Commit Graph

471 Commits

Author SHA1 Message Date
Benjamin Peterson 5915b0f924 also use openssl envvars to find certs on windows (closes #22449)
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
Antoine Pitrou 47e40429fb Issue #20421: Add a .version() method to SSL sockets exposing the actual protocol version in use. 2014-09-04 21:00:10 +02:00
Charles-François Natali 6e20460dc6 Issue #21566: Make use of socket.listen() default backlog. 2014-07-23 19:28:13 +01:00
Antoine Pitrou 26408df88f Issue #21976: Fix test_ssl to accept LibreSSL version strings.
Thanks to William Orr.
2014-07-21 18:37:36 -04:00
Antoine Pitrou dfab935c74 Issue #21976: Fix test_ssl to accept LibreSSL version strings.
Thanks to William Orr.
2014-07-21 18:35:01 -04:00
Giampaolo Rodola' 915d14190e fix issue #17552: add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'· 2014-06-11 03:54:30 +02:00
Antoine Pitrou b4bebdafe3 Issue #20951: SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
Antoine Pitrou c695c95626 Issue #19940: ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
Patch by Akira.
2014-04-28 20:57:36 +02:00
Antoine Pitrou 172f025bed Issue #21068: The ssl.PROTOCOL* constants are now enum members. 2014-04-18 20:33:08 +02:00
Antoine Pitrou c043061667 Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015 2014-04-16 18:33:39 +02:00
Antoine Pitrou 94a5b663bf Issue #20896: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility. 2014-04-16 18:56:28 +02:00
Donald Stufft 6a2ba94908 Issue #21013: Enhance ssl.create_default_context() for server side contexts
Closes #21013 by modfying ssl.create_default_context() to:

