]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
projects / thirdparty / Python / cpython.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ea1803e) | patch
gh-107361: strengthen default SSL context flags (#112389)
authorWilliam Woodruff <william@yossarian.net>
Wed, 6 Mar 2024 21:44:58 +0000 (16:44 -0500)
committerGitHub <noreply@github.com>
Wed, 6 Mar 2024 21:44:58 +0000 (13:44 -0800)
commit0876b921b28bb14e3fa61b188e52fc9b4c77cb1a
tree62bc49024ede52d872ea9a270390bb338709b653tree | snapshot
parentea1803e608a7aaf9cf2c07e510d8540d46d3b9adcommit | diff
gh-107361: strengthen default SSL context flags (#112389)

This adds `VERIFY_X509_STRICT` to make the default
SSL context perform stricter (per RFC 5280) validation, as well
as `VERIFY_X509_PARTIAL_CHAIN` to enforce more standards-compliant
path-building behavior.

As part of this changeset, I had to tweak `make_ssl_certs.py`
slightly to emit 5280-conforming CA certs. This changeset includes
the regenerated certificates after that change.

Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Victor Stinner <vstinner@python.org>
26 files changed:
.gitattributes diff | blob | blame | history
Doc/library/ssl.rst diff | blob | blame | history
Doc/whatsnew/3.13.rst diff | blob | blame | history
Lib/ssl.py diff | blob | blame | history
Lib/test/certdata/allsans.pem diff | blob | blame | history
Lib/test/certdata/capath/b1930218.0 diff | blob | blame | history
Lib/test/certdata/capath/ceff1710.0 diff | blob | blame | history
Lib/test/certdata/idnsans.pem diff | blob | blame | history
Lib/test/certdata/keycert.passwd.pem diff | blob | blame | history
Lib/test/certdata/keycert.pem diff | blob | blame | history
Lib/test/certdata/keycert2.pem diff | blob | blame | history
Lib/test/certdata/keycert3.pem diff | blob | blame | history
Lib/test/certdata/keycert4.pem diff | blob | blame | history
Lib/test/certdata/keycertecc.pem diff | blob | blame | history
Lib/test/certdata/leaf-missing-aki.ca.pem [new file with mode: 0644] blob
Lib/test/certdata/leaf-missing-aki.keycert.pem [new file with mode: 0644] blob
Lib/test/certdata/make_ssl_certs.py diff | blob | blame | history
Lib/test/certdata/nosan.pem diff | blob | blame | history
Lib/test/certdata/pycacert.pem diff | blob | blame | history
Lib/test/certdata/pycakey.pem diff | blob | blame | history
Lib/test/certdata/revocation.crl diff | blob | blame | history
Lib/test/certdata/ssl_cert.pem diff | blob | blame | history
Lib/test/certdata/ssl_key.passwd.pem diff | blob | blame | history
Lib/test/certdata/ssl_key.pem diff | blob | blame | history
Lib/test/test_ssl.py diff | blob | blame | history
Misc/NEWS.d/next/Library/2023-11-24-23-40-00.gh-issue-107361.v54gh46.rst [new file with mode: 0644] blob
Mirror of https://github.com/python/cpython.git