don't even need to run a server because they are just
testing the parsing of invalid certificate files.

Also fix a ResourceWarning by closing the wrapped socket.
2016-02-01 21:58:11 +00:00