| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
(GH-12101)
…mum_version (GH-11894).
(cherry picked from commit ae2ea33d5da34a777e77d489b700ff45d753934f)
Co-authored-by: Zhiming Wang <i@zhimingwang.org>
|
|
|
|
|
| |
(cherry picked from commit e483f02423917dc4dfd25f46e5b9e6fce304777d)
Co-authored-by: Stéphane Wirtel <stephane@wirtel.be>
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-9830)
Replace "Availability: xxx" with ".. availability:: xxx" in the doc.
Original patch by Georg Brandl.
Co-Authored-By: Georg Brandl <georg@python.org>
(cherry picked from commit 2d6097d027e0dd3debbabc702aa9c98d94ba32a3)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
|
|
|
|
|
| |
(cherry picked from commit 07fbbfde1b300369b4f8d1cfb80045fbb23b7091)
Co-authored-by: Stéphane Wirtel <stephane@wirtel.be>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add SSLContext.post_handshake_auth and
SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake
authentication.
Signed-off-by: Christian Heimes <christian@python.org>q
https://bugs.python.org/issue34670.
(cherry picked from commit 9fb051f032c36b9f6086b79086b4d6b7755a3d70)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue34670
|
|
|
|
|
| |
(cherry picked from commit 9c5ba097485c8c643b670acd4026f4382bc92f4b)
Co-authored-by: Marcin Niemira <marcin@niemira.net>
|
|
|
|
|
| |
(cherry picked from commit 5092439c2cb32112a5869b138011d38491db90a9)
Co-authored-by: Andrés Delfino <adelfino@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were
misleading and partly wrong. It fails to explain that OpenSSL behaves
differently in client and server mode. Also OpenSSL does validate the
cert chain everytime. With SSL_VERIFY_NONE a validation error is not
fatal in client mode and does not request a client cert in server mode.
Also discourage people from using CERT_OPTIONAL in client mode.
(cherry picked from commit ef24b6c54d40e7820456873a6eab6ef57d2bd0db)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
| |
(cherry picked from commit 9ef1b0690b90c526798b6b3125b0fa7ae98319a2)
Co-authored-by: Mayank Singhal <17mayank.singhal@gmail.com>
|
|
|
|
|
|
| |
85% of them are already links.
(cherry picked from commit 0a36ac1a09587735237c5978ebd046313922869c)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.
To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 529525fb5a8fd9b96ab4021311a598c77588b918)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.
Also update multissltests and Travis config to test with latest OpenSSL.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit e8eb6cb7920ded66abc5d284319a8539bdc2bae3)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
| |
The ssl module now contains OP_NO_RENEGOTIATION constant, available with
OpenSSL 1.1.0h or 1.1.1.
Note, OpenSSL 1.1.0h hasn't been released yet.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 67c48016638aac9a15afe6fd6754d53d2bdd6b76)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
| |
(GH-6814) (GH-6872)
(cherry picked from commit 19177fbd5d6d9b29ccc302d65f9d9417ece082ce)
Co-authored-by: Stéphane Wirtel <stephane@wirtel.be>
|
|
|
|
|
| |
(cherry picked from commit 9cf8c42f3231d3f066670d087a997bd1278482a0)
Co-authored-by: Matt Eaton <agnosticdev@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.
Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulate maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and
maximum supported version at compile time.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 698dde16f60729d9e3f53c23a4ddb8e5ffe818bf)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enabled hostname verification except was
ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED.
SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.
The only test case for direct instantiation was added a couple of days
ago for IDNA testing.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 9d50ab563df6307cabbcc9883cb8c52c614b0f22)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
| |
The ssl module function ssl.wrap_socket() has been de-emphasized
and deprecated in favor of the more secure and efficient
SSLContext.wrap_socket() method.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 90f05a527c7d439f1d0cba80f2eb32e60ee20fc3)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.
I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 05d9fe32a1245b9a798e49e0c1eb91f110935b69)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
| |
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.
After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
(cherry picked from commit 11a1493bc4198f1def5e572049485779cf54dc57)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
| |
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right
protocol default, so let's not pass anyway.
(cherry picked from commit e9edee0b65650c4f9db90cefc2e9a8125bad762c)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
| |
Fixes some redirection links in docs.
|
| |
|
| |
|
|
|
|
| |
Wildcard is now supported in hostname when it is one and only character in
the leftmost segment.
|
| |
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
| |
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and
SSLSocket as return types. In the light of future deprecation of
ssl.wrap_socket() module function and direct instantiation of SSLSocket,
it is desirable to make the return type of SSLSocket.wrap_bio() and
SSLSocket.wrap_socket() customizable.
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
| |
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.
Original patch by Chi Hsuan Yen
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
callback can pretend to not been set.
See https://github.com/openssl/openssl/pull/3158 for more details
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
| |
SSLObject has recv() and send(), but they don't do any network io.
|
|
|
|
|
| |
* RFC 1750 has been been obsoleted by RFC 4086.
* RFC 3280 has been obsoleted by RFC 5280.
* RFC 4366 has been obsoleted by RFC 6066.
|
|
|
|
| |
transition (#1355)
|
| |
|
| |
|
| |
|
| |
|
|\ |
|
| | |
|
|\ \
| |/ |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|