* Move the restricted ciphers to only apply when using
  ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
  is the lack of RC4 in the restricted. However there are servers that exist
  that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
  will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
  of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
  socket the context will prioritize our ciphers which have been carefully
  selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
  that end users can more easily determine if they need to unset
  ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
Antoine Pitrou 0bebbc33fa Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
(should also fix a buildbot failure introduced by #20995)
2014-03-22 18:13:50 +01:00
Benjamin Peterson 10b93cc29c merge 3.3 (#20896) 2014-03-12 18:10:57 -05:00
Benjamin Peterson d0fc83d5eb merge 3.2 (#20896) 2014-03-12 18:10:47 -05:00
Benjamin Peterson cf25c5caae use ssl.PROTOCOL_SSLv23 for maximum compatibility (closes #20896) 2014-03-12 18:05:53 -05:00
Antoine Pitrou ba44860c11 Try to fix test_ssl failures on some buildbots 2014-01-09 21:30:17 +01:00
Antoine Pitrou 32c4915b23 Try to fix test_ssl failures on some buildbots 2014-01-09 21:28:48 +01:00
Antoine Pitrou 78ace81c93 Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. 2014-01-09 20:09:03 +01:00
Antoine Pitrou cd3d7cabef Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. 2014-01-09 20:02:20 +01:00
Antoine Pitrou 3e86ba4e32 Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:26:33 +01:00
Antoine Pitrou e6d2f159fc Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:30:51 +01:00
Victor Stinner 36e96b8716 (Merge 3.3) Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now
raise a ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:25 +01:00
Victor Stinner 1e81a399a2 Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a
ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:04 +01:00
Christian Heimes bd9cbb0691 Issue #19919: Fix flacky SSL test. connect_ex() sometimes returns
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:16:45 +01:00
Christian Heimes de57074874 Issue #19919: Fix flacky SSL test. connect_ex() sometimes returns
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:15:44 +01:00
Christian Heimes 575596e19a test_ssl: skip tests when SNI is not available 2013-12-15 21:49:17 +01:00
Christian Heimes 8e7f394282 Test SSLSock's context getter and setter 2013-12-05 07:41:08 +01:00
Christian Heimes a02c69a73b add check_hostname arg to ssl._create_stdlib_context() 2013-12-02 20:59:28 +01:00
Christian Heimes 1aa9a75fbf Issue #19509: Add SSLContext.check_hostname to match the peer's certificate
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Christian Heimes 67986f9431 Issue #19735: Implement private function ssl._create_stdlib_context() to
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
2013-11-23 22:43:47 +01:00
Christian Heimes 4c05b472dd Issue #19689: Add ssl.create_default_context() factory function. It creates
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes 72d28500b3 Issue #19292: Add SSLContext.load_default_certs() to load default root CA
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes 2427b50fdd Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes 5398e1a56e Issue #19448: report name / NID in exception message of ASN1Object 2013-11-22 16:20:53 +01:00
Christian Heimes c2d65e1e93 Issue #17134: check certs of CA and ROOT system store 2013-11-22 16:13:55 +01:00
Christian Heimes 32f0c7a67b or VERIFY_CRL_CHECK_LEAF to verify_flags 2013-11-22 03:43:48 +01:00
Christian Heimes 44109d7de7 Issue #17134: Finalize interface to Windows' certificate store. Cert and
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes d6dc952e17 one CERT_REQUIRED is enough 2013-11-22 00:39:38 +01:00
Christian Heimes 225877917e Issue #8813: Add SSLContext.verify_flags to change the verification flags
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes bd3a7f90b5 Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
and CRL distribution points.
2013-11-21 03:40:15 +01:00
Christian Heimes efff7060f8 Issue #18138: Implement cadata argument of SSLContext.load_verify_location()
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
Christian Heimes a6bc95aa02 Issue #19448: Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name. 2013-11-17 19:59:14 +01:00
Georg Brandl ec3c103520 Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
``uniformResourceIdentifier`` (URI).
2014-09-30 14:04:51 +02:00
Georg Brandl 72c98d3a76 Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
for security reasons.  It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
Georg Brandl b89b5df9c9 merge with 3.3 2013-10-27 07:46:09 +01:00
Antoine Pitrou 20b85557f2 Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done. 2013-09-29 19:50:53 +02:00
Christian Heimes 2769d44827 Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger 2013-08-25 14:12:50 +02:00
Christian Heimes 157c9834b4 Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger 2013-08-25 14:12:41 +02:00
