Benjamin Peterson
5915b0f924
also use openssl envvars to find certs on windows ( closes #22449 )
...
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
Antoine Pitrou
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
Charles-François Natali
6e20460dc6
Issue #21566 : Make use of socket.listen() default backlog.
2014-07-23 19:28:13 +01:00
Antoine Pitrou
26408df88f
Issue #21976 : Fix test_ssl to accept LibreSSL version strings.
...
Thanks to William Orr.
2014-07-21 18:37:36 -04:00
Antoine Pitrou
dfab935c74
Issue #21976 : Fix test_ssl to accept LibreSSL version strings.
...
Thanks to William Orr.
2014-07-21 18:35:01 -04:00
Giampaolo Rodola'
915d14190e
fix issue #17552 : add socket.sendfile() method allowing to send a file over a socket by using high-performance os.sendfile() on UNIX. Patch by Giampaolo Rodola'·
2014-06-11 03:54:30 +02:00
Antoine Pitrou
b4bebdafe3
Issue #20951 : SSLSocket.send() now raises either SSLWantReadError or SSLWantWriteError on a non-blocking socket if the operation would block. Previously, it would return 0.
...
Patch by Nikolaus Rath.
2014-04-29 10:03:28 +02:00
Antoine Pitrou
c695c95626
Issue #19940 : ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.
...
Patch by Akira.
2014-04-28 20:57:36 +02:00
Antoine Pitrou
172f025bed
Issue #21068 : The ssl.PROTOCOL* constants are now enum members.
2014-04-18 20:33:08 +02:00
Antoine Pitrou
c043061667
Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015
2014-04-16 18:33:39 +02:00
Antoine Pitrou
94a5b663bf
Issue #20896 : ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.
2014-04-16 18:56:28 +02:00
Donald Stufft
6a2ba94908
Issue #21013 : Enhance ssl.create_default_context() for server side contexts
...
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
2014-03-23 19:05:28 -04:00
Antoine Pitrou
0bebbc33fa
Issue #21015 : SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
...
(should also fix a buildbot failure introduced by #20995 )
2014-03-22 18:13:50 +01:00
Benjamin Peterson
10b93cc29c
merge 3.3 ( #20896 )
2014-03-12 18:10:57 -05:00
Benjamin Peterson
d0fc83d5eb
merge 3.2 ( #20896 )
2014-03-12 18:10:47 -05:00
Benjamin Peterson
cf25c5caae
use ssl.PROTOCOL_SSLv23 for maximum compatibility ( closes #20896 )
2014-03-12 18:05:53 -05:00
Antoine Pitrou
ba44860c11
Try to fix test_ssl failures on some buildbots
2014-01-09 21:30:17 +01:00
Antoine Pitrou
32c4915b23
Try to fix test_ssl failures on some buildbots
2014-01-09 21:28:48 +01:00
Antoine Pitrou
78ace81c93
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:09:03 +01:00
Antoine Pitrou
cd3d7cabef
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:02:20 +01:00
Antoine Pitrou
3e86ba4e32
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:26:33 +01:00
Antoine Pitrou
e6d2f159fc
Issue #19422 : Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
2013-12-28 17:30:51 +01:00
Victor Stinner
36e96b8716
(Merge 3.3) Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now
...
raise a ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:25 +01:00
Victor Stinner
1e81a399a2
Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a
...
ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:04 +01:00
Christian Heimes
bd9cbb0691
Issue #19919 : Fix flacky SSL test. connect_ex() sometimes returns
...
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:16:45 +01:00
Christian Heimes
de57074874
Issue #19919 : Fix flacky SSL test. connect_ex() sometimes returns
...
EWOULDBLOCK on Windows or VMs hosted on Windows.
2013-12-16 21:15:44 +01:00
Christian Heimes
575596e19a
test_ssl: skip tests when SNI is not available
2013-12-15 21:49:17 +01:00
Christian Heimes
8e7f394282
Test SSLSock's context getter and setter
2013-12-05 07:41:08 +01:00
Christian Heimes
a02c69a73b
add check_hostname arg to ssl._create_stdlib_context()
2013-12-02 20:59:28 +01:00
Christian Heimes
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Christian Heimes
67986f9431
Issue #19735 : Implement private function ssl._create_stdlib_context() to
...
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
2013-11-23 22:43:47 +01:00
Christian Heimes
4c05b472dd
Issue #19689 : Add ssl.create_default_context() factory function. It creates
...
a new SSLContext object with secure default settings.
2013-11-23 15:58:30 +01:00
Christian Heimes
72d28500b3
Issue #19292 : Add SSLContext.load_default_certs() to load default root CA
...
