Commit Graph

72 Commits

Author SHA1 Message Date
Antoine Pitrou 72aeec35a1 Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
2012-01-03 22:49:08 +01:00
Antoine Pitrou 8f85f907e3 Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
2012-01-03 22:46:48 +01:00
Antoine Pitrou 0e576f1f50 Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
Antoine Pitrou 501da61671 Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
(followup to issue #13627)
2011-12-21 09:27:41 +01:00
Antoine Pitrou 8abdb8abd8 Issue #13634: Add support for querying and disabling SSL compression. 2011-12-20 10:13:40 +01:00
Antoine Pitrou 923df6f22a Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
Antoine Pitrou 6db4944cc5 Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
Antoine Pitrou 41032a69c1 Issue #11183: Add finer-grained exceptions to the ssl module, so that
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
Nick Coghlan 513886aabb Fix #12835: prevent use of the unencrypted sendmsg/recvmsg APIs on SSL wrapped sockets (Patch by David Watson) 2011-08-28 00:00:27 +10:00
Nick Coghlan 5fab03fd15 Remove the SSLSocket versions of sendmsg/recvmsg due to lack of proper tests and documentation in conjunction with lack of any known use cases (see issue #6560 for details) 2011-08-23 22:26:44 +10:00
Nick Coghlan 96fe56abec Add support for the send/recvmsg API to the socket module. Patch by David Watson and Heiko Wundram. (Closes #6560) 2011-08-22 11:55:57 +10:00
Antoine Pitrou d649480739 Issue #12551: Provide a get_channel_binding() method on SSL sockets so as
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented).  This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.

Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
Antoine Pitrou 7128f95bd2 Issue #12440: When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:49:07 +02:00
Antoine Pitrou b9ac25d1c3 Issue #12440: When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:47:06 +02:00
Victor Stinner 99c8b16143 Issue #12049: Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
module.
2011-05-24 12:05:19 +02:00
Antoine Pitrou 7a616f2fc5 Issue #12065: connect_ex() on an SSL socket now returns the original errno
when the socket's timeout expires (it used to return None).
2011-05-18 18:52:20 +02:00
Antoine Pitrou b4410dbea6 Issue #12065: connect_ex() on an SSL socket now returns the original errno
when the socket's timeout expires (it used to return None).
2011-05-18 18:51:06 +02:00
Victor Stinner 17ca323e7c (Merge 3.1) Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00
Victor Stinner ee18b6f2fd Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 00:38:00 +02:00
Victor Stinner 3de49192aa Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.

Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-09 00:42:58 +02:00
Antoine Pitrou ff9bfca482 Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
2011-05-06 15:20:55 +02:00
Antoine Pitrou 1c86b44506 Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
2011-05-06 15:19:49 +02:00
Antoine Pitrou 15399c3f09 Issue #11811: ssl.get_server_certificate() is now IPv6-compatible. Patch
by Charles-François Natali.
2011-04-28 19:23:55 +02:00
Antoine Pitrou 86cbfec50a Merged revisions 88664 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r88664 | antoine.pitrou | 2011-02-27 00:24:06 +0100 (dim., 27 févr. 2011) | 4 lines

  Issue #11326: Add the missing connect_ex() implementation for SSL sockets,
  and make it work for non-blocking connects.
........
2011-02-26 23:25:34 +00:00
Antoine Pitrou e93bf7aed2 Issue #11326: Add the missing connect_ex() implementation for SSL sockets,
and make it work for non-blocking connects.
2011-02-26 23:24:06 +00:00
Antoine Pitrou d532321f7b Issue #5639: Add a *server_hostname* argument to `SSLContext.wrap_socket`
in order to support the TLS SNI extension.  `HTTPSConnection` and
`urlopen()` also use this argument, so that HTTPS virtual hosts are now
supported.
2010-10-22 18:19:07 +00:00
Antoine Pitrou 59fdd6736b Issue #1589: Add ssl.match_hostname(), to help implement server identity
verification for higher-level protocols.
2010-10-08 10:37:08 +00:00
Antoine Pitrou 5974cdd5f5 Merged revisions 84807 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84807 | antoine.pitrou | 2010-09-14 16:43:44 +0200 (mar., 14 sept. 2010) | 4 lines

  Issue #9853: Fix the signature of SSLSocket.recvfrom() and
  SSLSocket.sendto() to match the corresponding socket methods.
........
2010-09-14 14:47:08 +00:00
Antoine Pitrou a468adc76d Issue #9853: Fix the signature of SSLSocket.recvfrom() and
SSLSocket.sendto() to match the corresponding socket methods.
2010-09-14 14:43:44 +00:00
Antoine Pitrou 10c4c23a25 Merged revisions 84464 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r84464 | antoine.pitrou | 2010-09-03 20:38:17 +0200 (ven., 03 sept. 2010) | 3 lines

