Christian Heimes
824f7f366d
Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string representation of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00

Christian Heimes
9bfcaa6fb3
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:35 +02:00

Christian Heimes
5962bef8aa
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:18 +02:00

Victor Stinner
11ebff2757
Issue #18203: Replace malloc() with PyMem_Malloc() in _ssl for the password
2013-07-07 17:07:52 +02:00

Victor Stinner
b64049183c
Issue #18203: Replace malloc() with PyMem_Malloc() in Python modules
Replace malloc() with PyMem_Malloc() when the GIL is held, or with
PyMem_RawMalloc() otherwise.
2013-07-07 16:21:41 +02:00

Victor Stinner
7e00151e1f
_ssl.c: strip trailing spaces
2013-06-25 00:44:31 +02:00

Victor Stinner
86073dc3c2
(Merge 3.3) Issue #18135: ssl.SSLSocket.write() now raises an OverflowError if
the input string is longer than 2 gigabytes, and
ssl.SSLContext.load_cert_chain() raises a ValueError if the password is longer
than 2 gigabytes. The ssl module does not support partial write.
2013-06-25 00:43:47 +02:00

Victor Stinner
6efa965a27
Issue #18135: ssl.SSLSocket.write() now raises an OverflowError if the input
string is longer than 2 gigabytes, and ssl.SSLContext.load_cert_chain() raises
a ValueError if the password is longer than 2 gigabytes. The ssl module does
not support partial write.
2013-06-25 00:42:31 +02:00

Victor Stinner
8cfd67cfe7
(Merge 3.3) Issue #18135: Fix a possible integer overflow in
ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and
passwords longer than 2 gigabytes.
2013-06-23 15:09:26 +02:00

Victor Stinner
9ee0203057
Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write()
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer
than 2 gigabytes.
2013-06-23 15:08:23 +02:00

Victor Stinner
4569cd5eab
_ssl.c: strip trailing spaces
2013-06-23 14:58:43 +02:00

Christian Heimes
9a5395ae2b
Issue #18147: Add diagnostic functions to ssl.SSLContext().
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00

Christian Heimes
200bb1b08c
Simplify return value of ssl.get_default_verify_paths
prefix function with PySSL_, too. Other module level functions have a prefix, too.
2013-06-14 15:14:29 +02:00

Christian Heimes
75b8426698
fixed refleak
2013-06-10 10:47:22 +02:00

Christian Heimes
46bebee25f
Issue #17134: Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00

Christian Heimes
142ec2c014
get_default_verify_paths doesn't belong inside the ifdef block
2013-06-09 18:29:54 +02:00

Christian Heimes
6d7ad13a45
Issue #18143: Implement ssl.get_default_verify_paths() in order to debug
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00

Antoine Pitrou
19fef69b75
Fix compilation under MSVC: ssl_set_mode() is a macro, and the MSVC preprocessor doesn't process #ifdef's inside a macro argument list.
(found explanation at http://www.tech-archive.net/Archive/VC/microsoft.public.vc.language/2007-05/msg00385.html)
2013-05-25 13:23:03 +02:00

Antoine Pitrou
3a65ad7f08
Issue #8240: Set the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag on SSL sockets.
2013-05-25 13:02:32 +02:00

Antoine Pitrou
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
Patch by Kazuhiro Yoshida.
(originally issue #8109)
2013-04-11 20:48:42 +02:00

Antoine Pitrou
ce852cb8b9
Fix comment about the OpenSSL version in which SNI version was introduced.
2013-03-30 16:45:04 +01:00

Antoine Pitrou
edbc18e9d0
Improve set_servername_callback docstring.
2013-03-30 16:40:27 +01:00

Antoine Pitrou
a596338bb8
Fix previous fix (the cause was actually a misplaced #endif, or so it seems)
2013-03-30 16:39:00 +01:00

Antoine Pitrou
41f8c4f5e4
Further compiling fixes (issue #17581)
2013-03-30 16:36:54 +01:00

Antoine Pitrou
912fbff105
Issue #17581: try to fix building on old OpenSSL versions
2013-03-30 16:29:32 +01:00

Antoine Pitrou
2463e5fee4
Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00

Stefan Krah
20d60803d5
Issue #16982: Fix --without-threads build failure.
2013-01-17 17:07:17 +01:00

Antoine Pitrou
1e37e9efa9
SSLContext.load_dh_params() now properly closes the input file.
2013-01-12 21:44:33 +01:00

Antoine Pitrou
457a2292ca
SSLContext.load_dh_params() now properly closes the input file.
2013-01-12 21:43:45 +01:00

Antoine Pitrou
5dd12a5978
Fix returning uninitialized variable (issue #8109).
Found by Christian with Coverity.
2013-01-06 15:25:36 +01:00

Antoine Pitrou
58ddc9d743
Issue #8109: The ssl module now has support for server-side SNI, thanks to a :meth:SSLContext.set_servername_callback method.
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00

Christian Heimes
5cb31c9277
Issue #15977: Fix memory leak in Modules/_ssl.c when the function _set_npn_protocols() is called multiple times
2012-09-20 12:42:54 +02:00

Jesus Cea
b7a2800831
MERGE: Closes #15793: Stack corruption in ssl.RAND_egd()
2012-09-11 02:08:48 +02:00

Jesus Cea
c8754a13e6
Closes #15793: Stack corruption in ssl.RAND_egd()
2012-09-11 02:00:58 +02:00

Antoine Pitrou
721738fbee
Issue #15604: Update uses of PyObject_IsTrue() to check for and handle errors correctly.
Patch by Serhiy Storchaka.
2012-08-15 23:20:39 +02:00

Antoine Pitrou
6f430e4963
Issue #15604: Update uses of PyObject_IsTrue() to check for and handle errors correctly.
Patch by Serhiy Storchaka.
2012-08-15 23:18:25 +02:00

Antoine Pitrou
3b36fb1f53
Issue #14837: SSL errors now have library and reason attributes describing precisely what happened and in which OpenSSL submodule.
The str() of a SSLError is also enhanced accordingly.
NOTE: this commit creates a reference leak.  The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type.  The leak is on the
type object when it is instantiated:
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00

Antoine Pitrou
d5d17eb653
Issue #14204: The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00

Antoine Pitrou
c135fa424e
Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay.
2012-02-19 21:22:39 +01:00

Antoine Pitrou
a9bf2ac726
Try to really fix compilation failures of the _ssl module under very old OpenSSLs.
2012-02-17 18:47:54 +01:00

Antoine Pitrou
e9fccb360f
Fix compilation when SSL_OP_SINGLE_ECDH_USE isn't defined
2012-02-17 11:53:10 +01:00

Antoine Pitrou
04d4ee4e56
Issue #13014: Fix a possible reference leak in SSLSocket.getpeercert().
2012-02-15 22:28:21 +01:00

Antoine Pitrou
2f5a163dfc
Issue #13014: Fix a possible reference leak in SSLSocket.getpeercert().
2012-02-15 22:25:27 +01:00

Antoine Pitrou
9e2e5329dc
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:53:29 +01:00

Antoine Pitrou
3f366314e8
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:50:45 +01:00

Antoine Pitrou
f2bf8a6ac5
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:48:47 +01:00

Antoine Pitrou
0e576f1f50
Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00

Antoine Pitrou
501da61671
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
(followup to issue #13627)
2011-12-21 09:27:41 +01:00

Antoine Pitrou
8abdb8abd8
Issue #13634: Add support for querying and disabling SSL compression.
2011-12-20 10:13:40 +01:00

Antoine Pitrou
923df6f22a
Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00