Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-10-31 05:31:20 +00:00
Code Issues Projects Releases Packages Wiki Activity
124821 commits 7 branches 633 tags 3.6 GiB
Commit graph

208 commits

Author SHA1 Message Date
Donald Stufft
79ccaa2cad Issue #20995: Enhance default ciphers used by the ssl module 
Closes #20995 by Enabling better security by prioritizing ciphers
such that:

* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
  compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
  reasons
 2014-03-21 21:33:34 -04:00
Victor Stinner
7fa767e517 Issue #20976: pyflakes: Remove unused imports 2014-03-20 09:16:38 +01:00
Antoine Pitrou
e6d2f159fc Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:30:51 +01:00
Antoine Pitrou
3e86ba4e32 Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:26:33 +01:00
Christian Heimes
1da3ba8697 Issue #19509: Don't close the socket in do_handshake() when hostname verification fails. 2013-12-04 20:46:20 +01:00
Christian Heimes
a02c69a73b add check_hostname arg to ssl._create_stdlib_context() 2013-12-02 20:59:28 +01:00
Christian Heimes
1aa9a75fbf Issue #19509: Add SSLContext.check_hostname to match the peer's certificate 
with server_hostname on handshake.
 2013-12-02 02:41:19 +01:00
Christian Heimes
dec813f118 ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME 2013-11-28 08:06:54 +01:00
Christian Heimes
67986f9431 Issue #19735: Implement private function ssl._create_stdlib_context() to 
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
 2013-11-23 22:43:47 +01:00
Christian Heimes
4c05b472dd Issue #19689: Add ssl.create_default_context() factory function. It creates 
a new SSLContext object with secure default settings.
 2013-11-23 15:58:30 +01:00
Christian Heimes
72d28500b3 Issue #19292: Add SSLContext.load_default_certs() to load default root CA 
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
 2013-11-23 13:56:58 +01:00
Christian Heimes
44109d7de7 Issue #17134: Finalize interface to Windows' certificate store. Cert and 
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
 2013-11-22 01:51:30 +01:00
Christian Heimes
225877917e Issue #8813: Add SSLContext.verify_flags to change the verification flags 
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
 2013-11-21 23:56:13 +01:00
Christian Heimes
a6bc95aa02 Issue #19448: Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name. 2013-11-17 19:59:14 +01:00
Georg Brandl
72c98d3a76 Issue #17997: Change behavior of `ssl.match_hostname()` to follow RFC 6125, 
for security reasons.  It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
 2013-10-27 07:16:53 +01:00
Georg Brandl
b89b5df9c9 merge with 3.3 2013-10-27 07:46:09 +01:00
Ezio Melotti
9a3777e525 #18705: merge with 3.3. 2013-08-17 15:53:55 +03:00
Ezio Melotti
30b9d5d3af #18705: fix a number of typos. Patch by Févry Thibault. 2013-08-17 15:50:46 +03:00
Antoine Pitrou
60a26e0516 Issue #9177: Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket. 
Patch by Senko Rasic.
 2013-07-20 19:35:16 +02:00
Brett Cannon
cd171c8e92 Issue #18200: Back out usage of ModuleNotFoundError (8d28d44f3a9a) 2013-07-04 17:43:24 -04:00
Brett Cannon
0a140668fa Issue #18200: Update the stdlib (except tests) to use 
ModuleNotFoundError.
 2013-06-13 20:57:26 -04:00
Christian Heimes
46bebee25f Issue #17134: Add ssl.enum_cert_store() as interface to Windows' cert store. 2013-06-09 19:03:31 +02:00
Christian Heimes
6d7ad13a45 Issue #18143: Implement ssl.get_default_verify_paths() in order to debug 
the default locations for cafile and capath.
 2013-06-09 18:02:55 +02:00
Antoine Pitrou
636f93c63b Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). 2013-05-18 17:56:42 +02:00
Antoine Pitrou
31fb419908 Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). 2013-05-18 17:59:12 +02:00
Antoine Pitrou
242db728e2 Issue #13721: SSLSocket.getpeercert() and SSLSocket.do_handshake() now raise an OSError with ENOTCONN, instead of an AttributeError, when the SSLSocket is not connected. 2013-05-01 20:52:07 +02:00
