delta/cpython-git.git/Modules/_ssl, branch master

bpo-43908: Mark ssl, hash, and hmac types as immutable (GH-25792)

2021-05-02T07:47:45+00:00

Signed-off-by: Christian Heimes

bpo-18233: Add internal methods to access peer chain (GH-25467)

2021-04-26T13:01:40+00:00

The internal `_ssl._SSLSocket` object now provides methods to retrieve
the peer cert chain and verified cert chain as a list of Certificate
objects. Certificate objects have methods to convert the cert to a dict,
PEM, or DER (ASN.1).

These are private APIs for now. There is a slim chance to stabilize the
approach and provide a public API for 3.10. Otherwise I'll provide a
stable API in 3.11.

Signed-off-by: Christian Heimes

bpo-42333: Port _ssl extension to multiphase initialization (PEP 489) (GH-23253)

2021-04-17T18:06:38+00:00

- Introduce sslmodule_slots
- Introduce sslmodulestate
- Use sslmodulestate
- Get rid of PyState_FindModule
- Move new structs and helpers to header file
- Use macros to access state
- Keep a strong ref to socket type

bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)

2021-04-17T09:36:35+00:00

- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code. Python wrappers are no-op.
- ECDH is always supported
- Remove OPENSSL_VERSION_1_1 macro
- Remove locking callbacks
- Drop PY_OPENSSL_1_1_API macro
- Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
- SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
- security level is always available now
- get_num_tickets is available with TLS 1.3
- X509_V_ERR MISMATCH is always available now
- Always set SSL_MODE_RELEASE_BUFFERS
- X509_V_FLAG_TRUSTED_FIRST is always available
- get_ciphers is always supported
- SSL_CTX_set_keylog_callback is always available
- Update Modules/Setup with static link example
- Mention PEP in whatsnew
- Drop 1.0.2 and 1.1.0 from GHA tests

bpo-43577: Fix deadlock with SSLContext._msg_callback and sni_callback (GH-24957)

2021-03-21T15:13:09+00:00

OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.

PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.

Signed-off-by: Christian Heimes

bpo-41056: Fix a NULL pointer dereference on MemoryError within the ssl module. (GH-21009)

2020-06-20T19:15:03+00:00

Detected by Coverity.

bpo-34271: Fix compatibility with 1.0.2 (GH-13728)

2019-06-03T18:40:15+00:00

Fix various compatibility issues with LibreSSL and OpenSSL 1.0.2
introduced by bpo-34271.

Signed-off-by: Christian Heimes

bpo-34271: Add ssl debugging helpers (GH-10031)

2019-05-31T09:44:05+00:00

The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

The msg_callback and related enums are private members. The feature
is designed for internal debugging and not for end users.

Signed-off-by: Christian Heimes