  Issue #3805: clean up implementation of the _read method in _ssl.c.
........
2010-09-03 18:39:47 +00:00
Antoine Pitrou 24e561ae04 Issue #3805: clean up implementation of the _read method in _ssl.c. 2010-09-03 18:38:17 +00:00
Giampaolo Rodolà 8b7da623ce Fix issue #9711: raise ValueError is SSLConnection constructor is invoked with keyfile and not certfile. 2010-08-30 18:28:05 +00:00
Giampaolo Rodolà 745ab3807e Fix issue issue9706: provides a better error handling for various SSL operations 2010-08-29 19:25:49 +00:00
Giampaolo Rodolà 374f835316 Raise ValuError if non-zero flag argument is provided for sendall() method for conformity with send(), recv() and recv_into() 2010-08-29 12:08:09 +00:00
Antoine Pitrou 6e451df800 Followup to r83869 and issue #8524: rename socket.forget() to socket.detach()
and make it return the file descriptor.
2010-08-09 20:39:54 +00:00
Antoine Pitrou e43f9d0ed6 Issue #8524: Add a forget() method to socket objects, so as to put the
socket into the closed state without closing the underlying file
descriptor.
2010-08-08 23:24:50 +00:00
Antoine Pitrou b52187710e Issue #4870: Add an `options` attribute to SSL contexts, as well as
several ``OP_*`` constants to the `ssl` module.  This allows to selectively
disable protocol versions, when used in combination with `PROTOCOL_SSLv23`.
2010-05-21 09:56:06 +00:00
Antoine Pitrou 152efa2ae2 Issue #8550: Add first class `SSLContext` objects to the ssl module. 2010-05-16 18:19:27 +00:00
Antoine Pitrou f07d5589c0 Merged revisions 80517 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r80517 | antoine.pitrou | 2010-04-27 01:06:26 +0200 (mar., 27 avril 2010) | 3 lines

  Remove unused import
........
2010-04-26 23:08:35 +00:00
Antoine Pitrou 90e6d04071 Remove unused import 2010-04-26 23:06:26 +00:00
Antoine Pitrou 28f7ab6402 Merged revisions 80515 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r80515 | antoine.pitrou | 2010-04-27 00:17:47 +0200 (mar., 27 avril 2010) | 4 lines

  Hopefully fix sporadic Windows issue by avoiding calling getpeername()
  on a freshly dup'ed socket.
........
2010-04-26 22:37:59 +00:00
Antoine Pitrou fa2b9380c0 Hopefully fix sporadic Windows issue by avoiding calling getpeername()
on a freshly dup'ed socket.
2010-04-26 22:17:47 +00:00
Antoine Pitrou 365171d8f6 Merged revisions 80509 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

................
  r80509 | antoine.pitrou | 2010-04-26 19:29:05 +0200 (lun., 26 avril 2010) | 10 lines

  Merged revisions 80507 via svnmerge from
  svn+ssh://pythondev@svn.python.org/python/trunk

  ........
    r80507 | antoine.pitrou | 2010-04-26 19:23:33 +0200 (lun., 26 avril 2010) | 4 lines

    When calling getpeername() in SSLSocket.__init__, only silence exceptions
    caused by the "socket not connected" condition.
  ........
................
2010-04-26 17:32:49 +00:00
Antoine Pitrou de8cf32ec8 Merged revisions 80507 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r80507 | antoine.pitrou | 2010-04-26 19:23:33 +0200 (lun., 26 avril 2010) | 4 lines

  When calling getpeername() in SSLSocket.__init__, only silence exceptions
  caused by the "socket not connected" condition.
........
2010-04-26 17:29:05 +00:00
Antoine Pitrou c2203f92ff Merged revisions 80456 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r80456 | antoine.pitrou | 2010-04-25 00:04:40 +0200 (dim., 25 avril 2010) | 5 lines

  Issue #8524: When creating an SSL socket, the timeout value of the
  original socket wasn't retained (instead, a socket with a positive timeout
  would be turned into a non-blocking SSL socket).
........
2010-04-24 22:07:51 +00:00
Antoine Pitrou 40f0874b55 Issue #8524: When creating an SSL socket, the timeout value of the
original socket wasn't retained (instead, a socket with a positive timeout
would be turned into a non-blocking SSL socket).
2010-04-24 22:04:40 +00:00
Antoine Pitrou 2d9cb9c1cb Merged revisions 80151 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r80151 | antoine.pitrou | 2010-04-17 19:10:38 +0200 (sam., 17 avril 2010) | 4 lines

  Issue #8322: Add a *ciphers* argument to SSL sockets, so as to change the
  available cipher list.  Helps fix test_ssl with OpenSSL 1.0.0.
........
2010-04-17 17:40:45 +00:00
Antoine Pitrou 04f6a32dff Merged revisions 79812 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r79812 | antoine.pitrou | 2010-04-05 23:35:07 +0200 (lun., 05 avril 2010) | 5 lines

  Issue #8321: Give access to OpenSSL version numbers from the `ssl` module,
  using the new attributes `ssl.OPENSSL_VERSION`, `ssl.OPENSSL_VERSION_INFO`
  and `ssl.OPENSSL_VERSION_NUMBER`.
........
2010-04-05 21:40:07 +00:00
Antoine Pitrou a06bfd87da Merged revisions 79287,79289 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

................
  r79287 | antoine.pitrou | 2010-03-22 15:49:10 +0100 (lun., 22 mars 2010) | 13 lines

  Merged revisions 79226,79286 via svnmerge from
  svn+ssh://pythondev@svn.python.org/python/trunk

  ........
    r79226 | antoine.pitrou | 2010-03-21 20:33:38 +0100 (dim., 21 mars 2010) | 4 lines

    Issue #3890: Fix recv() and recv_into() on non-blocking SSL sockets.
  ........
    r79286 | antoine.pitrou | 2010-03-22 15:41:48 +0100 (lun., 22 mars 2010) | 3 lines

    Fix an occasional test_ftplib failure, following r79226.
  ........
................
  r79289 | antoine.pitrou | 2010-03-22 16:07:09 +0100 (lun., 22 mars 2010) | 3 lines

  Fix a blunder in r79287.  This part is, obviously, poorly tested (if at all).
................
2010-03-22 15:09:31 +00:00
Antoine Pitrou 37c1f18a72 Fix a blunder in r79287. This part is, obviously, poorly tested (if at all). 2010-03-22 15:07:09 +00:00