Giampaolo Rodola'
06d0c1e72c remove uneffective 'while True' clause 2013-04-03 12:01:44 +02:00
Antoine Pitrou
2463e5fee4 Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù. 2013-03-28 22:24:43 +01:00
Benjamin Peterson
f86b3c394c merge 3.3 (#16900) 2013-01-10 14:16:42 -06:00
Benjamin Peterson
36f7b97787 remove __del__ because it's evil and also prevents the ResourceWarning on the socket from happening (closes #16900) 2013-01-10 14:16:20 -06:00
Antoine Pitrou
58ddc9d743 Issue #8109: The ssl module now has support for server-side SNI, thanks to a :meth:SSLContext.set_servername_callback method. 
Patch by Daniel Black.
 2013-01-05 21:20:29 +01:00
Andrew Svetlov
0832af6628 Issue #16717: get rid of socket.error, replace with OSError 2012-12-18 23:10:48 +02:00
Antoine Pitrou
73e9bd4d25 Issue #16357: fix calling accept() on a SSLSocket created through SSLContext.wrap_socket(). 
Original patch by Jeff McNeil.
 2012-11-11 01:27:33 +01:00
Antoine Pitrou
5c89b4ec55 Issue #16357: fix calling accept() on a SSLSocket created through SSLContext.wrap_socket(). 
Original patch by Jeff McNeil.
 2012-11-11 01:25:36 +01:00
Antoine Pitrou
d5d17eb653 Issue #14204: The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library. 
Patch by Colin Marc.
 2012-03-22 00:23:03 +01:00
Antoine Pitrou
a9bf2ac726 Try to really fix compilation failures of the _ssl module under very old OpenSSLs. 2012-02-17 18:47:54 +01:00
Antoine Pitrou
8f85f907e3 Issue #13636: Weak ciphers are now disabled by default in the ssl module 
(except when SSLv2 is explicitly asked for).
 2012-01-03 22:46:48 +01:00
Antoine Pitrou
72aeec35a1 Issue #13636: Weak ciphers are now disabled by default in the ssl module 
(except when SSLv2 is explicitly asked for).
 2012-01-03 22:49:08 +01:00
Antoine Pitrou
0e576f1f50 Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the 
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
 2011-12-22 10:03:38 +01:00
Antoine Pitrou
501da61671 Fix ssl module compilation if ECDH support was disabled in the OpenSSL build. 
(followup to issue #13627)
 2011-12-21 09:27:41 +01:00
Antoine Pitrou
8abdb8abd8 Issue #13634: Add support for querying and disabling SSL compression. 2011-12-20 10:13:40 +01:00
Antoine Pitrou
923df6f22a Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman 
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
 2011-12-19 17:16:51 +01:00
Antoine Pitrou
6db4944cc5 Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers 
choose the cipher based on their own preferences, rather than on the
client's.
 2011-12-19 13:27:11 +01:00
Antoine Pitrou
41032a69c1 Issue #11183: Add finer-grained exceptions to the ssl module, so that 
you don't have to inspect the exception's attributes in the common case.
 2011-10-27 23:56:55 +02:00
Nick Coghlan
513886aabb Fix #12835: prevent use of the unencrypted sendmsg/recvmsg APIs on SSL wrapped sockets (Patch by David Watson) 2011-08-28 00:00:27 +10:00
Nick Coghlan
5fab03fd15 Remove the SSLSocket versions of sendmsg/recvmsg due to lack of proper tests and documentation in conjunction with lack of any known use cases (see issue #6560 for details) 2011-08-23 22:26:44 +10:00
Nick Coghlan
96fe56abec Add support for the send/recvmsg API to the socket module. Patch by David Watson and Heiko Wundram. (Closes #6560) 2011-08-22 11:55:57 +10:00
Antoine Pitrou
d649480739 Issue #12551: Provide a get_channel_binding() method on SSL sockets so as 
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented).  This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.

Patch by Jacek Konieczny.
 2011-07-21 01:11:30 +02:00
Antoine Pitrou
7128f95bd2 Issue #12440: When testing whether some bits in SSLContext.options can be 
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
 2011-07-08 18:49:07 +02:00
Antoine Pitrou
b9ac25d1c3 Issue #12440: When testing whether some bits in SSLContext.options can be 
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
 2011-07-08 18:47:06 +02:00