| Commit message | Author | Age | Files | Lines |
|
* Fix for Python 4
* Fix for Python 4
|
These don't actually cover any code.
|
* Make test_ssl pass in an IPv6-only environment
* Review comments
* Update tests/test_ssl.py
Co-Authored-By: davidben <davidben@davidben.net>
* Wrap long line with parens.
|
* skip NPN tests if NPN is not available
* use the right name
|
* Raise an Error with "no cipher match" even with TLS 1.3
This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString
and seamlessly work with TLS 1.3:
https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767
* Split TestContext.test_set_cipher_list_wrong_args into two tests.
|
* Removed deprecated Type aliases
* typo
* typo
* missed this somehow
* Line wrap
|
* Handle NULL bytes in get_components() values
Some old software may generate "bogus" CN with each character preceded
by a NULL.
This is already handled in commonName, but wasn't in get_components()
* review fixes (fix py3 test & avoid unpack/cast)
|
* fix openssl CLI testing for 1.1.1
* various 1.1.1 related fixes
some of which are just admitting TLS 1.3 is fundamentally different and
pinning the tests to TLS 1.2
* flake8 fixes
* allow travis_infra env var through
* fix twisted
|
* X509Store.add_cert no longer raises an error on duplicate cert
* move changelog entry
|
My system apparently has larger socket buffers than this test assumes,
so it fails. (Debian 9, Linux 4.16, Python 3.7)
So let's increase the size of the buffers such that it works for me.
This was the smallest power of 2 that worked.
|
This makes it possible to retrieve the local certificate (if any)
for a Connection.
An example where this is useful is when negotiating a DTLS-SRTP
connection, the fingerprint of the local certificate needs to be
communicated to the remote party out-of-band via SDP.
|
This allows negotiating SRTP keying material, which is useful when using
DTLS-SRTP, as WebRTC does for example.
|
* Increase the size of RSA key used in tests for OpenSSL 1.1.1
* here too
* In test_ssl.py as well
|
* added method to export keying material from an ssl connection
* updated tests to use bytestrings to avoid breaking python3 tests
* added additional comments to test
* simplify export_keying_material
* add changelog
* address review feedback
|
* fix a memory leak and a potential UAF and also #722
* sanity check
* bump cryptography minimum version, add changelog
|
* restore a subset of the rand module
* flake
* remove cleanup, go ahead and assume status will always be 1
* lighten and add power
|
* fix errors with latest flake8
* Also fix the macOS builds
* fix?
* allow urllib3 to fail for now
|
* Don't use "TLSv1" as a default for loopback clients/servers
* We're sticklers for spelling
|
* Simplify test code
* fix
|
* Write a test - signatures with EC keys (#609)
* Ask for signature length before allocating a buffer.
This fixes a potential heap buffer overflow that may happen when a signature
is longer than the private key, as with X9.62 ECDSA (#609).
* change approach to EVP_PKEY_size and add changelog
* add a small assert
|
* Fixed #266 -- attempt to deflake our tests
* typo
|
* Fixed #657 -- handle OverflowErrors on large allocation requests
* always be overflowing
|
* Removed the deprecated md5 default on CRL.export()
* Doh
* unused import
* fixed tests
* last one
* py3k!!!!!
|
* Simplify code
* dead code
* unused...
* write imports normally
|
* Fixed #461 -- make the tests pass when SSLv3 isn't supported
We no longer support OpenSSL 1.0.0, so TLSv1.2 should always be available and this code can be simplified.
* Try the opposite direction?
* Another shot at getting this passing
* uhhh
* grump
|
* try loading trusted certs from a list of fallbacks
pyca/cryptography will shortly begin shipping a wheel. Since
SSL_CTX_set_default_verify_paths uses a hardcoded path compiled into the
library, this will start failing to load the proper certificates for
users on many Linux distributions. To avoid this we can use the Go
solution of iterating over a list of potential candidates and loading
it when found.
* capath is lazy loaded so we need to do a lot more checks
This now checks to see if env vars are set as well as seeing if the
dir exists and has valid certs in it. If either of those are true (or
the number of certs is > 0) it won't load the fallback. If it does do
the fallback it will also attempt to load certs from a dir as a final
fallback
* remove an early return
* this shouldn't be commented out
* oops
* very limited testing
* sigh, can't use these py3 exceptions of course
* expand the tests a bit
* coverage!
* don't need this now
* change the approach to use a pyca/cryptography guard value
* test fix
* older python sometimes calls itself linux2
* flake8
* add changelog
* coverage
* slash opt
|
* dump_privatekey with FILETYPE_TEXT only supports RSA keys
FILETYPE_TEXT is terrible but everyone hold their nose
* also verify it's a pkey
|
* add to_cryptography/from_cryptography on CRL and X509Req
* add changelog entry
|
* Added an API for converting X509 to/from cryptography
* changelog
|
* the root cert expired, make a new one (using the same values)
The new one lasts 20 years. If this project is still in use in 20 years
we have failed.
* this is the same cert. wtf
* replace the other certs we need to replace...
* this too
|
* Drop the deprecated rand.egd function
* Removed egd tests
* Removed egd docs
* Document the removal
* unused imports
* Update CHANGELOG.rst
|
* Add an informative __main__.py
Give users an easy way to figure out what versions they're running.
* Why not more info!
* Add test
* No empty last line
* Make @alex happy
* DIAF Python 2.6
* Add cffi's version
* Make debug a module
* Add cryptography's compile-time OpenSSL
|
* limit SSL_write bufsize to avoid OverflowErrors
* fix .send() truncation, add test
|