From: Benjamin Peterson <benjamin@python.org>
Date: Thu, 5 Mar 2015 03:49:41 +0000 (-0500)
Subject: expose X509_V_FLAG_TRUSTED_FIRST
X-Git-Tag: v2.7.10rc1~144
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=72ef9610593bfee5f504f9070482a265ac5eac69;p=thirdparty%2FPython%2Fcpython.git

expose X509_V_FLAG_TRUSTED_FIRST
---

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index b261eee93297..d328c2bad68f 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -482,9 +482,9 @@ Constants
 
 .. data:: VERIFY_DEFAULT
 
-   Possible value for :attr:`SSLContext.verify_flags`. In this mode,
-   certificate revocation lists (CRLs) are not checked. By default OpenSSL
-   does neither require nor verify CRLs.
+   Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
+   revocation lists (CRLs) are not checked. By default OpenSSL does neither
+   require nor verify CRLs.
 
    .. versionadded:: 2.7.9
 
@@ -512,6 +512,14 @@ Constants
 
    .. versionadded:: 2.7.9
 
+.. data:: VERIFY_X509_TRUSTED_FIRST
+
+   Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+   prefer trusted certificates when building the trust chain to validate a
+   certificate. This flag is enabled by default.
+
+   .. versionadded:: 2.7.10
+
 .. data:: PROTOCOL_SSLv23
 
    Selects the highest protocol version that both the client and server support.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index e9e80ee9ced3..b2d57cf87478 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -749,8 +749,9 @@ class ContextTests(unittest.TestCase):
                          "verify_flags need OpenSSL > 0.9.8")
     def test_verify_flags(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-        # default value by OpenSSL
-        self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
+        # default value
+        tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+        self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
         self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 309d00bf783c..8515c0fd1191 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4052,6 +4052,10 @@ init_ssl(void)
                             X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
     PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
                             X509_V_FLAG_X509_STRICT);
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
+                            X509_V_FLAG_TRUSTED_FIRST);
+#endif
 
     /* Alert Descriptions from ssl.h */
     /* note RESERVED constants no longer intended for use have been removed */