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
2013-11-23 13:56:58 +01:00
Christian Heimes
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes
5398e1a56e
Issue #19448 : report name / NID in exception message of ASN1Object
2013-11-22 16:20:53 +01:00
Christian Heimes
c2d65e1e93
Issue #17134 : check certs of CA and ROOT system store
2013-11-22 16:13:55 +01:00
Christian Heimes
32f0c7a67b
or VERIFY_CRL_CHECK_LEAF to verify_flags
2013-11-22 03:43:48 +01:00
Christian Heimes
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes
d6dc952e17
one CERT_REQUIRED is enough
2013-11-22 00:39:38 +01:00
Christian Heimes
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
Christian Heimes
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
Christian Heimes
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
Georg Brandl
ec3c103520
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
``uniformResourceIdentifier`` (URI).
2014-09-30 14:04:51 +02:00
Georg Brandl
72c98d3a76
Issue #17997 : Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
...
for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
2013-10-27 07:16:53 +01:00
Georg Brandl
b89b5df9c9
merge with 3.3
2013-10-27 07:46:09 +01:00
Antoine Pitrou
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
Christian Heimes
2769d44827
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:50 +02:00
Christian Heimes
157c9834b4
Issue #18709 : Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
2013-08-25 14:12:41 +02:00
Christian Heimes
6acbe2aaa3
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:34 +02:00
Christian Heimes
f77b4b20e9
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
Christian Heimes
e06d47c70c
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00
Christian Heimes
824f7f366d
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
Antoine Pitrou
2894073e1a
test_ssl: use a bytestring here
2013-07-20 19:36:15 +02:00
Antoine Pitrou
60a26e0516
Issue #9177 : Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket.
...
Patch by Senko Rasic.
2013-07-20 19:35:16 +02:00
Christian Heimes
9a5395ae2b
Issue #18147 : Add diagnostic functions to ssl.SSLContext().
...
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
Christian Heimes
9424bb4aea
Issue #18207 : Fix test_ssl for some versions of OpenSSL that ignore seconds
...
in ASN1_TIME fields.
2013-06-17 15:32:57 +02:00
Christian Heimes
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
Christian Heimes
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
...
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
Antoine Pitrou
86d53cadda
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:56:42 +02:00
Antoine Pitrou
636f93c63b
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:56:42 +02:00
Antoine Pitrou
31fb419908
Issue #17980 : Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
2013-05-18 17:59:12 +02:00
Antoine Pitrou
242db728e2
Issue #13721 : SSLSocket.getpeercert() and SSLSocket.do_handshake() now raise an OSError with ENOTCONN, instead of an AttributeError, when the SSLSocket is not connected.
2013-05-01 20:52:07 +02:00
Antoine Pitrou
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
...
Patch by Kazuhiro Yoshida.
(originally issue #8109 )
2013-04-11 20:48:42 +02:00
Antoine Pitrou
609ef01b02
In search of TLS 1.1 bug: add debugging output in verbose mode
2013-03-29 18:09:06 +01:00
Antoine Pitrou
972d5bb763
Use a subtest in test_ssl.test_echo
2013-03-29 17:56:03 +01:00
Antoine Pitrou
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
Nadeem Vawda
6386e17f39
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:48:15 +01:00
Nadeem Vawda
ad246bfb71
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:44:22 +01:00
Nadeem Vawda
7b39b9b51b
Issue #13898 : test_ssl no longer prints a spurious stack trace on Ubuntu.
2013-03-03 22:31:21 +01:00
Antoine Pitrou
da23259f99
Issue #17107 : Test client-side SNI support in urllib.request thanks to the new server-side SNI support in the ssl module.
...
Initial patch by Daniel Black.
2013-02-05 21:20:51 +01:00
Antoine Pitrou
6b4e2a9c02
In test_ssl, threaded tests shouldn't need the network resource to be enabled
2013-01-12 22:00:54 +01:00
Antoine Pitrou
db5012ab47
In test_ssl, threaded tests shouldn't need the "network" resource to be enabled
2013-01-12 22:00:09 +01:00
Antoine Pitrou
e9bb4733d9
Issue #16923 : Fix ResourceWarnings in test_ssl.
2013-01-12 21:56:56 +01:00
Antoine Pitrou
e1ceb50cdf
Issue #16923 : Fix ResourceWarnings in test_ssl.
2013-01-12 21:54:44 +01:00
Benjamin Peterson
f86b3c394c
merge 3.3 ( #16900 )
2013-01-10 14:16:42 -06:00
Benjamin Peterson
36f7b97787
remove __del__ because it's evil and also prevents the ResourceWarning on the socket from happening ( closes #16900 )
2013-01-10 14:16:20 -06:00
Antoine Pitrou
58ddc9d743
Issue #8109 : The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
...