Christian Heimes 6acbe2aaa3 Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork.
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:34 +02:00
Christian Heimes f77b4b20e9 Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork.
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
Christian Heimes e06d47c70c Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00
Christian Heimes 824f7f366d Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
Antoine Pitrou 2894073e1a test_ssl: use a bytestring here 2013-07-20 19:36:15 +02:00
Antoine Pitrou 60a26e0516 Issue #9177: Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket.
Patch by Senko Rasic.
2013-07-20 19:35:16 +02:00
Christian Heimes 9a5395ae2b Issue #18147: Add diagnostic functions to ssl.SSLContext().
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
Christian Heimes 9424bb4aea Issue #18207: Fix test_ssl for some versions of OpenSSL that ignore seconds
in ASN1_TIME fields.
2013-06-17 15:32:57 +02:00
Christian Heimes 46bebee25f Issue #17134: Add ssl.enum_cert_store() as interface to Windows' cert store. 2013-06-09 19:03:31 +02:00
Christian Heimes 6d7ad13a45 Issue #18143: Implement ssl.get_default_verify_paths() in order to debug
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
Antoine Pitrou 86d53cadda Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). 2013-05-18 17:56:42 +02:00
Antoine Pitrou 636f93c63b Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). 2013-05-18 17:56:42 +02:00
Antoine Pitrou 31fb419908 Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). 2013-05-18 17:59:12 +02:00
Antoine Pitrou 242db728e2 Issue #13721: SSLSocket.getpeercert() and SSLSocket.do_handshake() now raise an OSError with ENOTCONN, instead of an AttributeError, when the SSLSocket is not connected. 2013-05-01 20:52:07 +02:00
Antoine Pitrou 50b24d0d7c Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
Patch by Kazuhiro Yoshida.
(originally issue #8109)
2013-04-11 20:48:42 +02:00
Antoine Pitrou 609ef01b02 In search of TLS 1.1 bug: add debugging output in verbose mode 2013-03-29 18:09:06 +01:00
Antoine Pitrou 972d5bb763 Use a subtest in test_ssl.test_echo 2013-03-29 17:56:03 +01:00
Antoine Pitrou 2463e5fee4 Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù. 2013-03-28 22:24:43 +01:00
Nadeem Vawda 6386e17f39 Issue #13898: test_ssl no longer prints a spurious stack trace on Ubuntu. 2013-03-03 22:48:15 +01:00
Nadeem Vawda ad246bfb71 Issue #13898: test_ssl no longer prints a spurious stack trace on Ubuntu. 2013-03-03 22:44:22 +01:00
Nadeem Vawda 7b39b9b51b Issue #13898: test_ssl no longer prints a spurious stack trace on Ubuntu. 2013-03-03 22:31:21 +01:00
Antoine Pitrou da23259f99 Issue #17107: Test client-side SNI support in urllib.request thanks to the new server-side SNI support in the ssl module.
Initial patch by Daniel Black.
2013-02-05 21:20:51 +01:00
Antoine Pitrou 6b4e2a9c02 In test_ssl, threaded tests shouldn't need the network resource to be enabled 2013-01-12 22:00:54 +01:00
Antoine Pitrou db5012ab47 In test_ssl, threaded tests shouldn't need the "network" resource to be enabled 2013-01-12 22:00:09 +01:00
Antoine Pitrou e9bb4733d9 Issue #16923: Fix ResourceWarnings in test_ssl. 2013-01-12 21:56:56 +01:00
Antoine Pitrou e1ceb50cdf Issue #16923: Fix ResourceWarnings in test_ssl. 2013-01-12 21:54:44 +01:00
Benjamin Peterson f86b3c394c merge 3.3 (#16900) 2013-01-10 14:16:42 -06:00
Benjamin Peterson 36f7b97787 remove __del__ because it's evil and also prevents the ResourceWarning on the socket from happening (closes #16900) 2013-01-10 14:16:20 -06:00
Antoine Pitrou 58ddc9d743 Issue #8109: The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
Antoine Pitrou 49f7e58778 Forward port new test for SSLSocket.connect_ex() 2012-12-28 19:09:41 +01:00
Antoine Pitrou 6464b84b3e Forward port new test for SSLSocket.connect_ex() 2012-12-28 19:08:49 +01:00
Antoine Pitrou ddb87ab1b4 Forward port new test for SSLSocket.connect_ex() 2012-12-28 19:07:43 +01:00
Antoine Pitrou 40f12ab0c5 Backport Python 3.2 fix for issue #12065, and add another test for SSLSocket.connect_ex(). 2012-12-28 19:03:43 +01:00
Andrew Svetlov f7a17b48d7 Replace IOError with OSError (#16715) 2012-12-25 16:47:37 +02:00
Andrew Svetlov 0832af6628 Issue #16717: get rid of socket.error, replace with OSError 2012-12-18 23:10:48 +02:00
Antoine Pitrou 73e9bd4d25 Issue #16357: fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
Original patch by Jeff McNeil.
2012-11-11 01:27:33 +01:00
Antoine Pitrou 5c89b4ec55 Issue #16357: fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
Original patch by Jeff McNeil.
2012-11-11 01:25:36 +01:00
Jesus Cea b7a2800831 MERGE: Closes #15793: Stack corruption in ssl.RAND_egd() 2012-09-11 02:08:48 +02:00
Jesus Cea c8754a13e6 Closes #15793: Stack corruption in ssl.RAND_egd() 2012-09-11 02:00:58 +02:00
Jesus Cea a8a5b397c1 Closes #15793: Stack corruption in ssl.RAND_egd(). Python 2.7 hasn't any issue about this, but add a test just to be sure 2012-09-11 01:55:04 +02:00
Antoine Pitrou 3b36fb1f53 Issue #14837: SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
The str() of a SSLError is also enhanced accordingly.

