Tidy-up the ssl section.

Raymond Hettinger 2011-01-17 21:29:58 +00:00
parent 6e7f5823d0
commit 4854d14f55


@ -1040,8 +1040,7 @@ by Georg Brandl in :issue:`8046` and :issue:`1286`.)
The :class:`~ftplib.FTP_TLS` class now accepts a *context* parameter, which is a The :class:`~ftplib.FTP_TLS` class now accepts a *context* parameter, which is a
:class:`ssl.SSLContext` object allowing bundling SSL configuration options, :class:`ssl.SSLContext` object allowing bundling SSL configuration options,
certificates and private keys into a single (potentially long-lived) certificates and private keys into a single (potentially long-lived) structure.
structure.
(Contributed by Giampaolo Rodolà; :issue:`8806`.) (Contributed by Giampaolo Rodolà; :issue:`8806`.)
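Review bot: The re-wrapped :class:`~ftplib.FTP_TLS` paragraph sits above the ssl heading, outside the section the commit message names, so either mention the reflow in the message or split it into its own whitespace-only commit. The joined line "certificates and private keys into a single (potentially long-lived) structure." is 79 characters as shown here, which leaves no slack if the paragraph is indented in the file.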
@ -1134,48 +1133,44 @@ The :mod:`socket` module has two new improvements.
ssl ssl
--- ---
The :mod:`ssl` module gains an array of new functionalities which make it much easier The :mod:`ssl` module added a number of features to satisfy common requirements
to satisfy common requirements for secure (encrypted, authenticated) connections for secure (encrypted, authenticated) internet connections:
over the Internet:
* A new class, :class:`~ssl.SSLContext`, serves as a container for various * A new class, :class:`~ssl.SSLContext`, serves as a container for persistent
persistent SSL data, such as protocol settings, certificates, private keys, SSL data, such as protocol settings, certificates, private keys, and various
and various other options. The :meth:`~ssl.SSLContext.wrap_socket` method other options. It includes a :meth:`~ssl.SSLContext.wrap_socket` for creating
allows to create an SSL socket from such an SSL context. (Added by Antoine an SSL socket from an SSL context.
Pitrou; :issue:`8550`.)
* A new function, :func:`ssl.match_hostname`, helps implement server identity * A new function, :func:`ssl.match_hostname`, supports server identity
verification for higher-level protocols by implementing the rules of verification for higher-level protocols by implementing the rules of HTTPS
HTTPS (from :rfc:`2818`), which are also suitable for other protocols. (from :rfc:`2818`) which are also suitable for other protocols.
(Added by Antoine Pitrou, :issue:`1589`).
* The :func:`ssl.wrap_socket` constructor function now takes a *ciphers* * The :func:`ssl.wrap_socket` constructor function now takes a *ciphers*
argument that's a string listing the encryption algorithms to be allowed; the argument. The *ciphers* string lists the allowed encryption algorithms using
format of the string is described `in the OpenSSL documentation the format described in the `OpenSSL documentation
<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`__. (Added <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`__.
by Antoine Pitrou; :issue:`8322`.)
* When linked against a recent enough version of OpenSSL, the :mod:`ssl` * When linked against recent versions of OpenSSL, the :mod:`ssl` module now
module now supports the Server Name Indication extension to the TLS supports the Server Name Indication extension to the TLS protocol, allowing
protocol, allowing for several "virtual hosts" using different certificates multiple "virtual hosts" using different certificates on a single IP port.
on a single IP/port. This extension is only supported in client mode, This extension is only supported in client mode, and is activated by passing
and is activated by passing the *server_hostname* argument to the *server_hostname* argument to :meth:`ssl.SSLContext.wrap_socket`.
:meth:`ssl.SSLContext.wrap_socket`.
(Added by Antoine Pitrou, :issue:`5639`.)
* Various options have been added to the :mod:`ssl` module, such as * Various options have been added to the :mod:`ssl` module, such as
:data:`~ssl.OP_NO_SSLv2` which allows to force disabling of the insecure and :data:`~ssl.OP_NO_SSLv2` which disables the insecure and obsolete SSLv2
obsolete SSLv2 protocol. (Added by Antoine Pitrou; :issue:`4870`.) protocol.
* Another change makes the extension load all of OpenSSL's ciphers and digest * The extension now loads all the OpenSSL ciphers and digest algorithms. If
algorithms so that they're all available. Some SSL certificates couldn't be some SSL certificates cannot be verified, they are reported as an "unknown
verified, reporting an "unknown algorithm" error. (Reported by Beda Kosata, algorithm" error.
and fixed by Antoine Pitrou; :issue:`8484`.)
* The version of OpenSSL being used is now available as the module attributes * The version of OpenSSL being used is now accessible using the module
:data:`ssl.OPENSSL_VERSION` (a string), :data:`ssl.OPENSSL_VERSION_INFO` (a attributes :data:`ssl.OPENSSL_VERSION` (a string),
5-tuple), and :data:`ssl.OPENSSL_VERSION_NUMBER` (an integer). (Added by :data:`ssl.OPENSSL_VERSION_INFO` (a 5-tuple), and
Antoine Pitrou; :issue:`8321`.) :data:`ssl.OPENSSL_VERSION_NUMBER` (an integer).
(Contributed by Antoine Pitrou in :issue:`8850`, :issue:`1589`, :issue:`8322`,
:issue:`5639`, :issue:`4870`, :issue:`8484`, and :issue:`8321`.)
nntp nntp
---- ----
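Review bot: The rewritten bullet about loading all OpenSSL ciphers and digest algorithms changes the meaning of the text it replaces. The old wording presented the "unknown algorithm" error as the verification failure this change addresses, while "If some SSL certificates cannot be verified, they are reported as an "unknown algorithm" error." reads as a description of current behaviour. Suggest keeping the past tense and saying that loading all algorithms resolves certificates that previously failed verification with that error. In the consolidated credit line, :issue:`8850` does not match the :issue:`8550` cited by the removed SSLContext credit and looks like a transposed digit. "on a single IP port" drops the slash from "IP/port", which read as an address and port pair, and "It includes a :meth:`~ssl.SSLContext.wrap_socket` for creating" is missing the word "method". The merged credit also no longer names Beda Kosata as the reporter of :issue:`8484`.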