In the future the ssl module will require at least OpenSSL 1.0.2 or
1.1.0.
+.. versionchanged:: 3.10
+
+ :pep:`644` has been implemented. The ssl module requires OpenSSL 1.1.1
+ or newer.
+
Functions, Constants, and Exceptions
------------------------------------
:func:`ssl.RAND_egd` and :func:`ssl.RAND_add` to increase the randomness of
the pseudo-random number generator.
-.. function:: RAND_egd(path)
-
- If you are running an entropy-gathering daemon (EGD) somewhere, and *path*
- is the pathname of a socket connection open to it, this will read 256 bytes
- of randomness from the socket, and add it to the SSL pseudo-random number
- generator to increase the security of generated secret keys. This is
- typically only necessary on systems without better sources of randomness.
-
- See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources
- of entropy-gathering daemons.
-
- .. availability:: not available with LibreSSL and OpenSSL > 1.1.0.
-
.. function:: RAND_add(bytes, entropy)
Mix the given *bytes* into the SSL pseudo-random number generator. The
Disable compression on the SSL channel. This is useful if the application
protocol supports its own compression scheme.
- This option is only available with OpenSSL 1.0.0 and later.
-
.. versionadded:: 3.3
.. class:: Options
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
- >>> ctx.get_ciphers() # OpenSSL 1.0.x
- [{'alg_bits': 256,
- 'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA '
- 'Enc=AESGCM(256) Mac=AEAD',
- 'id': 50380848,
- 'name': 'ECDHE-RSA-AES256-GCM-SHA384',
- 'protocol': 'TLSv1/SSLv3',
- 'strength_bits': 256},
- {'alg_bits': 128,
- 'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA '
- 'Enc=AESGCM(128) Mac=AEAD',
- 'id': 50380847,
- 'name': 'ECDHE-RSA-AES128-GCM-SHA256',
- 'protocol': 'TLSv1/SSLv3',
- 'strength_bits': 128}]
-
- On OpenSSL 1.1 and newer the cipher dict contains additional fields::
-
- >>> ctx.get_ciphers() # OpenSSL 1.1+
+ >>> ctx.get_ciphers()
[{'aead': True,
'alg_bits': 256,
'auth': 'auth-rsa',
'strength_bits': 128,
'symmetric': 'aes-128-gcm'}]
- .. availability:: OpenSSL 1.0.2+.
-
.. versionadded:: 3.6
.. method:: SSLContext.set_default_verify_paths()
when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
give the currently selected cipher.
- OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
- cannot be disabled with :meth:`~SSLContext.set_ciphers`.
+ TLS 1.3 cipher suites cannot be disabled with
+ :meth:`~SSLContext.set_ciphers`.
.. method:: SSLContext.set_alpn_protocols(protocols)
This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is
``False``.
- OpenSSL 1.1.0 to 1.1.0e will abort the handshake and raise :exc:`SSLError`
- when both sides support ALPN but cannot agree on a protocol. 1.1.0f+
- behaves like 1.0.2, :meth:`SSLSocket.selected_alpn_protocol` returns None.
-
.. versionadded:: 3.5
.. method:: SSLContext.set_npn_protocols(protocols)
.. method:: SSLContext.session_stats()
Get statistics about the SSL sessions created or managed by this context.
- A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_sess_number.html>`_ to their
+ A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.1/ssl/SSL_CTX_sess_number.html>`_ to their
numeric values. For example, here is the total number of hits and misses
in the session cache since the context was created::
:attr:`~SSLContext.verify_mode` is :data:`CERT_NONE`. Previously
the same operation would have failed with a :exc:`ValueError`.
- .. note::
-
- This features requires OpenSSL 0.9.8f or newer.
-
.. attribute:: SSLContext.keylog_filename
Write TLS keys to a keylog file, whenever key material is generated or
.. versionadded:: 3.8
- .. note::
-
- This features requires OpenSSL 1.1.1 or newer.
-
.. attribute:: SSLContext.maximum_version
A :class:`TLSVersion` enum member representing the highest supported
:attr:`~SSLContext.maximum_version` set to :attr:`TLSVersion.TLSv1_2`
will not be able to establish a TLS 1.2 connection.
- .. note::
-
- This attribute is not available unless the ssl module is compiled
- with OpenSSL 1.1.0g or newer.
-
.. versionadded:: 3.7
.. attribute:: SSLContext.minimum_version
Like :attr:`SSLContext.maximum_version` except it is the lowest
supported version or :attr:`TLSVersion.MINIMUM_SUPPORTED`.
- .. note::
-
- This attribute is not available unless the ssl module is compiled
- with OpenSSL 1.1.0g or newer.
-
.. versionadded:: 3.7
.. attribute:: SSLContext.num_tickets
:attr:`TLS_PROTOCOL_SERVER` context. The setting has no impact on TLS
1.0 to 1.2 connections.