NOTE: this commit creates a reference leak.  The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type.  The leak is on the
type object when it is instantiated:

>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
Antoine Pitrou c642f67c63 Skip test_algorithms (known remote hosts need SNI, which is only available on 3.2+) 2012-05-04 16:33:30 +02:00
Antoine Pitrou f340c21ca9 Fix test connecting to sha256.tbs-internet.com.
The certificate has changed and the test now needs SNI to pass.
2012-05-04 16:26:56 +02:00
Antoine Pitrou 16f6f8338b Fix test connecting to sha256.tbs-internet.com.
The certificate has changed and the test now needs SNI to pass.
2012-05-04 16:26:02 +02:00
Antoine Pitrou d5d17eb653 Issue #14204: The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
Antoine Pitrou c135fa424e Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay. 2012-02-19 21:22:39 +01:00
Antoine Pitrou ce816a5111 Issue #13895: fix test_ssl hanging under Ubuntu 2012-01-28 17:40:23 +01:00
Antoine Pitrou eba63c4203 Issue #13895: fix test_ssl hanging under Ubuntu 2012-01-28 17:38:34 +01:00
Antoine Pitrou 6636887104 Fix intermittent test_ssl failure. 2012-01-27 17:34:56 +01:00
Antoine Pitrou eced82ecbf Fix intermittent test_ssl failure. 2012-01-27 17:33:01 +01:00
Antoine Pitrou 7a556846d4 Fix intermittent test_ssl failure. 2012-01-27 17:33:01 +01:00
Antoine Pitrou d76088d972 Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
Antoine Pitrou 8f85f907e3 Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
Antoine Pitrou 65a3f4b8c5 Use context managers in test_ssl to simplify test writing. 2011-12-21 16:52:40 +01:00
Antoine Pitrou 5b95eb90a7 Use context managers in test_ssl to simplify test writing. 2011-12-21 16:52:40 +01:00
Antoine Pitrou 72aeec35a1 Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
2012-01-03 22:49:08 +01:00
Antoine Pitrou 0e576f1f50 Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
Antoine Pitrou 6b15c90fd8 Use context managers in test_ssl to simplify test writing. 2011-12-21 16:54:45 +01:00
Antoine Pitrou 501da61671 Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
(followup to issue #13627)
2011-12-21 09:27:41 +01:00
Antoine Pitrou 8691bff6db Fix for buggy test 2011-12-20 10:47:42 +01:00
Antoine Pitrou 8abdb8abd8 Issue #13634: Add support for querying and disabling SSL compression. 2011-12-20 10:13:40 +01:00
Antoine Pitrou 923df6f22a Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
Antoine Pitrou 6db4944cc5 Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
Antoine Pitrou cf9943de97 Backout redundant changeset 1de4d92cd6a4 2011-10-31 20:23:00 +01:00
Barry Warsaw 39aec0171d test_protocol_sslv2(): Skip this test if ssl.PROTOCOL_SSLv2 is not
defined (as is the case with Ubuntu 11.10).
2011-10-31 14:08:15 -04:00
Antoine Pitrou 6361ea2b07 Remove unstable SSL tests in the absence of ssl.OP_NO_{SSLv2,SSLv3,TLSv1} 2011-10-30 21:31:34 +01:00
Barry Warsaw be83698f21 - Issue #13218: Fix test_ssl failures on Debian/Ubuntu. 2011-10-28 16:14:44 -04:00
Barry Warsaw c21a81bf76 - Issue #13218: Fix test_ssl failures on Debian/Ubuntu. 2011-10-28 17:08:12 -04:00
Barry Warsaw 46ae0efce1 - Issue #13218: Fix test_ssl failures on Debian/Ubuntu. 2011-10-28 16:52:17 -04:00
Antoine Pitrou 41032a69c1 Issue #11183: Add finer-grained exceptions to the ssl module, so that
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
Antoine Pitrou f06eb46918 Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported. 2011-10-01 19:30:58 +02:00
Antoine Pitrou a02a12c517 Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported. 2011-10-01 19:22:30 +02:00
Antoine Pitrou d8c347a8de Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported. 2011-10-01 19:20:25 +02:00
Nick Coghlan 513886aabb Fix #12835: prevent use of the unencrypted sendmsg/recvmsg APIs on SSL wrapped sockets (Patch by David Watson) 2011-08-28 00:00:27 +10:00
Antoine Pitrou 4fd1e6a3ba Issue #12803: SSLContext.load_cert_chain() now accepts a password argument
to be used if the private key is encrypted.  Patch by Adam Simpkins.
2011-08-25 14:39:44 +02:00
Nick Coghlan 5fab03fd15 Remove the SSLSocket versions of sendmsg/recvmsg due to lack of proper tests and documentation in conjunction with lack of any known use cases (see issue #6560 for details) 2011-08-23 22:26:44 +10:00
Nick Coghlan 96fe56abec Add support for the send/recvmsg API to the socket module. Patch by David Watson and Heiko Wundram. (Closes #6560) 2011-08-22 11:55:57 +10:00
Antoine Pitrou d649480739 Issue #12551: Provide a get_channel_binding() method on SSL sockets so as
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented).  This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.

Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
Antoine Pitrou 7128f95bd2 Issue #12440: When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:49:07 +02:00
Antoine Pitrou b9ac25d1c3 Issue #12440: When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:47:06 +02:00
Victor Stinner 2e2baa9208 Issue #12049: test_ssl now checks also that RAND_bytes() raises an error if
there is not enough entropy.
2011-05-25 11:15:16 +02:00
Victor Stinner 99c8b16143 Issue #12049: Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
module.
2011-05-24 12:05:19 +02:00
Victor Stinner 2e7f39e889 Issue #12012: test_ssl uses test_support.import_module()
Skip the whole file if the SSL module is missing. It was already the case,
except that the SkipTest exception was raised in test_main().

This commit fixes an error in test_ssl if the ssl module is missing.
2011-05-22 13:22:28 +02:00
Antoine Pitrou 7a616f2fc5 Issue #12065: connect_ex() on an SSL socket now returns the original errno
when the socket's timeout expires (it used to return None).
2011-05-18 18:52:20 +02:00
Antoine Pitrou b4410dbea6 Issue #12065: connect_ex() on an SSL socket now returns the original errno
when the socket's timeout expires (it used to return None).
2011-05-18 18:51:06 +02:00
Victor Stinner b1241f9619 (Merge 3.1) Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 01:52:03 +02:00
Victor Stinner 17ca323e7c (Merge 3.1) Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00
Victor Stinner ee18b6f2fd Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:38:00 +02:00
Victor Stinner 3de49192aa Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-09 00:42:58 +02:00
Antoine Pitrou ff9bfca482 Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
2011-05-06 15:20:55 +02:00
Antoine Pitrou 1c86b44506 Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
2011-05-06 15:19:49 +02:00
Antoine Pitrou 5aefa6637c Fix whitespace 2011-04-28 19:24:46 +02:00
Antoine Pitrou 15399c3f09 Issue #11811: ssl.get_server_certificate() is now IPv6-compatible. Patch
by Charles-François Natali.
2011-04-28 19:23:55 +02:00
Antoine Pitrou 8ef3907044 Merged revisions 88671 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r88671 | antoine.pitrou | 2011-02-27 16:44:12 +0100 (dim., 27 févr. 2011) | 3 lines

