summaryrefslogtreecommitdiff
path: root/src/OpenSSL/SSL.py
Commit message (Collapse)AuthorAgeFilesLines
* Expose X509_V_* constants (#1202)HEADmainItamar Turner-Trauring2023-04-281-0/+108
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Expose X509_V_* constants. * Switch to strategy where cryptography 40.0.2 exposes the constants. * Fix bad merge. * Fix flake. * Link to PR. * Check availability, rather than versions. * Add namespacing. * Add success code to namespace. * Fix lint. * Remove unnecessary conditional. * Update CHANGELOG.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> --------- Co-authored-by: Itamar Turner-Trauring <itamar@pythonspeed.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Add support for DTLS timeouts (#1180)Jeremy Lainé2023-02-131-0/+31
| | | | | | | | | | | | Add support for DTLS timeouts When performing a DTLS handshake, the DTLS state machine may need to be updated based on the passage of time, for instance in response to packet loss. OpenSSL supports this by means of the `DTLSv1_get_timeout` and `DTLSv1_handle_timeout` methods, both of which are included in cryptography's bindings. This change adds Python wrappers for these methods in the `Connection` class.
* Fix CI (#1185)Maximilian Hils2023-02-131-1/+0
| | | | | * Reformat code using black 23.x * fix compat with tox 4
* style cleanups from recent PR (#1159)Alex Gaynor2022-10-211-6/+3
| | | don't leave comment out code, and use append rather than += on lists
* add attributes only conditionally (#1158)Ben Greiner2022-10-221-3/+6
| | | | | * add attributes only conditionally * fix flake8
* add `Connection.use_(certificate|privatekey)` (#1121)Maximilian Hils2022-09-161-0/+32
| | | | | | | | | | | * add `Connection.use_(certificate|privatekey)` * bump minimum cryptography version * deduplicate tests * black! * max line length
* Move away from the SSLEAY name (#1144)Alex Gaynor2022-09-161-8/+16
|
* Fix docs in `SSL.Context.get_alpn_proto_negotiated` (#1137)Nikita Sobolev2022-07-231-1/+1
|
* Expose SSL_OP_IGNORE_UNEXPECTED_EOF (#1127)dreid2022-06-091-0/+6
| | | This was added to pyca/cryptography at https://github.com/pyca/cryptography/commit/0fe4583d40b0a99feecc1dc33f96fa15002b443f
* add `Connection.set_verify`, fix #255 (#1073)Maximilian Hils2022-05-131-0/+29
| | | | | | | | | | | * add `Connection.set_verify`, fix #255 * show that it works with cryptography main * Revert "show that it works with cryptography main" This reverts commit fb0136a8e5aa5d2c6e0c16f8f4ecee2f3c72a16b. * make it black
* repair CI (#1116)Paul Kehrer2022-05-111-0/+18
| | | | | | | | | | | | | | | | | | | | | * repair CI * more fixes * pypy39 requires latest cryptography * Apply suggestions from code review Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * use constant * bump minimum version * remove unneeded try * fix Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Remove SSL_library_init call (#1110)Alex Gaynor2022-03-211-5/+0
| | | | a) It's already called by initializing the Bindings in cryptography b) I'm pretty sure it's not actually necessary at all
* Implement Context constructor in terms of new OpenSSL APIs (#1109)Alex Gaynor2022-03-141-22/+14
|
* flake8-import-order (#1099)whiteowl32022-03-021-7/+6
| | | | | | | | | | | * flake8-import-order * make sure bad import orders fail * flake8-import-order * add application name to flake8 section * correct import order for openssl as application
* Don’t inherit from object (#1084)lovetox2022-01-301-4/+4
| | | In python3 all classes inherit by default from object
* Update variable name, there are now many linuxes (#1070)Alex Gaynor2021-12-241-4/+4
|
* Rename path_string to path_bytes since that's what it actually does (#1067)Alex Gaynor2021-12-201-7/+7
|
* Remove native, it's behavior is confusing (#1069)Alex Gaynor2021-12-201-2/+1
| | | Instead just decode stuff at the call-sites -- 100% of which were passing bytes
