Age | Commit message | Author

* Keep reference to SSL verify_call in Connection object
If a set_verify is used on a context before and after a Connection,
the reference in the SSL* object still points to the old _verify_helper
object. Since this object no longer has any references to it, the
callback can result in a segfault.
This commit fixes the issue by ensuring that as long as the
Connection object/SSL* object lives a reference to the callback
function is held.
* Add unit test for set_verify_callback dereference

* Drop CI for OpenSSL 1.0.2
* Delete code for coverage reasons
* Bump minimum cryptography version
* Context.set_verify: allow omission of callback
* squeeze to 80 chars
* make it clear that default callback is used
* Allow accessing a connection's verified certificate chain
Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain.
Add Connection.get_verified_chain using SSL_get0_verified_chain if
available (i.e. OpenSSL 1.1+) and X509StoreContext.get_verified_chain
otherwise.
Fixes #740.
* TLSv1_METHOD -> SSLv23_METHOD
* Use X509_up_ref instead of X509_dup
* Add _openssl_assert where appropriate
* SSL_get_peer_cert_chain should not be null
* Reformat with black
* Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
* Add Changelog entry
* Remove _add_chain
* focal time
* larger dh params, assert on something
* urllib3 fix
* actually check an error
* remove npn support entirely. you should be using alpn
* flake8
* simplify
* generate new certs and keys with 3072-bit RSA
* black
* add a test to avoid losing coverage
* make our CI less frustrating
* sigh, even less sensitive
* can we stop doing this on macos now?
* add SSL.Context.set_keylog_callback
* don't fail on missing attribute
* lint!
* make it black
From RFC 5280, section 4.1.2.9:
[Extensions] MUST only appear if the version is 3 (Section 4.1.2.1).
If present, this field is a SEQUENCE of one or more certificate
extensions. The format and content of certificate extensions in the
Internet PKI are defined in Section 4.2.
X509 objects default to v1, so the test certs need a set_version(2) call. (Note
v3 is encoded as 2.)
* ALPN: complete handshake without accepting a client's protocols.
The callback passed to `SSL_CTX_set_alpn_select_cb` can return
`SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without
accepting any of the client's offered protocols.
This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python
callback passed to `Context.set_alpn_select_callback` can return to
achieve the same thing.
It does not change the previous meaning of an empty string, which
still terminates the handshake.
* Update src/OpenSSL/SSL.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Address @alex's review.
* Use recorded value in test, fix lint error.
* Cover TypeError branch in _ALPNHelper.callback
* use _ffi.from_buffer(buf) in send, to support bytearray
* add bytearray test
* update CHANGELOG.rst
* move from_buffer before 'buffer too long' check
* context-managed from_buffer + black
* don't shadow buf in send()
* test return count for sendall
* test sending an array
* fix test
* also use from_buffer in bio_write
* de-format _util.py
* formatting
* add simple bio_write tests
* wrap line
* Fix for Python 4
* Fix for Python 4
These don't actually cover any code.
* Make test_ssl pass in an IPv6-only environment
* Review comments
* Update tests/test_ssl.py
Co-Authored-By: davidben <davidben@davidben.net>
* Wrap long line with parens.
* skip NPN tests if NPN is not available
* use the right name
* Raise an Error with "no cipher match" even with TLS 1.3
This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString
work seamlessly with TLS 1.3:
https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767
* Split TestContext.test_set_cipher_list_wrong_args into two tests.
* Removed deprecated Type aliases
* typo
* typo
* missed this somehow
* Line wrap
* fix openssl CLI testing for 1.1.1
* various 1.1.1 related fixes
some of which are just admitting TLS 1.3 is fundamentally different and
pinning the tests to TLS 1.2
* flake8 fixes
* allow travis_infra env var through
* fix twisted
My system apparently has larger socket buffers than this test assumes,
so it fails. (Debian 9, Linux 4.16, Python 3.7)
So let's increase the size of the buffers such that it works for me.
This was the smallest power of 2 that worked.
This makes it possible to retrieve the local certificate (if any)
for a Connection.
An example where this is useful is negotiating a DTLS-SRTP
connection, where the fingerprint of the local certificate needs to be
communicated to the remote party out-of-band via SDP.

This allows negotiating SRTP keying material, which is useful when using
DTLS-SRTP, as WebRTC does for example.
* Increase the size of RSA key used in tests for OpenSSL 1.1.1
* here too
* In test_ssl.py as well
* added method to export keying material from an ssl connection
* updated tests to use bytestrings to avoid breaking python3 tests
* added additional comments to test
* simplify export_keying_material
* add changelog
* address review feedback
* fix a memory leak and a potential UAF and also #722
* sanity check
* bump cryptography minimum version, add changelog
* Don't use "TLSv1" as a default for loopback clients/servers
* We're sticklers for spelling
* Simplify code
* dead code
* unused...
* write imports normally
* Fixed #461 -- make the tests pass when SSLv3 isn't supported
We no longer support OpenSSL 1.0.0, so TLSv1.2 should always be available and this code can be simplified.
* Try the opposite direction?
* Another shot at getting this passing
* uhhh
* grump
* try loading trusted certs from a list of fallbacks
pyca/cryptography will shortly begin shipping a wheel. Since
SSL_CTX_set_default_verify_paths uses a hardcoded path compiled into the
library, this will start failing to load the proper certificates for
users on many Linux distributions. To avoid this we can use the Go
solution of iterating over a list of potential candidates and loading
one when found.
* capath is lazily loaded so we need to do a lot more checks
This now checks to see if env vars are set as well as seeing if the
dir exists and has valid certs in it. If either of those is true (or
the number of certs is > 0) it won't load the fallback. If it does do
the fallback it will also attempt to load certs from a dir as a final
fallback.
* remove an early return
* this shouldn't be commented out
* oops
* very limited testing
* sigh, can't use these py3 exceptions of course
* expand the tests a bit
* coverage!
* don't need this now
* change the approach to use a pyca/cryptography guard value
* test fix
* older python sometimes calls itself linux2
* flake8
* add changelog
* coverage
* slash opt
* limit SSL_write bufsize to avoid OverflowErrors
* fix .send() truncation, add test
* Define the OCSPCallbackHelper.
* Define set_ocsp_status_callback function.
* Reframe this as the "server" helper.
* Add OCSP helper.
* Allow clients to request OCSP
* Some tests for OCSP.
* Don't forget to throw callback errors.
* Add changelog entry for OCSP stapling.
* Require at least cryptography 1.7
* Sorry Flake8, won't happen again.
* How does spelling work?
* Rewrite test_tsafe to be pytest-style
* Rewrite TestRevoked to be pytest-style
* Convert TestConnection to be pytest-style