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
Antoine Pitrou
49f7e58778
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:09:41 +01:00
Antoine Pitrou
6464b84b3e
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:08:49 +01:00
Antoine Pitrou
ddb87ab1b4
Forward port new test for SSLSocket.connect_ex()
2012-12-28 19:07:43 +01:00
Antoine Pitrou
40f12ab0c5
Backport Python 3.2 fix for issue #12065 , and add another test for SSLSocket.connect_ex().
2012-12-28 19:03:43 +01:00
Andrew Svetlov
f7a17b48d7
Replace IOError with OSError ( #16715 )
2012-12-25 16:47:37 +02:00
Andrew Svetlov
0832af6628
Issue #16717 : get rid of socket.error, replace with OSError
2012-12-18 23:10:48 +02:00
Antoine Pitrou
73e9bd4d25
Issue #16357 : fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
...
Original patch by Jeff McNeil.
2012-11-11 01:27:33 +01:00
Antoine Pitrou
5c89b4ec55
Issue #16357 : fix calling accept() on a SSLSocket created through SSLContext.wrap_socket().
...
Original patch by Jeff McNeil.
2012-11-11 01:25:36 +01:00
Jesus Cea
b7a2800831
MERGE: Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:08:48 +02:00
Jesus Cea
c8754a13e6
Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:00:58 +02:00
Jesus Cea
a8a5b397c1
Closes #15793 : Stack corruption in ssl.RAND_egd(). Python 2.7 hasn't any issue about this, but add a test just to be sure
2012-09-11 01:55:04 +02:00
Antoine Pitrou
3b36fb1f53
Issue #14837 : SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
...
The str() of a SSLError is also enhanced accordingly.
NOTE: this commit creates a reference leak. The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type. The leak is on the
type object when it is instantiated:
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
Antoine Pitrou
c642f67c63
Skip test_algorithms (known remote hosts need SNI, which is only available on 3.2+)
2012-05-04 16:33:30 +02:00
Antoine Pitrou
f340c21ca9
Fix test connecting to sha256.tbs-internet.com.
...
The certificate has changed and the test now needs SNI to pass.
2012-05-04 16:26:56 +02:00
Antoine Pitrou
16f6f8338b
Fix test connecting to sha256.tbs-internet.com.
...
The certificate has changed and the test now needs SNI to pass.
2012-05-04 16:26:02 +02:00
Antoine Pitrou
d5d17eb653
Issue #14204 : The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
...
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
Antoine Pitrou
c135fa424e
Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay.
2012-02-19 21:22:39 +01:00
Antoine Pitrou
ce816a5111
Issue #13895 : fix test_ssl hanging under Ubuntu
2012-01-28 17:40:23 +01:00
Antoine Pitrou
eba63c4203
Issue #13895 : fix test_ssl hanging under Ubuntu
2012-01-28 17:38:34 +01:00
Antoine Pitrou
6636887104
Fix intermittent test_ssl failure.
2012-01-27 17:34:56 +01:00
Antoine Pitrou
eced82ecbf
Fix intermittent test_ssl failure.
2012-01-27 17:33:01 +01:00
Antoine Pitrou
7a556846d4
Fix intermittent test_ssl failure.
2012-01-27 17:33:01 +01:00
Antoine Pitrou
d76088d972
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
Antoine Pitrou
8f85f907e3
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
Antoine Pitrou
65a3f4b8c5
Use context managers in test_ssl to simplify test writing.
2011-12-21 16:52:40 +01:00
Antoine Pitrou
5b95eb90a7
Use context managers in test_ssl to simplify test writing.
2011-12-21 16:52:40 +01:00
Antoine Pitrou
72aeec35a1
Issue #13636 : Weak ciphers are now disabled by default in the ssl module
...
(except when SSLv2 is explicitly asked for).
2012-01-03 22:49:08 +01:00
Antoine Pitrou
0e576f1f50
Issue #13626 : Add support for SSL Diffie-Hellman key exchange, through the
...
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
Antoine Pitrou
6b15c90fd8
Use context managers in test_ssl to simplify test writing.
2011-12-21 16:54:45 +01:00
Antoine Pitrou
501da61671
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
...
(followup to issue #13627 )
2011-12-21 09:27:41 +01:00
Antoine Pitrou
8691bff6db
Fix for buggy test
2011-12-20 10:47:42 +01:00
Antoine Pitrou
8abdb8abd8
Issue #13634 : Add support for querying and disabling SSL compression.
2011-12-20 10:13:40 +01:00
Antoine Pitrou
923df6f22a
Issue #13627 : Add support for SSL Elliptic Curve-based Diffie-Hellman
...
