expose X509_V_FLAG_TRUSTED_FIRST

990fcaac · Benjamin Peterson · fdb19715 · 990fcaac · 990fcaac · 990fcaac
Commit 990fcaac authored Mar 04, 2015 by Benjamin Peterson
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 5 deletions

Doc/library/ssl.rst Doc/library/ssl.rst +11 -3

Lib/test/test_ssl.py Lib/test/test_ssl.py +3 -2

Modules/_ssl.c Modules/_ssl.c +4 -0

No files found.
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -499,9 +499,9 @@ Constants
 .. data:: VERIFY_DEFAULT
-   Possible value for :attr:`SSLContext.verify_flags`. In this mode,
+   Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
-   certificate revocation lists (CRLs) are not checked. By default OpenSSL
+   revocation lists (CRLs) are not checked. By default OpenSSL does neither
-   does neither require nor verify CRLs.
+   require nor verify CRLs.
   .. versionadded:: 3.4
@@ -529,6 +529,14 @@ Constants
   .. versionadded:: 3.4
+.. data:: VERIFY_X509_TRUSTED_FIRST
+   Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+   prefer trusted certificates when building the trust chain to validate a
+   certificate. This flag is enabled by default.
+   .. versionadded:: 3.4.5
 .. data:: PROTOCOL_SSLv23
   Selects the highest protocol version that both the client and server support.

--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -710,8 +710,9 @@ class ContextTests(unittest.TestCase):
                         "verify_flags need OpenSSL > 0.9.8")
    def test_verify_flags(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-        # default value by OpenSSL
+        # default value
-        self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
+        tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+        self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
        ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
        self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
        ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4004,6 +4004,10 @@ PyInit__ssl(void)
                            X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
    PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
                            X509_V_FLAG_X509_STRICT);
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
+                            X509_V_FLAG_TRUSTED_FIRST);
+#endif
    /* Alert Descriptions from ssl.h */
    /* note RESERVED constants no longer intended for use have been removed */