Commit Graph

165 Commits

Author SHA1 Message Date
Christian Heimes 892d66e422
bpo-31429: Define TLS cipher suite on build time (#3532)
Until now Python used a hard coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python did neither benefit from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.

Python now defaults to OpenSSL DEFAULT cipher suite selection and black
lists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-29 14:10:18 +01:00
Christian Heimes 61d478c71c
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP

The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.

* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-27 15:51:38 +01:00
Mads Jensen 746cc75541 bpo-31853: Replaced socket.method calls with super() in SSLSocket. (#4048) 2018-01-27 13:34:28 +01:00
Mandeep Singh ede2ac913e bpo-23033: Improve SSL Certificate handling (GH-937)
Wildcard is now supported in hostname when it is one and only character in
the leftmost segment.
2017-11-26 14:31:27 -08:00
INADA Naoki b75a228af8 bpo-31659: Use simple slicing to format PEM cert (GH-3849)
DER_cert_to_PEM_cert() used textwrap.fill() to format PEM.
But it's library to wrap lines on word boundary, while PEM is
base64 encoded string.

Additionally, importing textwrap is little slow.
2017-10-02 16:33:42 +09:00
Christian Heimes a170fa162d bpo-31346: Use PROTOCOL_TLS_CLIENT/SERVER (#3058)
Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and
PROTOCOL_TLS_SERVER.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:27:30 +02:00
Christian Heimes 4df60f18c6 bpo-31386: Custom wrap_bio and wrap_socket type (#3426)
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and
SSLSocket as return types. In the light of future deprecation of
ssl.wrap_socket() module function and direct instantiation of SSLSocket,
it is desirable to make the return type of SSLSocket.wrap_bio() and
SSLSocket.wrap_socket() customizable.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:26:05 +02:00
Christian Heimes b3ad0e5127 bpo-28182: Expose OpenSSL verification results (#3412)
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.

Original patch by Chi Hsuan Yen

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-08 12:00:19 -07:00
Christian Heimes cb5b68abde bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
* bpo-29136: Add TLS 1.3 support

TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.

Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 18:07:00 -07:00
Christian Heimes 888bbdc192 bpo-27340: Use memoryview in SSLSocket.sendall() (#3384)
* bpo-27340: Use memoryview in SSLSocket.sendall()

SSLSocket.sendall() now uses memoryview to create slices of data. This fix
support for all bytes-like object. It is also more efficient and avoids
costly copies.

Signed-off-by: Christian Heimes <christian@python.org>

* Cast view to bytes, fix typo

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 14:18:21 -07:00
Christian Heimes 5fe668c672 Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext 2016-09-12 00:01:11 +02:00
Christian Heimes 99a6570295 Issue #19500: Add client-side SSL session resumption to the ssl module. 2016-09-10 23:44:53 +02:00
Christian Heimes d04863771b Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.
The deprecation include manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.

