Commit Graph

116 Commits

Author SHA1 Message Date
Christian Heimes
c2fc7c4f53 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:37:13 +02:00
Martin Panter
8c6849bfe6 Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF 2016-07-11 00:17:13 +00:00
Martin Panter
d524b705af Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes 2016-03-28 00:22:09 +00:00
Martin Panter
b8089b4dde Issue #26644: Raise ValueError for negative SSLSocket.recv() and read() 2016-03-27 05:35:19 +00:00
Nick Coghlan
dbcd457624 Issue #23857: Implement PEP 493
Adds a Python-2-only ssl module API and environment variable to
configure the default handling of SSL/TLS certificates for
HTTPS connections.
2016-03-20 22:39:15 +10:00
Martin Panter
886aba4737 Issue #26173: Separate bad cert file tests and client rejection test
Test test_wrong_cert() runs a server that rejects the client's certificate,
so ECONNRESET is reasonable in addition to SSLError. On the other hand, the
other three tests don't even need to run a server because they are just
testing the parsing of invalid certificate files.

This should fix intermittent failures on Windows where ECONNRESET was not
being caught.
2016-02-01 21:58:11 +00:00
Martin Panter
fd8e8504e2 Issue #26173: Fix test_ssl confusion with non-existing cert and wrongcert.pem
Testing for a non-existing certificate file is already done in test_errors().
The wrongcert.pem test was originally testing behaviour with a mismatched
certificate.
2016-01-30 02:36:00 +00:00
Martin Panter
71202bb053 Issue #25940: Use self-signed.pythontest.net in SSL tests
This is instead of svn.python.org, whose certificate recently expired, and
whose new certificate uses a different root certificate.

The certificate used at the pythontest server was modified to set the "basic
constraints" CA flag. This flag seems to be required for
test_get_ca_certs_capath() to work.

Added the new self-signed certificate to capath with the following commands:

cp Lib/test/{selfsigned_pythontestdotnet.pem,capath/}
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{selfsigned_pythontestdotnet.pem,0e4015b9.0}
mv Lib/test/capath/{selfsigned_pythontestdotnet.pem,ce7b8643.0}

When attempting to connect to port 444 on the new server, the resulting error
code is EHOSTUNREACH on Linux, and ETIMEDOUT on Windows.
2016-01-15 00:25:29 +00:00
Benjamin Peterson
10aaca9941 always set OP_NO_SSLv3 by default (closes #25530) 2015-11-11 22:38:41 -08:00
Benjamin Peterson
df11d4cbe4 replace 512 bit dh key with a 2014 bit one (closes #23844)
Patch by Cédric Krier.
2015-04-02 00:04:06 -04:00
Benjamin Peterson
d86699fe04 adjust test_crl_check for trusted first being default 2015-03-04 23:18:48 -05:00
Benjamin Peterson
72ef961059 expose X509_V_FLAG_TRUSTED_FIRST 2015-03-04 22:49:41 -05:00
Ned Deily
fa11978f1b Issue #23345: Prevent test_ssl failures with large OpenSSL patch level
values (like 0.9.8zc).
2015-02-05 17:19:11 +11:00
Serhiy Storchaka
5312a7f912 Avoid deprecation warnings. 2015-01-31 11:27:06 +02:00
Benjamin Peterson
aa7075845c prefer server alpn ordering over the client's 2015-01-23 17:30:26 -05:00
Benjamin Peterson
b10bfbe036 pep 466 backport of alpn (#20188) 2015-01-23 16:35:37 -05:00
Victor Stinner
7c90667f74 Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:53:37 +01:00
Benjamin Peterson
60766c47e7 allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935)
Patch by Kurt Roeckx.
2014-12-05 21:59:35 -05:00
Benjamin Peterson
31aa69ead5 allow hostname to be passed to SSLContext even if OpenSSL doesn't support SNI (closes #22921)
Patch from Donald Stufft.
2014-11-23 20:13:31 -06:00
Benjamin Peterson
b0609ec8f3 remove py3k warning guard 2014-11-23 11:52:46 -06:00
Benjamin Peterson
fcfb18ee2b allow passing cert/ssl information to urllib2.urlopen and httplib.HTTPSConnection
This is basically a backport of issues #9003 and #22366.
2014-11-23 11:42:45 -06:00
Benjamin Peterson
04439fd5ee test that keyfile can be None 2014-11-03 21:05:01 -05:00
Benjamin Peterson
a02ae2500a separate cert loading tests into Windows and non-Windows cases 2014-10-03 18:17:15 -04:00
Benjamin Peterson
0b30a2bd27 also use openssl envvars to find certs on windows (closes #22449)
Patch by Christian Heimes and Alex Gaynor.
2014-10-03 17:27:05 -04:00
Benjamin Peterson
2f33456e41 fix sslwrap_simple (closes #22523)
Thanks Alex Gaynor.
2014-10-01 23:53:01 -04:00