  Follow up to r88664: non-blocking connect-ex() can return EWOULDBLOCK under Windows
........
2011-02-27 15:45:22 +00:00
Antoine Pitrou d1c9845b54 Merged revisions 88671 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r88671 | antoine.pitrou | 2011-02-27 16:44:12 +0100 (dim., 27 févr. 2011) | 3 lines

  Follow up to r88664: non-blocking connect-ex() can return EWOULDBLOCK under Windows
........
2011-02-27 15:45:16 +00:00
Antoine Pitrou 8a14a0c88b Follow up to r88664: non-blocking connect-ex() can return EWOULDBLOCK under Windows 2011-02-27 15:44:12 +00:00
Antoine Pitrou d3f6ea1d1e Merged revisions 88664 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r88664 | antoine.pitrou | 2011-02-27 00:24:06 +0100 (dim., 27 févr. 2011) | 4 lines

  Issue #11326: Add the missing connect_ex() implementation for SSL sockets,
  and make it work for non-blocking connects.
........
2011-02-26 23:35:27 +00:00
Antoine Pitrou 86cbfec50a Merged revisions 88664 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r88664 | antoine.pitrou | 2011-02-27 00:24:06 +0100 (dim., 27 févr. 2011) | 4 lines

  Issue #11326: Add the missing connect_ex() implementation for SSL sockets,
  and make it work for non-blocking connects.
........
2011-02-26 23:25:34 +00:00
Antoine Pitrou e93bf7aed2 Issue #11326: Add the missing connect_ex() implementation for SSL sockets,
and make it work for non-blocking connects.
2011-02-26 23:24:06 +00:00
Victor Stinner 80f75e684e Issue #10989: Fix a crash on SSLContext.load_verify_locations(None, True).
Patch reviewed by Antoine Pitrou, okayed by Georg Brandl.
2011-01-29 11:31:20 +00:00
Antoine Pitrou d43245a965 Merged revisions 87861,87863 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r87861 | antoine.pitrou | 2011-01-08 11:23:29 +0100 (sam., 08 janv. 2011) | 3 lines

  Fix test_ssl after r87849
........
  r87863 | antoine.pitrou | 2011-01-08 11:28:11 +0100 (sam., 08 janv. 2011) | 3 lines

  Add EHOSTUNREACH ('No route to host') to the errnos trapped by transient_internet().
........
2011-01-08 10:32:51 +00:00
Antoine Pitrou 50778ab4c2 Merged revisions 87861,87863 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r87861 | antoine.pitrou | 2011-01-08 11:23:29 +0100 (sam., 08 janv. 2011) | 3 lines

  Fix test_ssl after r87849
........
  r87863 | antoine.pitrou | 2011-01-08 11:28:11 +0100 (sam., 08 janv. 2011) | 3 lines

  Add EHOSTUNREACH ('No route to host') to the errnos trapped by transient_internet().
........
2011-01-08 10:31:09 +00:00
Antoine Pitrou 160fd938ed Fix test_ssl after r87849 2011-01-08 10:23:29 +00:00
Victor Stinner f332abbf15 test_ssl: test SHA256 using sha256.tbs-internet.com instead of sha2.hboeck.de 2011-01-08 03:16:05 +00:00
Antoine Pitrou c4df784514 Issue #10272: The ssl module now raises socket.timeout instead of a generic
SSLError on socket timeouts.
2010-12-03 19:59:41 +00:00
Ezio Melotti ed3a7d2d60 #10273: Rename assertRegexpMatches and assertRaisesRegexp to assertRegex and assertRaisesRegex. 2010-12-01 02:32:32 +00:00
Georg Brandl f55aa80b37 Merged revisions 85820,85823,85825,85840,85843-85845,85849-85851,85855,85867,85875,85907-85908,85911,85914 via svnmerge from
svn+ssh://svn.python.org/python/branches/py3k

........
  r85820 | georg.brandl | 2010-10-24 16:20:22 +0200 (So, 24 Okt 2010) | 1 line

  Remove usage of exception indexing.
........
  r85823 | georg.brandl | 2010-10-24 16:32:45 +0200 (So, 24 Okt 2010) | 1 line