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
Antoine Pitrou
6db4944cc5
Issue #13635 : Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
...
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
Antoine Pitrou
cf9943de97
Backout redundant changeset 1de4d92cd6a4
2011-10-31 20:23:00 +01:00
Barry Warsaw
39aec0171d
test_protocol_sslv2(): Skip this test if ssl.PROTOCOL_SSLv2 is not
...
defined (as is the case with Ubuntu 11.10).
2011-10-31 14:08:15 -04:00
Antoine Pitrou
6361ea2b07
Remove unstable SSL tests in the absence of ssl.OP_NO_{SSLv2,SSLv3,TLSv1}
2011-10-30 21:31:34 +01:00
Barry Warsaw
be83698f21
- Issue #13218 : Fix test_ssl failures on Debian/Ubuntu.
2011-10-28 16:14:44 -04:00
Barry Warsaw
c21a81bf76
- Issue #13218 : Fix test_ssl failures on Debian/Ubuntu.
2011-10-28 17:08:12 -04:00
Barry Warsaw
46ae0efce1
- Issue #13218 : Fix test_ssl failures on Debian/Ubuntu.
2011-10-28 16:52:17 -04:00
Antoine Pitrou
41032a69c1
Issue #11183 : Add finer-grained exceptions to the ssl module, so that
...
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
Antoine Pitrou
f06eb46918
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:30:58 +02:00
Antoine Pitrou
a02a12c517
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:22:30 +02:00
Antoine Pitrou
d8c347a8de
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:20:25 +02:00
Nick Coghlan
513886aabb
Fix #12835 : prevent use of the unencrypted sendmsg/recvmsg APIs on SSL wrapped sockets (Patch by David Watson)
2011-08-28 00:00:27 +10:00
Antoine Pitrou
4fd1e6a3ba
Issue #12803 : SSLContext.load_cert_chain() now accepts a password argument
...
to be used if the private key is encrypted. Patch by Adam Simpkins.
2011-08-25 14:39:44 +02:00
Nick Coghlan
5fab03fd15
Remove the SSLSocket versions of sendmsg/recvmsg due to lack of proper tests and documentation in conjunction with lack of any known use cases (see issue #6560 for details)
2011-08-23 22:26:44 +10:00
Nick Coghlan
96fe56abec
Add support for the send/recvmsg API to the socket module. Patch by David Watson and Heiko Wundram. ( Closes #6560 )
2011-08-22 11:55:57 +10:00
Antoine Pitrou
d649480739
Issue #12551 : Provide a get_channel_binding() method on SSL sockets so as
...
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented). This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.
Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
Antoine Pitrou
7128f95bd2
Issue #12440 : When testing whether some bits in SSLContext.options can be
...
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:49:07 +02:00
Antoine Pitrou
b9ac25d1c3
Issue #12440 : When testing whether some bits in SSLContext.options can be
...
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:47:06 +02:00
Victor Stinner
2e2baa9208
Issue #12049 : test_ssl now checks also that RAND_bytes() raises an error if
...
there is not enough entropy.
2011-05-25 11:15:16 +02:00
Victor Stinner
99c8b16143
Issue #12049 : Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
...
module.
2011-05-24 12:05:19 +02:00
Victor Stinner
2e7f39e889
Issue #12012 : test_ssl uses test_support.import_module()
...
Skip the whole file if the SSL module is missing. It was already the case,
except that the SkipTest exception was raised in test_main().
This commit fixes an error in test_ssl if the ssl module is missing.
2011-05-22 13:22:28 +02:00
Antoine Pitrou
7a616f2fc5
Issue #12065 : connect_ex() on an SSL socket now returns the original errno
...
when the socket's timeout expires (it used to return None).
2011-05-18 18:52:20 +02:00
Antoine Pitrou
b4410dbea6
Issue #12065 : connect_ex() on an SSL socket now returns the original errno
...
when the socket's timeout expires (it used to return None).
2011-05-18 18:51:06 +02:00
Victor Stinner
b1241f9619
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 01:52:03 +02:00
Victor Stinner
17ca323e7c
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00
Victor Stinner
ee18b6f2fd
Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:38:00 +02:00
Victor Stinner
3de49192aa
Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
...
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-09 00:42:58 +02:00
Antoine Pitrou
ff9bfca482
Issue #12000 : When a SSL certificate has a subjectAltName without any
...
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
2011-05-06 15:20:55 +02:00
Antoine Pitrou
1c86b44506
Issue #12000 : When a SSL certificate has a subjectAltName without any
...
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
2011-05-06 15:19:49 +02:00
Antoine Pitrou
5aefa6637c
Fix whitespace
2011-04-28 19:24:46 +02:00
Antoine Pitrou
15399c3f09
Issue #11811 : ssl.get_server_certificate() is now IPv6-compatible. Patch
...
by Charles-François Natali.
