| Commit message | Author | Age | Files | Lines |
| |
* ALPN: complete handshake without accepting a client's protocols.
The callback passed to `SSL_CTX_set_alpn_select_cb` can return
`SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without
accepting any of the client's offered protocols.
This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python
callback passed to `Context.set_alpn_select_callback` can return to
achieve the same thing.
It does not change the previous meaning of an empty string, which
still terminates the handshake.
* Update src/OpenSSL/SSL.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Address @alex's review.
* Use recorded value in test, fix lint error.
* Cover TypeError branch in _ALPNHelper.callback
| |
* use _ffi.from_buffer(buf) in send, to support bytearray
* add bytearray test
* update CHANGELOG.rst
* move from_buffer before 'buffer too long' check
* context-managed from_buffer + black
* don't shadow buf in send()
* test return count for sendall
* test sending an array
* fix test
* also use from_buffer in bio_write
* de-format _util.py
* formatting
* add simple bio_write tests
* wrap line
| |
Users with older cryptography (and hence potentially older asn1crypto, a
transitive dependency) are seeing a serious bug on macOS Catalina due to
the way older asn1crypto loads a shared library. While this isn't a
pyOpenSSL bug, bumping this dep might prevent the bug from impacting
some users.
| |
* Fix for Python 4
* Fix for Python 4
| |
* Expose OP_NO_TLSv1_3
* Support openssl <1.1.1
| |
* Stop lawyers from emailing Hynek
* Update setup.py
| |
* Delete README
* Delete client.py
* Delete server.py
| |
* Delete README
* Delete another.invalid.crt
* Delete another.invalid.key
* Delete client.py
* Delete example.invalid.crt
* Delete example.invalid.key
* Delete server.py
| |
generate certs (#833)
| |
These don't actually cover any code.
| |
* Make test_ssl pass in an IPv6-only environment
* Review comments
* Update tests/test_ssl.py
Co-Authored-By: davidben <davidben@davidben.net>
* Wrap long line with parens.
| |
* skip NPN tests if NPN is not available
* use the right name
| |
* Deprecated NPN
* arithmetic is hard
* oops
* oops
| |
* Raise an Error with "no cipher match" even with TLS 1.3
This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString
and seamlessly work with TLS 1.3:
https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767
* Split TestContext.test_set_cipher_list_wrong_args into two tests.
| |
* Removed deprecated Type aliases
* typo
* typo
* missed this somehow
* Line wrap
| |
2566 is not a valid digest, whoops!
| |
* more infra changes
* upgrade pypy
* still run a test against 1.0.1
* we don't need this builder
* ...
| |
rtype for the following was incorrect:
X509Req.from_cryptography
X509.from_cryptography
| |
* Handle NULL bytes in get_components() values
Some old software may generate "bogus" CN with each character preceded
by a NULL.
This is already handled in commonName, but wasn't in get_components()
* review fixes (fix py3 test & avoid unpack/cast)
| |
* fix openssl CLI testing for 1.1.1
* various 1.1.1 related fixes
some of which are just admitting TLS 1.3 is fundamentally different and
pinning the tests to TLS 1.2
* flake8 fixes
* allow travis_infra env var through
* fix twisted
| |
* X509Store.add_cert no longer raises an error on duplicate cert
* move changelog entry
| |
My system apparently has larger socket buffers than this test assumes,
so it fails. (Debian 9, Linux 4.16, Python 3.7)
So let's increase the size of the buffers such that it works for me.
This was the smallest power of 2 that worked.
| |
* Added py37 to travis
* Added py37 trove classifier
* Added py37 to tox
| |
Not much point in making it otherwise.
| |
The ownership semantics of SSL_set_tlsext_status_ocsp_resp are not as
complex as the comment suggests. There's no leak or complex lifetime.
It's an ownership transfer of an OPENSSL_malloc'd buffer. The
documentation is lacking, and making the copy internally would have been
tidier (though less efficient if the OCSP response were generated by
i2d_OCSP_RESPONSE), but this sort of thing has precedent in OpenSSL's
API.
| |
See also https://github.com/pyca/cryptography/pull/4227. I suspect this
is a no-op since cffi is probably just generating its own function
stubs and every ABI makes const and non-const pointers the same. Still,
better to match things.
| |
* reopen master for 18.1
* there are four dashes