  Fix style.
........
  r85825 | georg.brandl | 2010-10-24 17:16:02 +0200 (So, 24 Okt 2010) | 1 line

  Add documentation about the default warnings filters.
........
  r85840 | georg.brandl | 2010-10-25 19:50:20 +0200 (Mo, 25 Okt 2010) | 1 line

  #3018: tkinter demo fixes for py3k.
........
  r85843 | georg.brandl | 2010-10-26 08:59:23 +0200 (Di, 26 Okt 2010) | 1 line

  Markup fix.
........
  r85844 | georg.brandl | 2010-10-26 12:39:14 +0200 (Di, 26 Okt 2010) | 1 line

  Work a bit more on tkinter demos.
........
  r85845 | georg.brandl | 2010-10-26 12:42:16 +0200 (Di, 26 Okt 2010) | 1 line

  faqwiz is removed.
........
  r85849 | georg.brandl | 2010-10-26 21:31:06 +0200 (Di, 26 Okt 2010) | 1 line

  #10200: typo.
........
  r85850 | georg.brandl | 2010-10-26 21:58:11 +0200 (Di, 26 Okt 2010) | 1 line

  #10200: typo.
........
  r85851 | georg.brandl | 2010-10-26 22:12:37 +0200 (Di, 26 Okt 2010) | 1 line

  Fix import.
........
  r85855 | georg.brandl | 2010-10-27 09:21:54 +0200 (Mi, 27 Okt 2010) | 1 line

  Encoding fix.
........
  r85867 | georg.brandl | 2010-10-27 22:01:51 +0200 (Mi, 27 Okt 2010) | 1 line

  Add David.
........
  r85875 | georg.brandl | 2010-10-28 10:38:30 +0200 (Do, 28 Okt 2010) | 1 line

  Fix bytes/str issues in get-remote-certificate.py.
........
  r85907 | georg.brandl | 2010-10-29 06:54:13 +0200 (Fr, 29 Okt 2010) | 1 line

  #10222: fix for overzealous AIX compiler.
........
  r85908 | georg.brandl | 2010-10-29 07:22:17 +0200 (Fr, 29 Okt 2010) | 1 line

  send_bytes obviously needs bytes...
........
  r85911 | georg.brandl | 2010-10-29 07:36:28 +0200 (Fr, 29 Okt 2010) | 1 line

  Fix markup error and update false positive entries from "make suspicious".
........
  r85914 | georg.brandl | 2010-10-29 08:17:38 +0200 (Fr, 29 Okt 2010) | 1 line

  (?:...) is a non-capturing, but still grouping construct.
........
2010-11-26 08:59:40 +00:00
Antoine Pitrou 664c2d1fc0 Issue #10443: Add the SSLContext.set_default_verify_paths() method. 2010-11-17 20:29:42 +00:00
Antoine Pitrou fb0469112f Issue #10022: The dictionary returned by the `getpeercert()` method
of SSL sockets now has additional items such as `issuer` and `notBefore`.
2010-11-09 20:21:19 +00:00
Antoine Pitrou 942d554c5b Don't fail in test_ssl when svn.python.org is unavailable 2010-10-31 13:26:53 +00:00
Antoine Pitrou d2eca37cc5 Clean up socket closing in test_ssl and test.ssl_servers 2010-10-29 23:41:37 +00:00
Georg Brandl b75b639a8b Remove usage of exception indexing. 2010-10-24 14:20:22 +00:00
Antoine Pitrou eb585adbde Fix test_ssl on Ubuntu buildbot with patched OpenSSL 2010-10-22 18:24:20 +00:00
Antoine Pitrou d532321f7b Issue #5639: Add a *server_hostname* argument to `SSLContext.wrap_socket`
in order to support the TLS SNI extension.  `HTTPSConnection` and
`urlopen()` also use this argument, so that HTTPS virtual hosts are now
supported.
2010-10-22 18:19:07 +00:00
Antoine Pitrou 05d936d2ce Let test_ssl fail gracefully if ssl support is not available 2010-10-13 11:38:36 +00:00
Antoine Pitrou 803e6d670c Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and
urllib.request.urlopen now take optional arguments to allow for
server certificate checking, as recommended in public uses of HTTPS.
2010-10-13 10:36:15 +00:00
Antoine Pitrou b0182c8ca5 Issue #10075: Add a session_stats() method to SSLContext objects. 2010-10-12 20:09:02 +00:00
Antoine Pitrou 81564093a1 Issue #1051: Add a script (Lib/test/make_ssl_certs.py) to generate the
custom certificate and private key files used by SSL-related certs.
2010-10-08 23:06:24 +00:00
Antoine Pitrou 59fdd6736b Issue #1589: Add ssl.match_hostname(), to help implement server identity
verification for higher-level protocols.
2010-10-08 10:37:08 +00:00
Giampaolo Rodolà 977c707b42 Fix issue 6706: adds new handle_accepted() method to asyncore.dispatcher 2010-10-04 21:08:36 +00:00
Antoine Pitrou 5974cdd5f5 Merged revisions 84807 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84807 | antoine.pitrou | 2010-09-14 16:43:44 +0200 (mar., 14 sept. 2010) | 4 lines

