bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)
authorl0x <37248016+l0x-c0d3z@users.noreply.github.com>
Mon, 19 Apr 2021 11:51:18 +0000 (13:51 +0200)
committerGitHub <noreply@github.com>
Mon, 19 Apr 2021 11:51:18 +0000 (04:51 -0700)
This short PR exposes an OpenSSL flag that wasn't previously exposed. I've also updated the docs to reflect the change. It's heavily inspired by 990fcaac3c428569697f62a80fd95ab4d4b93151.

Doc/library/ssl.rst
Misc/ACKS
Misc/NEWS.d/next/Library/2020-06-02-21-32-33.bpo-40849.zpeKx3.rst [new file with mode: 0644]
Modules/_ssl.c

index c954d9c8febb01960d68cbc3c66091cd7a2389b1..b9e54357bb96909c21fe5688ee7ba291b821a7c8 100644 (file)
@@ -650,6 +650,17 @@ Constants
 
    .. versionadded:: 3.4.4
 
+.. data:: VERIFY_X509_PARTIAL_CHAIN
+
+   Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+   accept intermediate CAs in the trust store to be treated as trust-anchors,
+   in the same way as the self-signed root CA certificates. This makes it
+   possible to trust certificates issued by an intermediate CA without having
+   to trust its ancestor root CA.
+
+   .. versionadded:: 3.10
+
+
 .. class:: VerifyFlags
 
    :class:`enum.IntFlag` collection of VERIFY_* constants.
index 1eeae0caef50a16a7cb6b24ab2ba321a6848dd7d..e394ea6802fbe298e6591b34f9e540849a7efa15 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -157,6 +157,7 @@ Michel Van den Bergh
 Julian Berman
 Brice Berna
 Olivier Bernard
+Vivien Bernet-Rollande
 Maxwell Bernstein
 Eric Beser
 Steven Bethard
diff --git a/Misc/NEWS.d/next/Library/2020-06-02-21-32-33.bpo-40849.zpeKx3.rst b/Misc/NEWS.d/next/Library/2020-06-02-21-32-33.bpo-40849.zpeKx3.rst
new file mode 100644 (file)
index 0000000..032a65d
--- /dev/null
@@ -0,0 +1 @@
+Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag
index 934c59e26d2d4559016870df23f557c396f27f66..4b84014d008c12983c0dd2cb58a2bee864240e2d 100644 (file)
@@ -5630,6 +5630,11 @@ sslmodule_init_constants(PyObject *m)
     PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
                             X509_V_FLAG_TRUSTED_FIRST);
 
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+    PyModule_AddIntConstant(m, "VERIFY_X509_PARTIAL_CHAIN",
+                            X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
     /* Alert Descriptions from ssl.h */
     /* note RESERVED constants no longer intended for use have been removed */
     /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */
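Review bot: The `#ifdef X509_V_FLAG_PARTIAL_CHAIN` guard leaves `ssl.VERIFY_X509_PARTIAL_CHAIN` undefined when the TLS library headers lack the macro, and nothing next to the guard says so or explains what the flag changes. I would add a comment above the `#ifdef`, for example `/* Optional: not every libssl defines this. When set, any certificate in the trust store is accepted as a trust anchor, not only self-signed roots. */`, so that callers know to probe with `hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN")` and maintainers see that the flag widens the set of trust anchors. The new `PyModule_AddIntConstant` call also discards its return value, as the preceding `VERIFY_X509_TRUSTED_FIRST` call does, so a failed registration would go unnoticed. The body of `sslmodule_init_constants` starts and ends outside this hunk, so whether errors are collected elsewhere cannot be seen from here.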