* Remove dead code (#1068)Alex Gaynor2021-12-201-7/+0
|
* remove SSL_CTX_set_ecdh_auto call (#1059)Paul Kehrer2021-11-031-6/+0
| | | | They are a noop on 1.1.0+ and pyOpenSSL only supports 1.1.0+ now due to cryptography versions
* Expose some DTLS-related features (#1026)Nathaniel J. Smith2021-11-021-1/+134
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Expose DTLS_METHOD and friends * Expose OP_NO_RENEGOTIATION * Expose DTLS MTU-related functions * Expose DTLSv1_listen and associated callbacks * Add a basic DTLS test * Cope with old versions of openssl/libressl * blacken * Soothe flake8 * Add temporary hack to skip DTLS test on old cryptography versions * Update for cryptography v35 release * Add changelog entry * Fix versionadded:: * get_cleartext_mtu doesn't exist on decrepit old openssl * Rewrite DTLS test to work around stupid OpenSSL misbehavior * flake8 go away * minor tidying
* Check for invalid ALPN lists before calling OpenSSL, for consistency (#1056)Nathaniel J. Smith2021-10-271-0/+12
| | | | | | | * Check for invalid ALPN lists before calling OpenSSL, for consistency Fixes gh-1043 * Soothe flake8
* py27 going, going, gone (#1047)Paul Kehrer2021-10-041-19/+17
| | | | | | | | | | | * py27 going, going, gone * black * more black * ok then * forgot to remove pypy2
* add `NO_OVERLAPPING_PROTOCOLS` to `__all__` (#1025)Maximilian Hils2021-06-301-0/+1
|
* Add SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version bindings (#985)Maximilian Hils2021-03-101-2/+58
| | | | | | | | | | | | | | | | | | | * add Context.set_*_proto_version, fix #860 * docs: add new openssl tls methods * accept the fact that nothing can be taken for granted * bump minimum required cryptography version to 3.3 * drop support for Python 3.5 * use binary wheels for cryptography * Revert "use binary wheels for cryptography" This reverts commit 91a04c612ed1d0dd9fd541dfefe21cac7c25b1c1. * docker ci: compile cryptography with rust
* Check return code of SSL_[CTX_]set_alpn_protos (#993)Maximilian Hils2021-02-171-2/+19
| | | | | | | * check return code of SSL_CTX_set_alpn_protos, fix #992 * paint it black! * fix line lengths as well :upside_down_face:
* cleanup from_buffer now that we just use cffi natively (#989)masterAlex Gaynor2021-01-161-4/+3
|
* Fix for running on OpenSSL 1.1.0 + CI (#978)Alex Gaynor2020-12-141-1/+4
| | | | | | | * Test on OpenSSL 1.1.0 w/ Debian stretch * Make pyOpenSSL compatible with openssl 1.1.0 again Co-authored-by: Shane Harvey <shnhrv@gmail.com>
* Keep reference to SSL verify_call in Connection object (#956)Arne Schwabe2020-11-271-0/+6
| | | | | | | | | | | | | | * Keep reference to SSL verify_call in Connection object If a set_verify is used on a context before and after a Connection the reference in the SSL* object still points to the old _verify_helper object. Since this object has no longer any references to it, the callback can result in a segfault. This commit fixes the issues by ensuring that as long as the Connection object/SSL* object lives a reference to the callback function is held. * Add Unit test for set_verify_callback deference
* Fix spelling of set in set_verify docstring (#959)Arne Schwabe2020-11-131-2/+2
|
* Drop CI for OpenSSL 1.0.2 (#953)Alex Gaynor2020-10-261-39/+6
| | | | | | | * Drop CI for OpenSSL 1.0.2 * Delete code for coverage reasons * Bump minimum cryptography version
* I'm back in black (#941)Alex Gaynor2020-08-261-4/+5
|
* Context.set_verify: allow omission of callback (#933)Maximilian Hils2020-08-071-11/+17
| | | | | | | * Context.set_verify: allow omission of callback * squeeze to 80 chars * make it clear that default callback is used
* Allow accessing a connection's verfied certificate chain (#894)Shane Harvey2020-08-051-7/+54
