Since version 3.10, CPython requires OpenSSL 1.1.1 or higher.
Therefore, support for keylogging can be assumed.
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
*cadata* is given) or uses :meth:`SSLContext.load_default_certs` to load
default CA certificates.
- When :attr:`~SSLContext.keylog_filename` is supported and the environment
- variable :envvar:`SSLKEYLOGFILE` is set, :func:`create_default_context`
- enables key logging.
+ When the environment variable :envvar:`!SSLKEYLOGFILE` is set,
+ :func:`create_default_context` enables key logging by setting
+ :attr:`~SSLContext.keylog_filename` to the variable's value.
The default settings for this context include
:data:`VERIFY_X509_PARTIAL_CHAIN` and :data:`VERIFY_X509_STRICT`.
# root CA certificates for the given purpose. This may fail silently.
context.load_default_certs(purpose)
# OpenSSL 1.1.1 keylog file
- if hasattr(context, 'keylog_filename'):
- keylogfile = os.environ.get('SSLKEYLOGFILE')
- if keylogfile and not sys.flags.ignore_environment:
- context.keylog_filename = keylogfile
+ keylogfile = os.environ.get('SSLKEYLOGFILE')
+ if keylogfile and not sys.flags.ignore_environment:
+ context.keylog_filename = keylogfile
return context
def _create_unverified_context(protocol=None, *, cert_reqs=CERT_NONE,
# root CA certificates for the given purpose. This may fail silently.
context.load_default_certs(purpose)
# OpenSSL 1.1.1 keylog file
- if hasattr(context, 'keylog_filename'):
- keylogfile = os.environ.get('SSLKEYLOGFILE')
- if keylogfile and not sys.flags.ignore_environment:
- context.keylog_filename = keylogfile
+ keylogfile = os.environ.get('SSLKEYLOGFILE')
+ if keylogfile and not sys.flags.ignore_environment:
+ context.keylog_filename = keylogfile
return context
# Used by http.client if no context is explicitly passed.
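Review bot: The comment `# OpenSSL 1.1.1 keylog file` is kept above the now-unconditional block, here and again in `_create_unverified_context`, but it no longer explains anything. Neither copy says that the file named by `SSLKEYLOGFILE` receives TLS session secrets. I would replace it in both places with `# SSLKEYLOGFILE: log TLS secrets to this path for debugging; ignored under -E/-I.` The three lines that follow are identical in the two functions, so a small private helper taking `context` would keep them from drifting apart. Both function bodies start outside the visible lines, so this is judged from the tail of each function only.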
CAN_GET_SELECTED_OPENSSL_SIGALG = ssl.OPENSSL_VERSION_INFO >= (3, 5)
PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
-HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
-requires_keylog = unittest.skipUnless(
- HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
-CAN_SET_KEYLOG = HAS_KEYLOG and os.name != "nt"
+CAN_SET_KEYLOG = (os.name != "nt")
requires_keylog_setter = unittest.skipUnless(
CAN_SET_KEYLOG,
"cannot set 'keylog_filename' on Windows"
with open(fname) as f:
return len(list(f))
- @requires_keylog
def test_keylog_defaults(self):
self.addCleanup(os_helper.unlink, os_helper.TESTFN)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
with self.assertRaises(TypeError):
ctx.keylog_filename = 1
- @requires_keylog
def test_keylog_filename(self):
self.addCleanup(os_helper.unlink, os_helper.TESTFN)
client_context, server_context, hostname = testing_context()
client_context.keylog_filename = None
server_context.keylog_filename = None
- @requires_keylog
@unittest.skipIf(sys.flags.ignore_environment,
"test is not compatible with ignore_environment")
def test_keylog_env(self):
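Review bot: `CAN_SET_KEYLOG = (os.name != "nt")` keeps the skip reason "cannot set 'keylog_filename' on Windows", which sits oddly with a commit that assumes keylog support everywhere. The ssl.py change now assigns the attribute on every platform whenever `SSLKEYLOGFILE` is set. If the setter really is unusable on Windows (the cause is not visible here), `create_default_context()` would presumably hit the same failure with that variable set. A comment above the constant should state the actual limitation, e.g. `# <why the setter is unusable on Windows; reference the tracking issue>`. The parentheses around the comparison are also unnecessary.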
--- /dev/null
+Unconditionally assume :attr:`ssl.SSLContext.keylog_filename` exists.