2011-04-28 19:23:55 +02:00
Antoine Pitrou
8ef3907044
Merged revisions 88671 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r88671 | antoine.pitrou | 2011-02-27 16:44:12 +0100 (dim., 27 févr. 2011) | 3 lines
Follow up to r88664: non-blocking connect-ex() can return EWOULDBLOCK under Windows
........
2011-02-27 15:45:22 +00:00
Antoine Pitrou
d1c9845b54
Merged revisions 88671 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r88671 | antoine.pitrou | 2011-02-27 16:44:12 +0100 (dim., 27 févr. 2011) | 3 lines
Follow up to r88664: non-blocking connect-ex() can return EWOULDBLOCK under Windows
........
2011-02-27 15:45:16 +00:00
Antoine Pitrou
8a14a0c88b
Follow up to r88664: non-blocking connect-ex() can return EWOULDBLOCK under Windows
2011-02-27 15:44:12 +00:00
Antoine Pitrou
d3f6ea1d1e
Merged revisions 88664 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r88664 | antoine.pitrou | 2011-02-27 00:24:06 +0100 (dim., 27 févr. 2011) | 4 lines
Issue #11326 : Add the missing connect_ex() implementation for SSL sockets,
and make it work for non-blocking connects.
........
2011-02-26 23:35:27 +00:00
Antoine Pitrou
86cbfec50a
Merged revisions 88664 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r88664 | antoine.pitrou | 2011-02-27 00:24:06 +0100 (dim., 27 févr. 2011) | 4 lines
Issue #11326 : Add the missing connect_ex() implementation for SSL sockets,
and make it work for non-blocking connects.
........
2011-02-26 23:25:34 +00:00
Antoine Pitrou
e93bf7aed2
Issue #11326 : Add the missing connect_ex() implementation for SSL sockets,
...
and make it work for non-blocking connects.
2011-02-26 23:24:06 +00:00
Victor Stinner
80f75e684e
Issue #10989 : Fix a crash on SSLContext.load_verify_locations(None, True).
...
Patch reviewed by Antoine Pitrou, okayed by Georg Brandl.
2011-01-29 11:31:20 +00:00
Antoine Pitrou
d43245a965
Merged revisions 87861,87863 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r87861 | antoine.pitrou | 2011-01-08 11:23:29 +0100 (sam., 08 janv. 2011) | 3 lines
Fix test_ssl after r87849
........
r87863 | antoine.pitrou | 2011-01-08 11:28:11 +0100 (sam., 08 janv. 2011) | 3 lines
Add EHOSTUNREACH ('No route to host') to the errnos trapped by transient_internet().
........
2011-01-08 10:32:51 +00:00
Antoine Pitrou
50778ab4c2
Merged revisions 87861,87863 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r87861 | antoine.pitrou | 2011-01-08 11:23:29 +0100 (sam., 08 janv. 2011) | 3 lines
Fix test_ssl after r87849
........
r87863 | antoine.pitrou | 2011-01-08 11:28:11 +0100 (sam., 08 janv. 2011) | 3 lines
Add EHOSTUNREACH ('No route to host') to the errnos trapped by transient_internet().
........
2011-01-08 10:31:09 +00:00
Antoine Pitrou
160fd938ed
Fix test_ssl after r87849
2011-01-08 10:23:29 +00:00
Victor Stinner
f332abbf15
test_ssl: test SHA256 using sha256.tbs-internet.com instead of sha2.hboeck.de
2011-01-08 03:16:05 +00:00
Antoine Pitrou
c4df784514
Issue #10272 : The ssl module now raises socket.timeout instead of a generic
...
SSLError on socket timeouts.
2010-12-03 19:59:41 +00:00
Ezio Melotti
ed3a7d2d60
#10273 : Rename assertRegexpMatches and assertRaisesRegexp to assertRegex and assertRaisesRegex.
2010-12-01 02:32:32 +00:00
Georg Brandl
f55aa80b37
Merged revisions 85820,85823,85825,85840,85843-85845,85849-85851,85855,85867,85875,85907-85908,85911,85914 via svnmerge from
...
svn+ssh://svn.python.org/python/branches/py3k
........
r85820 | georg.brandl | 2010-10-24 16:20:22 +0200 (So, 24 Okt 2010) | 1 line
Remove usage of exception indexing.
........
r85823 | georg.brandl | 2010-10-24 16:32:45 +0200 (So, 24 Okt 2010) | 1 line
Fix style.
