| Commit message | Author | Age | Files | Lines |
| |
And also whatever supports the protocol.
Way more pythonic now!
| |
It has been a no-op (when called from an _instance_ of Binding) since 3.3
| |
* use more functions guaranteed available in cryptography 35.0
* these are also guaranteed
| |
They are a noop on 1.1.0+ and pyOpenSSL only supports 1.1.0+ now due to
cryptography versions
| |
* Expose DTLS_METHOD and friends
* Expose OP_NO_RENEGOTIATION
* Expose DTLS MTU-related functions
* Expose DTLSv1_listen and associated callbacks
* Add a basic DTLS test
* Cope with old versions of openssl/libressl
* blacken
* Soothe flake8
* Add temporary hack to skip DTLS test on old cryptography versions
* Update for cryptography v35 release
* Add changelog entry
* Fix versionadded::
* get_cleartext_mtu doesn't exist on decrepit old openssl
* Rewrite DTLS test to work around stupid OpenSSL misbehavior
* flake8 go away
* minor tidying
| |
* Check for invalid ALPN lists before calling OpenSSL, for consistency
Fixes gh-1043
* Soothe flake8
| |
* py27 going, going, gone
* black
* more black
* ok then
* forgot to remove pypy2
| |
* add Context.set_*_proto_version, fix #860
* docs: add new openssl tls methods
* accept the fact that nothing can be taken for granted
* bump minimum required cryptography version to 3.3
* drop support for Python 3.5
* use binary wheels for cryptography
* Revert "use binary wheels for cryptography"
This reverts commit 91a04c612ed1d0dd9fd541dfefe21cac7c25b1c1.
* docker ci: compile cryptography with rust
| |
Deprecated under OpenSSL 1.1
Signed-off-by: Rosen Penev <rosenp@gmail.com>
| |
* check return code of SSL_CTX_set_alpn_protos, fix #992
* paint it black!
* fix line lengths as well :upside_down_face:
| |
* Test on OpenSSL 1.1.0 w/ Debian stretch
* Make pyOpenSSL compatible with openssl 1.1.0 again
Co-authored-by: Shane Harvey <shnhrv@gmail.com>
| |
* fix a memleak
* black
| |
* Keep reference to SSL verify_call in Connection object
If a set_verify is used on a context before and after a Connection
the reference in the SSL* object still points to the old _verify_helper
object. Since this object has no longer any references to it, the
callback can result in a segfault.
This commit fixes the issues by ensuring that as long as the
Connection object/SSL* object lives a reference to the callback
function is held.
* Add Unit test for set_verify_callback deference
| |
Co-authored-by: Michael Lazar <mlazar@doctorondemand.com>
| |
* Drop CI for OpenSSL 1.0.2
* Delete code for coverage reasons
* Bump minimum cryptography version
| |
* Fixing issue #798, thanks to @reaperhulk; removing undocumented '%s' option and getting the date in a more robust way
Co-authored-by: Joseba Alberdi <j.alberdi@simuneatomistics.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
| |
* crypto._PassphraseHelper: pass non-callable passphrase using callback
Fixes #945
Before this commit, we would pass a bytes passphrase as a null terminated string.
This causes an issue when a randomly generated key's first byte is null because
OpenSSL rightly determines the key length is 0.
This commit modifies the passphrase helper to pass the passphrase via the
callback
* Update changelog to document bug fix
| |
X509StoreContext (#948)
The additional certificates provided in the new `chain` parameter will be
untrusted but may be used to build the chain.
This makes it easier to validate a certificate against a store which
contains only root ca certificates, and the intermediates come from e.g.
the same untrusted source as the certificate to be verified.
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
| |
Add X509Store.load_locations() to set a CA bundle file and/or an OpenSSL-
style hashed CA/CRL lookup directory, similar to the already existing
SSL.Context.load_verify_locations().
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
| |
Signed-off-by: Rosen Penev <rosenp@gmail.com>
| |
* Context.set_verify: allow omission of callback
* squeeze to 80 chars
* make it clear that default callback is used
| |
* Allow accessing a connection's verified certificate chain
Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain.
Add Connection.get_verified_chain using SSL_get0_verified_chain if
available (i.e. OpenSSL 1.1+) and X509StoreContext.get_verified_chain
otherwise.
Fixes #740.
* TLSv1_METHOD -> SSLv23_METHOD
* Use X509_up_ref instead of X509_dup
* Add _openssl_assert where appropriate
* SSL_get_peer_cert_chain should not be null
* Reformat with black
* Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
* Add Changelog entry
* Remove _add_chain
| |
* focal time
* larger dh params, assert on something
* urllib3 fix
* actually check an error
| |
* remove npn support entirely. you should be using alpn
* flake8
| |
* newer pypy
* missed one
* we don't support ancient cffi any more
| |
* add SSL.Context.set_keylog_callback
* don't fail on missing attribute
* lint!
* make it black
| |
* fix PKey.check for some broken keys
RSA_check_key is documented to return 1 for valid keys.
It (currently) returns 0 or -1 for invalid ones.
The previous code accepted invalid keys if RSA_check_key returns -1!
* add test
|