Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-10-30 05:01:30 +00:00
Code Issues Projects Releases Packages Wiki Activity
104692 commits 7 branches 633 tags 3.5 GiB
Commit graph

464 commits

Author SHA1 Message Date
Antoine Pitrou
c695c95626 Issue #19940: ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone. 
Patch by Akira.
 2014-04-28 20:57:36 +02:00
Antoine Pitrou
172f025bed Issue #21068: The ssl.PROTOCOL* constants are now enum members. 2014-04-18 20:33:08 +02:00
Antoine Pitrou
c043061667 Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015 2014-04-16 18:33:39 +02:00
Antoine Pitrou
94a5b663bf Issue #20896: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility. 2014-04-16 18:56:28 +02:00
Donald Stufft
6a2ba94908 Issue #21013: Enhance ssl.create_default_context() for server side contexts 
Closes #21013 by modfying ssl.create_default_context() to:

* Move the restricted ciphers to only apply when using
  ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
  is the lack of RC4 in the restricted. However there are servers that exist
  that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
  will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
  of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
  socket the context will prioritize our ciphers which have been carefully
  selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
  that end users can more easily determine if they need to unset
  ssl.OP_NO_SSLv3.
 2014-03-23 19:05:28 -04:00
Antoine Pitrou
0bebbc33fa Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1". 
(should also fix a buildbot failure introduced by #20995)
 2014-03-22 18:13:50 +01:00
Benjamin Peterson
10b93cc29c merge 3.3 (#20896) 2014-03-12 18:10:57 -05:00
Benjamin Peterson
d0fc83d5eb merge 3.2 (#20896) 2014-03-12 18:10:47 -05:00
Benjamin Peterson
cf25c5caae use ssl.PROTOCOL_SSLv23 for maximum compatibility (closes #20896) 2014-03-12 18:05:53 -05:00
Antoine Pitrou
ba44860c11 Try to fix test_ssl failures on some buildbots 2014-01-09 21:30:17 +01:00
Antoine Pitrou
32c4915b23 Try to fix test_ssl failures on some buildbots 2014-01-09 21:28:48 +01:00
Antoine Pitrou
78ace81c93 Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. 2014-01-09 20:09:03 +01:00
Antoine Pitrou
cd3d7cabef Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. 2014-01-09 20:02:20 +01:00
Antoine Pitrou
3e86ba4e32 Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:26:33 +01:00
Antoine Pitrou
e6d2f159fc Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. 2013-12-28 17:30:51 +01:00
Victor Stinner
36e96b8716 (Merge 3.3) Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now 
raise a ValueError if num is negative (instead of raising a SystemError).
 2013-12-19 16:47:25 +01:00
Victor Stinner
1e81a399a2 Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a 
ValueError if num is negative (instead of raising a SystemError).
 2013-12-19 16:47:04 +01:00
Christian Heimes
bd9cbb0691 Issue #19919: Fix flacky SSL test. connect_ex() sometimes returns 
EWOULDBLOCK on Windows or VMs hosted on Windows.
 2013-12-16 21:16:45 +01:00
Christian Heimes
de57074874 Issue #19919: Fix flacky SSL test. connect_ex() sometimes returns 
EWOULDBLOCK on Windows or VMs hosted on Windows.
 2013-12-16 21:15:44 +01:00
Christian Heimes
575596e19a test_ssl: skip tests when SNI is not available 2013-12-15 21:49:17 +01:00
Christian Heimes
8e7f394282 Test SSLSock's context getter and setter 2013-12-05 07:41:08 +01:00
Christian Heimes
a02c69a73b add check_hostname arg to ssl._create_stdlib_context() 2013-12-02 20:59:28 +01:00
Christian Heimes
1aa9a75fbf Issue #19509: Add SSLContext.check_hostname to match the peer's certificate 
with server_hostname on handshake.
 2013-12-02 02:41:19 +01:00
Christian Heimes
67986f9431 Issue #19735: Implement private function ssl._create_stdlib_context() to 
create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().
 2013-11-23 22:43:47 +01:00
Christian Heimes
4c05b472dd Issue #19689: Add ssl.create_default_context() factory function. It creates 
a new SSLContext object with secure default settings.
 2013-11-23 15:58:30 +01:00
Christian Heimes
72d28500b3 Issue #19292: Add SSLContext.load_default_certs() to load default root CA 
certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.
 2013-11-23 13:56:58 +01:00
Christian Heimes
2427b50fdd Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+ 
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
 2013-11-23 11:24:32 +01:00
Christian Heimes
5398e1a56e Issue #19448: report name / NID in exception message of ASN1Object 2013-11-22 16:20:53 +01:00
Christian Heimes
c2d65e1e93 Issue #17134: check certs of CA and ROOT system store 2013-11-22 16:13:55 +01:00
Christian Heimes
32f0c7a67b or VERIFY_CRL_CHECK_LEAF to verify_flags 2013-11-22 03:43:48 +01:00
Christian Heimes
44109d7de7 Issue #17134: Finalize interface to Windows' certificate store. Cert and 
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
 2013-11-22 01:51:30 +01:00
Christian Heimes
d6dc952e17 one CERT_REQUIRED is enough 2013-11-22 00:39:38 +01:00
Christian Heimes
225877917e Issue #8813: Add SSLContext.verify_flags to change the verification flags 
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
 2013-11-21 23:56:13 +01:00
Christian Heimes
bd3a7f90b5 Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP 
and CRL distribution points.
 2013-11-21 03:40:15 +01:00
Christian Heimes
efff7060f8 Issue #18138: Implement cadata argument of SSLContext.load_verify_location() 
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
 2013-11-21 03:35:02 +01:00
Christian Heimes
a6bc95aa02 Issue #19448: Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name. 2013-11-17 19:59:14 +01:00
Georg Brandl
ec3c103520 Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes 
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
``uniformResourceIdentifier`` (URI).
 2014-09-30 14:04:51 +02:00
Georg Brandl
72c98d3a76 Issue #17997: Change behavior of `ssl.match_hostname()` to follow RFC 6125, 
for security reasons.  It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.
 2013-10-27 07:16:53 +01:00
Georg Brandl
b89b5df9c9 merge with 3.3 2013-10-27 07:46:09 +01:00
Antoine Pitrou
20b85557f2 Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done. 2013-09-29 19:50:53 +02:00
Christian Heimes
2769d44827 Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger 2013-08-25 14:12:50 +02:00
Christian Heimes
157c9834b4 Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger 2013-08-25 14:12:41 +02:00
Christian Heimes
6acbe2aaa3 Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork. 
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
 2013-08-21 13:26:34 +02:00
Christian Heimes
f77b4b20e9 Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork. 
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
 2013-08-21 13:26:05 +02:00
Christian Heimes
e06d47c70c Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes 
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
 2013-08-17 00:58:00 +02:00
Christian Heimes
824f7f366d Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes 
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
 2013-08-17 00:54:47 +02:00
Antoine Pitrou
2894073e1a test_ssl: use a bytestring here 2013-07-20 19:36:15 +02:00
Antoine Pitrou
60a26e0516 Issue #9177: Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket. 
Patch by Senko Rasic.
 2013-07-20 19:35:16 +02:00
Christian Heimes
9a5395ae2b Issue #18147: Add diagnostic functions to ssl.SSLContext(). 
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
 2013-06-17 15:44:12 +02:00
Christian Heimes
9424bb4aea Issue #18207: Fix test_ssl for some versions of OpenSSL that ignore seconds 
in ASN1_TIME fields.
 2013-06-17 15:32:57 +02:00