........
r85825 | georg.brandl | 2010-10-24 17:16:02 +0200 (So, 24 Okt 2010) | 1 line
Add documentation about the default warnings filters.
........
r85840 | georg.brandl | 2010-10-25 19:50:20 +0200 (Mo, 25 Okt 2010) | 1 line
#3018 : tkinter demo fixes for py3k.
........
r85843 | georg.brandl | 2010-10-26 08:59:23 +0200 (Di, 26 Okt 2010) | 1 line
Markup fix.
........
r85844 | georg.brandl | 2010-10-26 12:39:14 +0200 (Di, 26 Okt 2010) | 1 line
Work a bit more on tkinter demos.
........
r85845 | georg.brandl | 2010-10-26 12:42:16 +0200 (Di, 26 Okt 2010) | 1 line
faqwiz is removed.
........
r85849 | georg.brandl | 2010-10-26 21:31:06 +0200 (Di, 26 Okt 2010) | 1 line
#10200 : typo.
........
r85850 | georg.brandl | 2010-10-26 21:58:11 +0200 (Di, 26 Okt 2010) | 1 line
#10200 : typo.
........
r85851 | georg.brandl | 2010-10-26 22:12:37 +0200 (Di, 26 Okt 2010) | 1 line
Fix import.
........
r85855 | georg.brandl | 2010-10-27 09:21:54 +0200 (Mi, 27 Okt 2010) | 1 line
Encoding fix.
........
r85867 | georg.brandl | 2010-10-27 22:01:51 +0200 (Mi, 27 Okt 2010) | 1 line
Add David.
........
r85875 | georg.brandl | 2010-10-28 10:38:30 +0200 (Do, 28 Okt 2010) | 1 line
Fix bytes/str issues in get-remote-certificate.py.
........
r85907 | georg.brandl | 2010-10-29 06:54:13 +0200 (Fr, 29 Okt 2010) | 1 line
#10222 : fix for overzealous AIX compiler.
........
r85908 | georg.brandl | 2010-10-29 07:22:17 +0200 (Fr, 29 Okt 2010) | 1 line
send_bytes obviously needs bytes...
........
r85911 | georg.brandl | 2010-10-29 07:36:28 +0200 (Fr, 29 Okt 2010) | 1 line
Fix markup error and update false positive entries from "make suspicious".
........
r85914 | georg.brandl | 2010-10-29 08:17:38 +0200 (Fr, 29 Okt 2010) | 1 line
(?:...) is a non-capturing, but still grouping construct.
........
2010-11-26 08:59:40 +00:00
Antoine Pitrou
664c2d1fc0
Issue #10443 : Add the SSLContext.set_default_verify_paths() method.
2010-11-17 20:29:42 +00:00
Antoine Pitrou
fb0469112f
Issue #10022 : The dictionary returned by the `getpeercert()` method
...
of SSL sockets now has additional items such as `issuer` and `notBefore`.
2010-11-09 20:21:19 +00:00
Antoine Pitrou
942d554c5b
Don't fail in test_ssl when svn.python.org is unavailable
2010-10-31 13:26:53 +00:00
Antoine Pitrou
d2eca37cc5
Clean up socket closing in test_ssl and test.ssl_servers
2010-10-29 23:41:37 +00:00
Georg Brandl
b75b639a8b
Remove usage of exception indexing.
2010-10-24 14:20:22 +00:00
Antoine Pitrou
eb585adbde
Fix test_ssl on Ubuntu buildbot with patched OpenSSL
2010-10-22 18:24:20 +00:00
Antoine Pitrou
d532321f7b
Issue #5639 : Add a *server_hostname* argument to `SSLContext.wrap_socket`
...
in order to support the TLS SNI extension. `HTTPSConnection` and
`urlopen()` also use this argument, so that HTTPS virtual hosts are now
supported.
2010-10-22 18:19:07 +00:00
Antoine Pitrou
05d936d2ce
Let test_ssl fail gracefully if ssl support is not available
2010-10-13 11:38:36 +00:00
Antoine Pitrou
803e6d670c
Issue #9003 : http.client.HTTPSConnection, urllib.request.HTTPSHandler and
...
urllib.request.urlopen now take optional arguments to allow for
server certificate checking, as recommended in public uses of HTTPS.
2010-10-13 10:36:15 +00:00
Antoine Pitrou
b0182c8ca5
Issue #10075 : Add a session_stats() method to SSLContext objects.
2010-10-12 20:09:02 +00:00
Antoine Pitrou
81564093a1
Issue #1051 : Add a script (Lib/test/make_ssl_certs.py) to generate the
...
custom certificate and private key files used by SSL-related certs.
