path: root/Modules/_ssl.c
Commit log for this file. Each entry: commit message | author | date | files changed | lines removed/added, followed by the commit body where one exists.
* [2.7] bpo-34710: fix SSL module build (GH-9347) (GH-9353) | Christian Heimes | 2018-09-17 | 1 file | -0/+1
  Include ``openssl/dh.h`` header file to fix implicit function declaration of ``DH_free()``.
  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
  (cherry picked from commit b3a271fc0ce3e13e427be8914decfc205a220ca8)
  Co-authored-by: Alexandru Ardelean <ardeleanalex@gmail.com>
  https://bugs.python.org/issue34710

* [2.7] bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210) (GH-6215) | Christian Heimes | 2018-03-24 | 1 file | -8/+16
  LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7. Documentation updates and fixes for failing tests will be provided in another patch set.
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit 4ca0739c9d97ac7cd45499e0d31be68dc659d0e1)
  Co-authored-by: Christian Heimes <christian@python.org>

* [2.7] bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (GH-5876) (#5882) | Christian Heimes | 2018-02-25 | 1 file | -21/+26
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit 29eab55309b9f78b79074d26db16a44e7841c639)
  Co-authored-by: Christian Heimes <christian@python.org>

* Fix ssl module, Python 2.7 doesn't have Py_MAX (#5878) | Christian Heimes | 2018-02-25 | 1 file | -1/+2
  Signed-off-by: Christian Heimes <christian@python.org>

* [2.7] bpo-30622: Improve NPN support detection (GH-5859) (#5863) | Christian Heimes | 2018-02-25 | 1 file | -7/+20
  The ssl module now detects missing NPN support in LibreSSL.
  Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a)
  Co-authored-by: Christian Heimes <christian@python.org>

* [2.7] bpo-32185: Don't send IP in SNI TLS extension (GH-5865) (#5871) | Miss Islington (bot) | 2018-02-25 | 1 file | -2/+40
  The SSL module no longer sends IP addresses in SNI TLS extension on platforms with OpenSSL 1.0.2+ or inet_pton.
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit e9370a47389903bb72badc95032ec84a0ebbf8cc)
  Co-authored-by: Christian Heimes <christian@python.org>

* bpo-25404: SSLContext.load_dh_params() non-ASCII path (GH-3459) | Christian Heimes | 2018-02-25 | 1 file | -4/+17
  SSLContext.load_dh_params() now supports non-ASCII path.
  Signed-off-by: Christian Heimes <christian@python.org>

* [2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446) | Christian Heimes | 2017-09-07 | 1 file | -0/+13
  * bpo-29136: Add TLS 1.3 support
  TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites.
  Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now.
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)

* [2.7] bpo-28958: Improve SSLContext error reporting. (GH-3414) (#3433) | Christian Heimes | 2017-09-07 | 1 file | -2/+1
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit 17c9ac9)

* [2.7] bpo-30502: Fix handling of long oids in ssl. (GH-2909). (#3322) | Christian Heimes | 2017-09-05 | 1 file | -41/+48
  (cherry picked from commit e503ca52889bf66ac502702569e726caa7970299)

* [2.7] bpo-30102: Call OPENSSL_add_all_algorithms_noconf (GH-3112) (#3343) | Christian Heimes | 2017-09-05 | 1 file | -1/+5
  The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on OpenSSL < 1.1.0. The function detects CPU features and enables optimizations on some CPU architectures such as POWER8. Patch is based on research from Gustavo Serra Scalet.
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit c941e62)

* [2.7] bpo-30622: Change NPN detection: (GH-2079) (#3316) | Christian Heimes | 2017-09-05 | 1 file | -7/+9
  * Change NPN detection:
  Version breakdown, support disabled (pre-patch/post-patch):
  - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
  Version breakdown, support enabled (pre-patch/post-patch):
  - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
  - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
  * Refine NPN guard:
  - If NPN is disabled, but ALPN is available we need our callback
  - Make clinic's ssl behave the same way
  This created a working ssl module for me, with NPN disabled and ALPN enabled for OpenSSL 1.1.0f.
  Concerns to address: The initial commit for NPN support into OpenSSL [1] had the OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG guard. The question is if that ever made it into a release. This would need an ugly hack, something like:
      #if defined(OPENSSL_NO_NEXTPROTONEG) && \
          !defined(OPENSSL_NPN_NEGOTIATED)
      # define OPENSSL_NPN_UNSUPPORTED 0
      # define OPENSSL_NPN_NEGOTIATED 1
      # define OPENSSL_NPN_NO_OVERLAP 2
      #endif
  [1] https://github.com/openssl/openssl/commit/68b33cc5c7
  (cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8)

* bpo-31095: Fix potential crash during GC (GH-3197) | INADA Naoki | 2017-09-04 | 1 file | -0/+2
  (cherry picked from commit a6296d34a478b4f697ea9db798146195075d496c)

* [2.7] bpo-29738: Fix memory leak in _get_crl_dp (GH-526) (GH-1144) | Mariatta | 2017-04-14 | 1 file | -7/+1
  * Remove conditional on free of `dps`, since `dps` is now allocated for all versions of OpenSSL
  * Remove call to `x509_check_ca` since it was only used to cache the `crldp` field of the certificate
  CRL_DIST_POINTS_free is available in all supported versions of OpenSSL (recent 0.9.8+) and LibreSSL.
  (cherry picked from commit 2849cc34a8db93d448a62d69c462402347b50dcb)

* bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399) | Donald Stufft | 2017-03-02 | 1 file | -2/+2

* Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. | Christian Heimes | 2016-09-06 | 1 file | -1/+34

* Issue #26470: Use short name rather than name for compression name to fix #27958. | Christian Heimes | 2016-09-06 | 1 file | -6/+1

* Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. | Christian Heimes | 2016-09-05 | 1 file | -41/+131

* Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF | Martin Panter | 2016-07-11 | 1 file | -0/+8

* assume egd unless OPENSSL_NO_EGD is defined—remove configure check (closes #24557) | Benjamin Peterson | 2016-07-07 | 1 file | -3/+3

* fix leak of keyfile_bytes | Benjamin Peterson | 2016-06-08 | 1 file | -0/+1

* stop leaking certfile_bytes (closes #27267) | Benjamin Peterson | 2016-06-08 | 1 file | -0/+1

* Issue #26200: Added Py_SETREF and replaced Py_XSETREF with Py_SETREF in places where Py_DECREF was used. | Serhiy Storchaka | 2016-04-10 | 1 file | -1/+1

* Issue #22570: Renamed Py_SETREF to Py_XSETREF. | Serhiy Storchaka | 2016-04-06 | 1 file | -1/+1

* Issue #26644: Raise ValueError for negative SSLSocket.recv() and read() | Martin Panter | 2016-03-27 | 1 file | -0/+4

* open the cert store readonly | Benjamin Peterson | 2016-02-17 | 1 file | -2/+6
  Patch from Chi Hsuan Yen.

* Issue #20440: Massive replacing unsafe attribute setting code with special macro Py_SETREF. | Serhiy Storchaka | 2015-12-24 | 1 file | -2/+1

* rm trailing ws | Benjamin Peterson | 2015-11-14 | 1 file | -1/+1
* fix possible memory leak in _get_aia_uri (closes #25578) | Benjamin Peterson | 2015-11-14 | 1 file | -1/+4
* fix build with older openssl (#25569) | Benjamin Peterson | 2015-11-14 | 1 file | -1/+1

* always set OP_NO_SSLv3 by default (closes #25530) | Benjamin Peterson | 2015-11-11 | 1 file | -0/+2

* fix memory leak in _get_crl_dp (closes #25569) | Benjamin Peterson | 2015-11-11 | 1 file | -28/+24
  Patch started by Stéphane Wirtel.

* Issue #25523: Backported a-to-an corrections. | Serhiy Storchaka | 2015-11-02 | 1 file | -1/+1

* improve style of the convert macro (#24655) | Benjamin Peterson | 2015-07-18 | 1 file | -7/+7
  Patch by Brian Cain.

* remove extra arguments in arg parsing format codes (closes #23875) | Benjamin Peterson | 2015-04-06 | 1 file | -2/+2

* expose X509_V_FLAG_TRUSTED_FIRST | Benjamin Peterson | 2015-03-04 | 1 file | -0/+4

* enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476) | Benjamin Peterson | 2015-03-04 | 1 file | -0/+9

* Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the SSL layer but the underlying connection hasn't been closed. | Antoine Pitrou | 2015-03-04 | 1 file | -20/+0

* Issue #23446: Use PyMem_New instead of PyMem_Malloc to avoid possible integer overflows. Added few missed PyErr_NoMemory(). | Serhiy Storchaka | 2015-02-16 | 1 file | -3/+4

* ifdef our way to compatibility with old openssl (closes #23335) | Benjamin Peterson | 2015-01-28 | 1 file | -1/+1

* disable ALPN on LibreSSL, which has a large version number, but not ALPN support (closes #23329) | Benjamin Peterson | 2015-01-27 | 1 file | -1/+1

* prefer server alpn ordering over the client's | Benjamin Peterson | 2015-01-23 | 1 file | -13/+20

* pep 466 backport of alpn (#20188) | Benjamin Peterson | 2015-01-23 | 1 file | -22/+110

* Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The availability of the function is checked during the compilation. Patch written by Bernard Spil. | Victor Stinner | 2015-01-06 | 1 file | -3/+10

* allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935) | Benjamin Peterson | 2014-12-05 | 1 file | -0/+4
  Patch by Kurt Roeckx.

* allow hostname to be passed to SSLContext even if OpenSSL doesn't support SNI (closes #22921) | Benjamin Peterson | 2014-11-23 | 1 file | -6/+0
  Patch from Donald Stufft.

* allow keyfile argument to be None (closes #22787) | Benjamin Peterson | 2014-11-03 | 1 file | -7/+23

* fix sslwrap_simple (closes #22523) | Benjamin Peterson | 2014-10-01 | 1 file | -6/+12
  Thanks Alex Gaynor.

* Issue #20421: Add a .version() method to SSL sockets exposing the actual protocol version in use. | Alex Gaynor | 2014-09-04 | 1 file | -0/+13
  Backport from default.

* fix load_verify_locations on unicode paths (closes #22244) | Benjamin Peterson | 2014-08-28 | 1 file | -8/+24