- 27 Feb, 2018 2 commits
-
-
Christian Heimes authored
The ssl module function ssl.wrap_socket() has been de-emphasized and deprecated in favor of the more secure and efficient SSLContext.wrap_socket() method.
Signed-off-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2. Other tests currently fail because the threaded or async test servers stop after failure. I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>
-
- 24 Feb, 2018 2 commits
-
-
Christian Heimes authored
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
Previously, the ssl module stored international domain names (IDNs) as U-labels. This is problematic for a number of reasons -- for example, it made it impossible for users to use a different version of IDNA than the one built into Python. After this change, we always convert to A-labels as soon as possible, and use them for all internal processing. In particular, server_hostname attribute is now an A-label, and on the server side there's a new sni_callback that receives the SNI servername as an A-label rather than a U-label.
-
- 21 Feb, 2018 1 commit
-
-
Benjamin Peterson authored
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right protocol default, so let's not pass anyway.
-
- 27 Jan, 2018 1 commit
-
-
Christian Heimes authored
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
-
- 20 Jan, 2018 1 commit
-
-
Sanyam Khurana authored
Fixes some redirection links in docs.
-
- 13 Dec, 2017 1 commit
-
-
jimmy authored
-
- 06 Dec, 2017 1 commit
-
-
Sanyam Khurana authored
-
- 26 Nov, 2017 1 commit
-
-
Mandeep Singh authored
Wildcard is now supported in hostname when it is the one and only character in the leftmost segment.
-
- 20 Sep, 2017 1 commit
-
-
Felipe authored
-
- 15 Sep, 2017 2 commits
-
-
Christian Heimes authored
Signed-off-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and SSLSocket as return types. In the light of future deprecation of ssl.wrap_socket() module function and direct instantiation of SSLSocket, it is desirable to make the return type of SSLSocket.wrap_bio() and SSLSocket.wrap_socket() customizable.
Signed-off-by: Christian Heimes <christian@python.org>
-
- 08 Sep, 2017 2 commits
-
-
Christian Heimes authored
The SSL module now raises SSLCertVerificationError when OpenSSL fails to verify the peer's certificate. The exception contains more information about the error.
Original patch by Chi Hsuan Yen
Signed-off-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now.
Signed-off-by: Christian Heimes <christian@python.org>
-
- 06 Sep, 2017 1 commit
-
-
Christian Heimes authored
Signed-off-by: Christian Heimes <christian@python.org>
-
- 15 Aug, 2017 1 commit
-
-
Christian Heimes authored
OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that. The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN callback can pretend to not have been set.
See https://github.com/openssl/openssl/pull/3158 for more details
Signed-off-by: Christian Heimes <christian@python.org>
-
- 11 Jun, 2017 2 commits
-
-
Benjamin Peterson authored
-
Benjamin Peterson authored
SSLObject has recv() and send(), but they don't do any network io.
-
- 09 Jun, 2017 1 commit
-
-
Chandan Kumar authored
* RFC 1750 has been obsoleted by RFC 4086.
* RFC 3280 has been obsoleted by RFC 5280.
* RFC 4366 has been obsoleted by RFC 6066.
-
- 02 May, 2017 1 commit
-
-
Nathaniel J. Smith authored
-
- 13 Apr, 2017 1 commit
-
-
Marco Buttu authored
-
- 02 Mar, 2017 1 commit
-
-
Alex Gaynor authored
-
- 01 Mar, 2017 1 commit
-
-
Alex Gaynor authored
-
- 06 Feb, 2017 1 commit
-
-
Berker Peksag authored
-
- 19 Oct, 2016 2 commits
-
-
Serhiy Storchaka authored
-
Serhiy Storchaka authored
-
- 13 Sep, 2016 2 commits
-
-
Christian Heimes authored
-
Christian Heimes authored
-
- 11 Sep, 2016 2 commits
-
-
Christian Heimes authored
-
Christian Heimes authored
-
- 10 Sep, 2016 3 commits
-
-
Christian Heimes authored
-
Christian Heimes authored
The deprecation includes manual creation of SSLSocket and certfile/keyfile (or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib. ssl.wrap_socket() is not marked as deprecated yet.
-
Christian Heimes authored
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
-
- 09 Sep, 2016 1 commit
-
-
Christian Heimes authored
-
- 06 Sep, 2016 1 commit
-
-
Christian Heimes authored
-
- 05 Sep, 2016 2 commits
-
-
Christian Heimes authored
-
Christian Heimes authored
-
- 11 Jun, 2016 1 commit
-
-
Terry Jan Reedy authored
Reformat header above separator line (added if missing) to a common format. Patch by Yoni Lavi.
-
- 10 May, 2016 1 commit
-
-
Serhiy Storchaka authored
Original patch by James Edwards.
-