2010-10-08 23:06:24 +00:00
Antoine Pitrou
59fdd6736b
Issue #1589 : Add ssl.match_hostname(), to help implement server identity
...
verification for higher-level protocols.
2010-10-08 10:37:08 +00:00
Giampaolo Rodolà
977c707b42
Fix issue 6706: adds new handle_accepted() method to asyncore.dispatcher
2010-10-04 21:08:36 +00:00
Antoine Pitrou
5974cdd5f5
Merged revisions 84807 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84807 | antoine.pitrou | 2010-09-14 16:43:44 +0200 (mar., 14 sept. 2010) | 4 lines
Issue #9853 : Fix the signature of SSLSocket.recvfrom() and
SSLSocket.sendto() to match the corresponding socket methods.
........
2010-09-14 14:47:08 +00:00
Antoine Pitrou
a468adc76d
Issue #9853 : Fix the signature of SSLSocket.recvfrom() and
...
SSLSocket.sendto() to match the corresponding socket methods.
2010-09-14 14:43:44 +00:00
Antoine Pitrou
f7f390a251
Issue #9729 : Fix the signature of SSLSocket.recvfrom() and
...
SSLSocket.sendto() to match the corresponding socket methods. Also,
fix various SSLSocket methods to raise socket.error rather than an
unhelpful TypeError when called on an unconnected socket. Original patch
by Andrew Bennetts.
NOTE: obviously, these methods are untested and unused in the real world...
2010-09-14 14:37:18 +00:00
Antoine Pitrou
de30f7042f
Some tests didn't get executed (because of the merge in r83728)
2010-09-14 12:54:08 +00:00
Antoine Pitrou
4e406d8ff4
Merged revisions 84650 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84650 | antoine.pitrou | 2010-09-09 15:31:46 +0200 (jeu., 09 sept. 2010) | 4 lines
Use transient_internet() where appropriate in test_ssl
(svn.python.org is sometimes unavailable)
........
2010-09-09 13:35:44 +00:00
Antoine Pitrou
78d8946d19
Merged revisions 84650 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84650 | antoine.pitrou | 2010-09-09 15:31:46 +0200 (jeu., 09 sept. 2010) | 4 lines
Use transient_internet() where appropriate in test_ssl
(svn.python.org is sometimes unavailable)
........
2010-09-09 13:33:33 +00:00
Antoine Pitrou
350c7229be
Use transient_internet() where appropriate in test_ssl
...
(svn.python.org is sometimes unavailable)
2010-09-09 13:31:46 +00:00
Antoine Pitrou
c818ed4d61
Merged revisions 84597-84599 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84597 | antoine.pitrou | 2010-09-07 22:42:19 +0200 (mar., 07 sept. 2010) | 5 lines
Issue #8574 : better implementation of test.support.transient_internet().
Original patch by Victor.
........
r84598 | antoine.pitrou | 2010-09-07 23:05:49 +0200 (mar., 07 sept. 2010) | 6 lines
Issue #9792 : In case of connection failure, socket.create_connection()
would swallow the exception and raise a new one, making it impossible
to fetch the original errno, or to filter timeout errors. Now the
original error is re-raised.
........
r84599 | antoine.pitrou | 2010-09-07 23:09:09 +0200 (mar., 07 sept. 2010) | 4 lines
Improve transient_internet() again to detect more network errors,
and use it in test_robotparser. Fixes #8574 .
........
2010-09-07 21:40:25 +00:00
Antoine Pitrou
4d7979be72
Merged revisions 84597-84599 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84597 | antoine.pitrou | 2010-09-07 22:42:19 +0200 (mar., 07 sept. 2010) | 5 lines
Issue #8574 : better implementation of test.support.transient_internet().
Original patch by Victor.
........
r84598 | antoine.pitrou | 2010-09-07 23:05:49 +0200 (mar., 07 sept. 2010) | 6 lines
Issue #9792 : In case of connection failure, socket.create_connection()
would swallow the exception and raise a new one, making it impossible
to fetch the original errno, or to filter timeout errors. Now the
original error is re-raised.
........
r84599 | antoine.pitrou | 2010-09-07 23:09:09 +0200 (mar., 07 sept. 2010) | 4 lines
Improve transient_internet() again to detect more network errors,
and use it in test_robotparser. Fixes #8574 .
........
2010-09-07 21:22:56 +00:00
Antoine Pitrou
a88c83cbab
Issue #8574 : better implementation of test.support.transient_internet().
...
Original patch by Victor.
2010-09-07 20:42:19 +00:00
Giampaolo Rodolà
8b7da623ce
Fix issue #9711 : raise ValueError is SSLConnection constructor is invoked with keyfile and not certfile.