| | | | | | | | | | | | | | | | | | | | | | | | | * Allow accessing a connection's verfied certificate chain Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain. Add Connection.get_verified_chain using SSL_get0_verified_chain if available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain otherwise. Fixes #740. * TLSv1_METHOD -> SSLv23_METHOD * Use X509_up_ref instead of X509_dup * Add _openssl_assert where appropriate * SSL_get_peer_cert_chain should not be null * Reformat with black * Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0> * Add Changelog entry * Remove _add_chain
* focal time (#929)Paul Kehrer2020-08-051-1/+2
| | | | | | | | | * focal time * larger dh params, assert on something * urllib3 fix * actually check an error
* remove npn support entirely. you should be using alpn (#932)Paul Kehrer2020-08-031-180/+0
| | | | | * remove npn support entirely. you should be using alpn * flake8
* Add SSL.Context.set_keylog_callback (#910)Maximilian Hils2020-07-281-0/+31
| | | | | | | | | * add SSL.Context.set_keylog_callback * don't fail on missing attribute * lint! * make it black
* Paint it Black by the Rolling Stones (#920)Alex Gaynor2020-07-231-161/+196
|
* Drop OpenSSL 1.0.1 (#908)Alex Gaynor2020-04-071-10/+6
|
* Remove asserts (#904)Adrián Chaves2020-03-311-3/+3
|
* Random cleanup around our usage of binary_type (#879)Alex Gaynor2019-11-181-5/+3
|
* ALPN: complete handshake without accepting a client's protocols. (#876)Mark Williams2019-11-181-10/+25
| | | | | | | | | | | | | | | | | | | | | | | | | * ALPN: complete handshake without accepting a client's protocols. The callback passed to `SSL_CTX_set_alpn_select_cb` can return `SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without accepting any of the client's offered protocols. This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python callback passed to `Context.set_alpn_select_callback` can return to achieve the same thing. It does not change the previous meaning of an empty string, which still terminates the handshake. * Update src/OpenSSL/SSL.py Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com> * Address @alex's review. * Use recorded value in test, fix lint error. * Cover TypeError branch in _ALPNHelper.callback
* use _ffi.from_buffer() to support bytearray (#852)Daniel Holth2019-11-181-37/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * use _ffi.from_buffer(buf) in send, to support bytearray * add bytearray test * update CHANGELOG.rst * move from_buffer before 'buffer too long' check * context-managed from_buffer + black * don't shadow buf in send() * test return count for sendall * test sending an array * fix test * also use from_buffer in bio_write * de-format _util.py * formatting * add simple bio_write tests * wrap line
* Expose OP_NO_TLSv1_3 (#861)Nathaniel J. Smith2019-08-021-0/+5
| | | | | | * Expose OP_NO_TLSv1_3 * Support openssl <1.1.1
* Update SSL.py docstring (#849)Daniel Holth2019-07-051-1/+1
|
* OpenSSL always has SNI (#821)Alex Gaynor2019-02-221-8/+0
|
* Deprecated NPN (#820)Alex Gaynor2019-02-221-0/+9
| | | | | | | | | | * Deprecated NPN * arithmetic is hard * oops * oops
* Raise an Error with "no cipher match" even with TLS 1.3 (#818)Mark Williams2019-02-141-3/+12
| | | | | | | | | | | * Raise an Error with "no cipher match" even with TLS 1.3 This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString and seamlessly work with TLS 1.3: https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767 * Split TestContext.test_set_cipher_list_wrong_args into two tests.
* Removed deprecated Type aliases (#814)Alex Gaynor2019-02-071-14/+0
| | | | | | | | | | | | * Removed deprecated Type aliases * typo * typo * missed this somehow * Line wrap
* Hypothetically fixes pyOpenSSL tests (#805)Paul Kehrer2019-01-211-0/+13
| | | | | | | | | | | | | | | * fix openssl CLI testing for 1.1.1 * various 1.1.1 related fixes some of which are just admitting TLS 1.3 is fundamentally different and pinning the tests to TLS 1.2 * flake8 fixes * allow travis_infra env var through * fix twisted
View Lorry Controller Status