  Issue #9853: Fix the signature of SSLSocket.recvfrom() and
  SSLSocket.sendto() to match the corresponding socket methods.
........
2010-09-14 14:47:08 +00:00
Antoine Pitrou a468adc76d Issue #9853: Fix the signature of SSLSocket.recvfrom() and
SSLSocket.sendto() to match the corresponding socket methods.
2010-09-14 14:43:44 +00:00
Antoine Pitrou f7f390a251 Issue #9729: Fix the signature of SSLSocket.recvfrom() and
SSLSocket.sendto() to match the corresponding socket methods.  Also,
fix various SSLSocket methods to raise socket.error rather than an
unhelpful TypeError when called on an unconnected socket.  Original patch
by Andrew Bennetts.

NOTE: obviously, these methods are untested and unused in the real world...
2010-09-14 14:37:18 +00:00
Antoine Pitrou de30f7042f Some tests didn't get executed (because of the merge in r83728) 2010-09-14 12:54:08 +00:00
Antoine Pitrou 4e406d8ff4 Merged revisions 84650 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84650 | antoine.pitrou | 2010-09-09 15:31:46 +0200 (jeu., 09 sept. 2010) | 4 lines

  Use transient_internet() where appropriate in test_ssl
  (svn.python.org is sometimes unavailable)
........
2010-09-09 13:35:44 +00:00
Antoine Pitrou 78d8946d19 Merged revisions 84650 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84650 | antoine.pitrou | 2010-09-09 15:31:46 +0200 (jeu., 09 sept. 2010) | 4 lines

  Use transient_internet() where appropriate in test_ssl
  (svn.python.org is sometimes unavailable)
........
2010-09-09 13:33:33 +00:00
Antoine Pitrou 350c7229be Use transient_internet() where appropriate in test_ssl
(svn.python.org is sometimes unavailable)
2010-09-09 13:31:46 +00:00
Antoine Pitrou c818ed4d61 Merged revisions 84597-84599 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84597 | antoine.pitrou | 2010-09-07 22:42:19 +0200 (mar., 07 sept. 2010) | 5 lines

  Issue #8574: better implementation of test.support.transient_internet().
  Original patch by Victor.
........
  r84598 | antoine.pitrou | 2010-09-07 23:05:49 +0200 (mar., 07 sept. 2010) | 6 lines

  Issue #9792: In case of connection failure, socket.create_connection()
  would swallow the exception and raise a new one, making it impossible
  to fetch the original errno, or to filter timeout errors.  Now the
  original error is re-raised.
........
  r84599 | antoine.pitrou | 2010-09-07 23:09:09 +0200 (mar., 07 sept. 2010) | 4 lines

  Improve transient_internet() again to detect more network errors,
  and use it in test_robotparser. Fixes #8574.
........
2010-09-07 21:40:25 +00:00
Antoine Pitrou 4d7979be72 Merged revisions 84597-84599 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84597 | antoine.pitrou | 2010-09-07 22:42:19 +0200 (mar., 07 sept. 2010) | 5 lines

  Issue #8574: better implementation of test.support.transient_internet().
  Original patch by Victor.
........
  r84598 | antoine.pitrou | 2010-09-07 23:05:49 +0200 (mar., 07 sept. 2010) | 6 lines

  Issue #9792: In case of connection failure, socket.create_connection()
  would swallow the exception and raise a new one, making it impossible
  to fetch the original errno, or to filter timeout errors.  Now the
  original error is re-raised.
........
  r84599 | antoine.pitrou | 2010-09-07 23:09:09 +0200 (mar., 07 sept. 2010) | 4 lines