2010-08-30 18:28:05 +00:00
Giampaolo Rodolà
4a656ebe05
dedent some lines in test_ssl so that they are actually executed
2010-08-29 22:50:39 +00:00
Giampaolo Rodolà
cd9dfb919a
in ssl tests rely on IOError.errno rather thanf IOError.strerror for better compatibility across platforms.
2010-08-29 20:56:56 +00:00
Giampaolo Rodolà
745ab3807e
Fix issue issue9706: provides a better error handling for various SSL operations
2010-08-29 19:25:49 +00:00
Antoine Pitrou
982c018b32
Remove debug hack
2010-08-16 14:33:42 +00:00
Antoine Pitrou
ed9863685f
Add debug output to the asyncore test
2010-08-15 23:28:10 +00:00
Antoine Pitrou
f4c7badc02
Put test_ciphers in NetworkedTests
2010-08-15 23:02:22 +00:00
Antoine Pitrou
968dc03f24
Following Ezio's suggestion, force verbose mode on test_ssl to diagnose freezes on 3.x
2010-08-15 22:16:23 +00:00
Antoine Pitrou
b233b7d7b5
Merged revisions 84021-84023 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84021 | antoine.pitrou | 2010-08-14 18:24:38 +0200 (sam., 14 août 2010) | 4 lines
Add a reasonable timeout to network SSL tests, so as to avoid buildbot timeouts
when the remote server doesn't answer.
........
r84022 | antoine.pitrou | 2010-08-14 18:32:10 +0200 (sam., 14 août 2010) | 4 lines
This is a better resolution than r84021 (because it will also affect
ssl.get_server_certificate()).
........
r84023 | antoine.pitrou | 2010-08-14 18:33:38 +0200 (sam., 14 août 2010) | 3 lines
There doesn't seem to be a reason for this test to be disabled.
........
2010-08-14 17:28:36 +00:00
Antoine Pitrou
3554473309
Merged revisions 84021-84023 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84021 | antoine.pitrou | 2010-08-14 18:24:38 +0200 (sam., 14 août 2010) | 4 lines
Add a reasonable timeout to network SSL tests, so as to avoid buildbot timeouts
when the remote server doesn't answer.
........
r84022 | antoine.pitrou | 2010-08-14 18:32:10 +0200 (sam., 14 août 2010) | 4 lines
This is a better resolution than r84021 (because it will also affect
ssl.get_server_certificate()).
........
r84023 | antoine.pitrou | 2010-08-14 18:33:38 +0200 (sam., 14 août 2010) | 3 lines
There doesn't seem to be a reason for this test to be disabled.
........
2010-08-14 17:26:19 +00:00
Antoine Pitrou
ab6190f9aa
There doesn't seem to be a reason for this test to be disabled.
2010-08-14 16:33:38 +00:00
Antoine Pitrou
d151e27446
This is a better resolution than r84021 (because it will also affect
...
ssl.get_server_certificate()).
2010-08-14 16:32:10 +00:00
Antoine Pitrou
35bebe12e0
Add a reasonable timeout to network SSL tests, so as to avoid buildbot timeouts
...
when the remote server doesn't answer.
2010-08-14 16:24:38 +00:00
Antoine Pitrou
969fbe3d91
Don't crash when the _ssl module isn't built
2010-08-05 01:30:23 +00:00
Antoine Pitrou
d75efd9c56
Merged revisions 83727 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r83727 | antoine.pitrou | 2010-08-04 19:14:06 +0200 (mer., 04 août 2010) | 3 lines
Try to fix issue #9415 : skip some tests on broken Ubuntu OpenSSL
........
2010-08-04 17:38:33 +00:00
Antoine Pitrou
23df483cb6
Try to fix issue #9415 : skip some tests on broken Ubuntu OpenSSL
2010-08-04 17:14:06 +00:00
Antoine Pitrou
15cee6209f
In verbose mode, identify OpenSSL build and platform more precisely
2010-08-04 16:45:21 +00:00
Victor Stinner
313a120ab6
Issue #8969 : On Windows, use mbcs codec in strict mode to encode and decode
...
filenames and enable os.fsencode().
2010-06-11 23:56:51 +00:00
Antoine Pitrou
b52187710e
Issue #4870 : Add an `options` attribute to SSL contexts, as well as
...
several ``OP_*`` constants to the `ssl` module. This allows to selectively
disable protocol versions, when used in combination with `PROTOCOL_SSLv23`.
2010-05-21 09:56:06 +00:00
Antoine Pitrou
d7e4c1caa6
Typo (thanks Arfrever)
2010-05-17 14:13:10 +00:00
Antoine Pitrou
d0919507f9
Try to fix buildbot failures with old OpenSSLs.
2010-05-17 10:30:00 +00:00