mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-30 13:38:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

gh-107361: strengthen default SSL context flags (#112389)

Browse source 
This adds `VERIFY_X509_STRICT` to make the default
SSL context perform stricter (per RFC 5280) validation, as well
as `VERIFY_X509_PARTIAL_CHAIN` to enforce more standards-compliant
path-building behavior.

As part of this changeset, I had to tweak `make_ssl_certs.py`
slightly to emit 5280-conforming CA certs. This changeset includes
the regenerated certificates after that change.

Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Victor Stinner <vstinner@python.org>
This commit is contained in:
William Woodruff 2024-03-06 16:44:58 -05:00 committed by GitHub
parent ea1803e608
commit 0876b921b2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
26 changed files with 1184 additions and 1067 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Lib/test/certdata/make_ssl_certs.py
View file

@ -109,7 +109,8 @@ req_template = """
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
"""