- .. note::
-
- This attribute is not available unless the ssl module is compiled
- with OpenSSL 1.1.1 or newer.
-
.. versionadded:: 3.8
.. attribute:: SSLContext.options
The default value is :data:`OP_ALL`, but you can specify other options
such as :data:`OP_NO_SSLv2` by ORing them together.
- .. note::
- With versions of OpenSSL older than 0.9.8m, it is only possible
- to set options, not to clear them. Attempting to clear an option
- (by resetting the corresponding bits) will raise a :exc:`ValueError`.
-
.. versionchanged:: 3.6
:attr:`SSLContext.options` returns :class:`Options` flags:
:meth:`SSLSocket.verify_client_post_handshake` is called and some I/O is
performed.
- .. note::
- Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3
- support, the property value is None and can't be modified
-
.. versionadded:: 3.8
.. attribute:: SSLContext.protocol
subject common name in the absence of a subject alternative name
extension (default: true).
- .. note::
- Only writeable with OpenSSL 1.1.0 or higher.
-
.. versionadded:: 3.7
.. versionchanged:: 3.10
<https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>`_
for the context. This attribute is read-only.
- .. availability:: OpenSSL 1.1.0 or newer
-
.. versionadded:: 3.10
.. attribute:: SSLContext.verify_flags
The flags for certificate verification operations. You can set flags like
:data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL
does neither require nor verify certificate revocation lists (CRLs).
- Available only with openssl version 0.9.8+.
.. versionadded:: 3.4
.. versionadded:: 3.7
-Python has provisional and experimental support for TLS 1.3 with OpenSSL
-1.1.1. The new protocol behaves slightly differently than previous version
-of TLS/SSL. Some new TLS 1.3 features are not yet available.
+The TLS 1.3 protocol behaves slightly differently than previous version
+of TLS/SSL. Some new TLS 1.3 features are not yet available.
- TLS 1.3 uses a disjunct set of cipher suites. All AES-GCM and
ChaCha20 cipher suites are enabled by default. The method
signature algorithm configuration, and rekeying are not supported yet.
-.. _ssl-libressl:
-
-LibreSSL support
-----------------
-
-LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for
-LibreSSL. Some features are not available when the ssl module is compiled
-with LibreSSL.
-
-* LibreSSL >= 2.6.1 no longer supports NPN. The methods
- :meth:`SSLContext.set_npn_protocols` and
- :meth:`SSLSocket.selected_npn_protocol` are not available.
-* :meth:`SSLContext.set_default_verify_paths` ignores the env vars
- :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_PATH` although
- :func:`get_default_verify_paths` still reports them.
-
-
.. seealso::
Class :class:`socket.socket`
return _ssl_RAND_status_impl(module);
}
-#if !defined(OPENSSL_NO_EGD)
-
-PyDoc_STRVAR(_ssl_RAND_egd__doc__,
-"RAND_egd($module, path, /)\n"
-"--\n"
-"\n"
-"Queries the entropy gather daemon (EGD) on the socket named by \'path\'.\n"
-"\n"
-"Returns number of bytes read. Raises SSLError if connection to EGD\n"
-"fails or if it does not provide enough data to seed PRNG.");
-
-#define _SSL_RAND_EGD_METHODDEF \
- {"RAND_egd", (PyCFunction)_ssl_RAND_egd, METH_O, _ssl_RAND_egd__doc__},
-
-static PyObject *
-_ssl_RAND_egd_impl(PyObject *module, PyObject *path);
-
-static PyObject *
-_ssl_RAND_egd(PyObject *module, PyObject *arg)
-{
- PyObject *return_value = NULL;
- PyObject *path;
-
- if (!PyUnicode_FSConverter(arg, &path)) {
- goto exit;
- }
- return_value = _ssl_RAND_egd_impl(module, path);
-
-exit:
- return return_value;
-}
-
-#endif /* !defined(OPENSSL_NO_EGD) */
-
PyDoc_STRVAR(_ssl_get_default_verify_paths__doc__,
"get_default_verify_paths($module, /)\n"
"--\n"
#endif /* defined(_MSC_VER) */
-#ifndef _SSL_RAND_EGD_METHODDEF
- #define _SSL_RAND_EGD_METHODDEF
-#endif /* !defined(_SSL_RAND_EGD_METHODDEF) */
-
#ifndef _SSL_ENUM_CERTIFICATES_METHODDEF
#define _SSL_ENUM_CERTIFICATES_METHODDEF
#endif /* !defined(_SSL_ENUM_CERTIFICATES_METHODDEF) */
#ifndef _SSL_ENUM_CRLS_METHODDEF
#define _SSL_ENUM_CRLS_METHODDEF
#endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
-/*[clinic end generated code: output=9468e58904a565a2 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=ae3d1851daba6562 input=a9049054013a1b77]*/
projects / thirdparty / Python / cpython.git / commitdiff
