Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.
After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
Until now Python used a hard coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python did neither benefit from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.
Python now defaults to OpenSSL DEFAULT cipher suite selection and black
lists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.
Signed-off-by: Christian Heimes <christian@python.org>
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
DER_cert_to_PEM_cert() used textwrap.fill() to format PEM.
But it's library to wrap lines on word boundary, while PEM is
base64 encoded string.
Additionally, importing textwrap is little slow.
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and
SSLSocket as return types. In the light of future deprecation of
ssl.wrap_socket() module function and direct instantiation of SSLSocket,
it is desirable to make the return type of SSLSocket.wrap_bio() and
SSLSocket.wrap_socket() customizable.
Signed-off-by: Christian Heimes <christian@python.org>
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.
Original patch by Chi Hsuan Yen
Signed-off-by: Christian Heimes <christian@python.org>
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.
Signed-off-by: Christian Heimes <christian@python.org>
* bpo-27340: Use memoryview in SSLSocket.sendall()
SSLSocket.sendall() now uses memoryview to create slices of data. This fix
support for all bytes-like object. It is also more efficient and avoids
costly copies.
Signed-off-by: Christian Heimes <christian@python.org>
* Cast view to bytes, fix typo
Signed-off-by: Christian Heimes <christian@python.org>
The deprecation include manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.
ssl.wrap_socket() is not marked as deprecated yet.
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
add private method to enum to support replacing global constants with Enum members:
- search for candidate constants via supplied filter
- create new enum class and members
- insert enum class and replace constants with members via supplied module name
- replace __reduce_ex__ with function that returns member name, so previous Python versions can unpickle
modify IntEnum classes to use new method
ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum
compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is
disabled.
Closes#21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
Closes#20995 by Enabling better security by prioritizing ciphers
such that:
* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
reasons
Christian Heimes
Mads Jensen
Mandeep Singh
INADA Naoki
Steve Dower
Martin Panter
Ethan Furman
Benjamin Peterson
Antoine Pitrou
Victor Stinner
Berker Peksag
Giampaolo Rodola'
Donald Stufft