Include ``openssl/dh.h`` header file to fix implicit function declaration of ``DH_free()``.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>.
(cherry picked from commit b3a271fc0ce3e13e427be8914decfc205a220ca8)
Co-authored-by: Alexandru Ardelean <ardeleanalex@gmail.com>
https://bugs.python.org/issue34710
LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects
LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and
LibreSSL < 2.7.
Documentation updates and fixes for failing tests will be provided in
another patch set.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 4ca0739c9d97ac7cd45499e0d31be68dc659d0e1)
Co-authored-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 29eab55309b9f78b79074d26db16a44e7841c639)
Co-authored-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a)
Co-authored-by: Christian Heimes <christian@python.org>
The SSL module no longer sends IP addresses in SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit e9370a47389903bb72badc95032ec84a0ebbf8cc)
Co-authored-by: Christian Heimes <christian@python.org>
SSLContext.load_dh_params() now supports non-ASCII path.
Signed-off-by: Christian Heimes <christian@python.org>
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 17c9ac9)
(cherry picked from commit e503ca52889bf66ac502702569e726caa7970299)
The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on
OpenSSL < 1.1.0. The function detects CPU features and enables optimizations
on some CPU architectures such as POWER8. Patch is based on research from
Gustavo Serra Scalet.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit c941e62)
* Change NPN detection:
  Version breakdown, support disabled (pre-patch/post-patch):
  - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
    False/False
  - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
    OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
  Version breakdown support enabled (pre-patch/post-patch):
  - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
    OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
  - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
    OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
* Refine NPN guard:
  - If NPN is disabled, but ALPN is available we need our callback
  - Make clinic's ssl behave the same way
This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.
Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:
#if defined(OPENSSL_NO_NEXTPROTONEG) && \
    !defined(OPENSSL_NPN_NEGOTIATED)
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
#endif
[1] https://github.com/openssl/openssl/commit/68b33cc5c7.
(cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8)
(cherry picked from commit a6296d34a478b4f697ea9db798146195075d496c)
* Remove conditional on free of `dps`, since `dps` is now allocated for
all versions of OpenSSL
* Remove call to `x509_check_ca` since it was only used to cache
the `crldp` field of the certificate
CRL_DIST_POINTS_free is available in all supported versions of OpenSSL
(recent 0.9.8+) and LibreSSL.
(cherry picked from commit 2849cc34a8db93d448a62d69c462402347b50dcb)
fields in X.509 certs.
#27958.
#24557)
in places where Py_DECREF was used.
Patch from Chi Hsuan Yen.
macro Py_SETREF.
Patch started by Stéphane Wirtel.
Patch by Brian Cain.
SSL layer but the underlying connection hasn't been closed.
overflows. Added few missed PyErr_NoMemory().
support (closes #23329)
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
Patch by Kurt Roeckx.
SNI (closes #22921)
Patch from Donald Stufft.
Thanks Alex Gaynor.
protocol version in use.
Backport from default.
|