  Improve transient_internet() again to detect more network errors,
  and use it in test_robotparser. Fixes #8574.
........
2010-09-07 21:22:56 +00:00
Antoine Pitrou a88c83cbab Issue #8574: better implementation of test.support.transient_internet().
Original patch by Victor.
2010-09-07 20:42:19 +00:00
Giampaolo Rodolà 8b7da623ce Fix issue #9711: raise ValueError is SSLConnection constructor is invoked with keyfile and not certfile. 2010-08-30 18:28:05 +00:00
Giampaolo Rodolà 4a656ebe05 dedent some lines in test_ssl so that they are actually executed 2010-08-29 22:50:39 +00:00
Giampaolo Rodolà cd9dfb919a in ssl tests rely on IOError.errno rather thanf IOError.strerror for better compatibility across platforms. 2010-08-29 20:56:56 +00:00
Giampaolo Rodolà 745ab3807e Fix issue issue9706: provides a better error handling for various SSL operations 2010-08-29 19:25:49 +00:00
Antoine Pitrou 982c018b32 Remove debug hack 2010-08-16 14:33:42 +00:00
Antoine Pitrou ed9863685f Add debug output to the asyncore test 2010-08-15 23:28:10 +00:00
Antoine Pitrou f4c7badc02 Put test_ciphers in NetworkedTests 2010-08-15 23:02:22 +00:00
Antoine Pitrou 968dc03f24 Following Ezio's suggestion, force verbose mode on test_ssl to diagnose freezes on 3.x 2010-08-15 22:16:23 +00:00
Antoine Pitrou b233b7d7b5 Merged revisions 84021-84023 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84021 | antoine.pitrou | 2010-08-14 18:24:38 +0200 (sam., 14 août 2010) | 4 lines

  Add a reasonable timeout to network SSL tests, so as to avoid buildbot timeouts
  when the remote server doesn't answer.
........
  r84022 | antoine.pitrou | 2010-08-14 18:32:10 +0200 (sam., 14 août 2010) | 4 lines

  This is a better resolution than r84021 (because it will also affect
  ssl.get_server_certificate()).
........
  r84023 | antoine.pitrou | 2010-08-14 18:33:38 +0200 (sam., 14 août 2010) | 3 lines

  There doesn't seem to be a reason for this test to be disabled.
........
2010-08-14 17:28:36 +00:00
Antoine Pitrou 3554473309 Merged revisions 84021-84023 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84021 | antoine.pitrou | 2010-08-14 18:24:38 +0200 (sam., 14 août 2010) | 4 lines

  Add a reasonable timeout to network SSL tests, so as to avoid buildbot timeouts
  when the remote server doesn't answer.
........
  r84022 | antoine.pitrou | 2010-08-14 18:32:10 +0200 (sam., 14 août 2010) | 4 lines

  This is a better resolution than r84021 (because it will also affect
  ssl.get_server_certificate()).
........
  r84023 | antoine.pitrou | 2010-08-14 18:33:38 +0200 (sam., 14 août 2010) | 3 lines

  There doesn't seem to be a reason for this test to be disabled.
........
2010-08-14 17:26:19 +00:00
Antoine Pitrou ab6190f9aa There doesn't seem to be a reason for this test to be disabled. 2010-08-14 16:33:38 +00:00
Antoine Pitrou d151e27446 This is a better resolution than r84021 (because it will also affect
ssl.get_server_certificate()).
2010-08-14 16:32:10 +00:00
Antoine Pitrou 35bebe12e0 Add a reasonable timeout to network SSL tests, so as to avoid buildbot timeouts
when the remote server doesn't answer.
2010-08-14 16:24:38 +00:00
Antoine Pitrou 969fbe3d91 Don't crash when the _ssl module isn't built 2010-08-05 01:30:23 +00:00
Antoine Pitrou d75efd9c56 Merged revisions 83727 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r83727 | antoine.pitrou | 2010-08-04 19:14:06 +0200 (mer., 04 août 2010) | 3 lines

  Try to fix issue #9415: skip some tests on broken Ubuntu OpenSSL
........
2010-08-04 17:38:33 +00:00
Antoine Pitrou 23df483cb6 Try to fix issue #9415: skip some tests on broken Ubuntu OpenSSL 2010-08-04 17:14:06 +00:00
Antoine Pitrou 15cee6209f In verbose mode, identify OpenSSL build and platform more precisely 2010-08-04 16:45:21 +00:00
Victor Stinner 313a120ab6 Issue #8969: On Windows, use mbcs codec in strict mode to encode and decode
filenames and enable os.fsencode().
2010-06-11 23:56:51 +00:00
Antoine Pitrou b52187710e Issue #4870: Add an `options` attribute to SSL contexts, as well as
several ``OP_*`` constants to the `ssl` module.  This allows to selectively
disable protocol versions, when used in combination with `PROTOCOL_SSLv23`.
2010-05-21 09:56:06 +00:00
Antoine Pitrou d7e4c1caa6 Typo (thanks Arfrever) 2010-05-17 14:13:10 +00:00
Antoine Pitrou d0919507f9 Try to fix buildbot failures with old OpenSSLs. 2010-05-17 10:30:00 +00:00