ssl.wrap_socket() is not marked as deprecated yet.
2016-09-10 23:23:33 +02:00
Christian Heimes 358cfd426c Issue 28043: SSLContext has improved default settings
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes 3aeacad561 Issue #28025: Convert all ssl module constants to IntEnum and IntFlags. 2016-09-10 00:19:35 +02:00
Christian Heimes ac041c0aa7 Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. 2016-09-06 20:07:58 +02:00
Christian Heimes 03d13c0cbf Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. 2016-09-06 20:06:47 +02:00
Christian Heimes 01113faef9 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:23:24 +02:00
Christian Heimes 598894ff48 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:19:05 +02:00
Steve Dower 48df37dbb8 Issue #27114: Fix SSLContext._load_windows_store_certs fails with PermissionError 2016-05-26 12:19:42 -07:00
Steve Dower 33bc4a2983 Issue #27114: Fix SSLContext._load_windows_store_certs fails with PermissionError 2016-05-26 12:18:12 -07:00
Martin Panter 519f91215b Issue #25951: Fix SSLSocket.sendall() to return None, by Aviv Palivoda 2016-04-03 02:12:54 +00:00
Martin Panter f6b1d66a3c Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes 2016-03-28 00:22:09 +00:00
Steve Dower 8dd7aebc23 Issue #26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji. 2016-03-17 15:02:39 -07:00
Ethan Furman 24e837f231 issue23673
add private method to enum to support replacing global constants with Enum members:
- search for candidate constants via supplied filter
- create new enum class and members
- insert enum class and replace constants with members via supplied module name
- replace __reduce_ex__ with function that returns member name, so previous Python versions can unpickle
modify IntEnum classes to use new method
2015-03-18 17:27:57 -07:00
Benjamin Peterson 3e2500d6db merge 3.4 2015-03-04 23:20:23 -05:00
Benjamin Peterson 7bcf9a5588 use _import_symbols to import VERIFY_* constants 2015-03-04 23:18:57 -05:00
Benjamin Peterson 869311dd97 merge 3.4 (#23481) 2015-02-19 17:58:19 -05:00
Benjamin Peterson 500af332f4 remove rc4 from the default client ciphers (closes #23481) 2015-02-19 17:57:08 -05:00
Antoine Pitrou c481bfb3f6 Issue #23239: ssl.match_hostname() now supports matching of IP addresses. 2015-02-15 18:12:20 +01:00
Benjamin Peterson cca2732a82 add support for ALPN (closes #20188) 2015-01-23 16:35:37 -05:00
Benjamin Peterson c114e7db60 remove extra definite article 2015-01-11 15:22:07 -05:00
Benjamin Peterson 5318c7aa59 explain None can be returned 2015-01-07 11:26:50 -06:00
Benjamin Peterson 4cb17812d9 expose the client's cipher suites from the handshake (closes #23186) 2015-01-07 11:14:26 -06:00
Victor Stinner fcfed19913 Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
Victor Stinner 9d01717f37 Issue #20896, #22935: The ssl.get_server_certificate() function now uses the
ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum
compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is
disabled.
2015-01-06 12:21:26 +01:00
Victor Stinner 0041142785 Issue #22935: Fix ssl module when SSLv3 protocol is not supported 2014-12-12 12:23:09 +01:00
Benjamin Peterson 7243b574e5 don't require OpenSSL SNI to pass hostname to ssl functions (#22921)
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Victor Stinner beeb512fe1 Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The
availability of the function is checked during the compilation.

Patch written by Bernard Spil.
2014-11-28 13:28:25 +01:00
Benjamin Peterson f9284ae8ed merge 3.4 (#22921) 2014-11-23 17:06:39 -06:00
Benjamin Peterson 1cca273669 merge 3.4 (#22417) 2014-11-03 14:36:48 -05:00
Benjamin Peterson 4ffb075271 PEP 476: enable HTTPS certificate verification by default (#22417)
Patch by Alex Gaynor with some modifications by me.
2014-11-03 14:29:33 -05:00
Berker Peksag 1ed2e69a4a Issue #22186: Fix typos in Lib/.
Patch by Févry Thibault.
2014-10-19 18:07:05 +03:00
Berker Peksag f23530f569 Issue #22186: Fix typos in Lib/.
Patch by Févry Thibault.
2014-10-19 18:04:38 +03:00
Antoine Pitrou a21de3d45e Issue #22638: SSLv3 is now disabled throughout the standard library.
It can still be enabled by instantiating a SSLContext manually.
2014-10-17 19:28:30 +02:00
Antoine Pitrou e4eda4d33f Issue #22638: SSLv3 is now disabled throughout the standard library.
It can still be enabled by instantiating a SSLContext manually.
2014-10-17 19:28:30 +02:00
Antoine Pitrou 3cb9379881 Remove unused "block" argument in SSLObject.do_handshake() (issue #21965) 2014-10-06 00:21:09 +02:00
Antoine Pitrou b1fdf47ff5 Issue #21965: Add support for in-memory SSL to the ssl module.
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Benjamin Peterson 8b9cfa1066 merge 3.4 (#22449) 2014-10-03 17:33:45 -04:00
Benjamin Peterson 5915b0f924 also use openssl envvars to find certs on windows (closes #22449)
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00