mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

whatsnew: remove 'draft' note, tidy up summary, collect SSLContext stuff.

Browse source 
Since Victor linked to it in a block, it seems to make sense to have
all the SSLContext changes next to each other.  I also sorted all the
SSL security enhancements next to each other in the security
enhancements summary.
This commit is contained in:
R David Murray 2014-03-13 14:36:09 -04:00
parent 9cb1ec5fb5
commit 66646e2ea4
1 changed files with 33 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

70
Doc/whatsnew/3.4.rst
View file

@ -67,11 +67,6 @@ This article explains the new features in Python 3.4, compared to 3.3.
For full details, see the For full details, see the
`changelog <http://docs.python.org/3.4/whatsnew/changelog.html>`_. `changelog <http://docs.python.org/3.4/whatsnew/changelog.html>`_.
.. note:: Prerelease users should be aware that this document is currently in
draft form. While it should be close to complete for the Python 3.4
release candidates, adjustments and additions to the document may be made
up until the final release.
.. seealso:: .. seealso::
@ -92,9 +87,9 @@ New syntax features:
New expected features for Python implementations: New expected features for Python implementations:
* :ref:`pip should always be "available" <whatsnew-pep-453>` (:pep:`453`). * :ref:`pip should always be "available" <whatsnew-pep-453>` (:pep:`453`).
* :ref:`Make newly created file descriptors non-inheritable <whatsnew-pep-446>` * :ref:`Newly created file descriptors are non-inheritable <whatsnew-pep-446>`
(:pep:`446`). (:pep:`446`).
* command line option for :ref:`isolated mode <whatsnew-isolated-mode>`, * command line option for :ref:`isolated mode <whatsnew-isolated-mode>`
(:issue:`16499`). (:issue:`16499`).
* :ref:`improvements in the handling of codecs <codec-handling-improvements>` * :ref:`improvements in the handling of codecs <codec-handling-improvements>`
that are not text encodings (multiple issues). that are not text encodings (multiple issues).
@ -145,10 +140,11 @@ Security improvements:
(:pep:`446`) to avoid leaking file descriptors to child processes. (:pep:`446`) to avoid leaking file descriptors to child processes.
* New command line option for :ref:`isolated mode <whatsnew-isolated-mode>`, * New command line option for :ref:`isolated mode <whatsnew-isolated-mode>`,
(:issue:`16499`). (:issue:`16499`).
* All modules of the standard library now support server certificate * :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork
verification including hostname matching (:func:`ssl.match_hostname`) and CRL on Unix <whatsnew-multiprocessing-no-fork>`. *spawn* and *forkserver* are
(Certificate Revocation list, see more secure because they avoid sharing data with child processes.
:func:`ssl.SSLContext.load_verify_locations`). * :mod:`multiprocessing` child processes on Windows no longer inherit
all of the parent's inheritable handles, only the necessary ones.
* A new :func:`hashlib.pbkdf2_hmac` function provides * A new :func:`hashlib.pbkdf2_hmac` function provides
the `PKCS#5 password-based key derivation function 2 the `PKCS#5 password-based key derivation function 2
<http://en.wikipedia.org/wiki/PBKDF2>`_. <http://en.wikipedia.org/wiki/PBKDF2>`_.
@ -157,18 +153,18 @@ Security improvements:
<whatsnew34-win-cert-store>` for :mod:`ssl`. <whatsnew34-win-cert-store>` for :mod:`ssl`.
* :ref:`Server-side SNI (Server Name Indication) support * :ref:`Server-side SNI (Server Name Indication) support
<whatsnew34-sni>` for :mod:`ssl`. <whatsnew34-sni>` for :mod:`ssl`.
* The :class:`ssl.SSLContext` class got a :ref:`lot of improvements * The :class:`ssl.SSLContext` class has a :ref:`lot of improvements
<whatsnew34-sslcontext>`. <whatsnew34-sslcontext>`.
* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork * All modules in the standard library that support SSL now support server
on Unix <whatsnew-multiprocessing-no-fork>`: *spawn* and *forkserver* avoid certificate verification, including hostname matching
sharing data with child processes; child processes no longer inherit all of (:func:`ssl.match_hostname`) and CRLs (Certificate Revocation lists, see
the parents inheritable handles on Windows. :func:`ssl.SSLContext.load_verify_locations`).
CPython implementation improvements: CPython implementation improvements:
* :ref:`Safe object finalization <whatsnew-pep-442>` (:pep:`442`). * :ref:`Safe object finalization <whatsnew-pep-442>` (:pep:`442`).
* Leveraging :pep:`442`, :ref:`module globals are no longer set to None * Leveraging :pep:`442`, in most cases :ref:`module globals are no longer set
during finalization <whatsnew-pep-442>`, in most cases (:issue:`18214`). to None during finalization <whatsnew-pep-442>` (:issue:`18214`).
* :ref:`Configurable memory allocators <whatsnew-pep-445>` (:pep:`445`). * :ref:`Configurable memory allocators <whatsnew-pep-445>` (:pep:`445`).
* :ref:`Argument Clinic <whatsnew-pep-436>` (:pep:`436`). * :ref:`Argument Clinic <whatsnew-pep-436>` (:pep:`436`).
@ -251,8 +247,8 @@ and :ref:`distutils-index`.
.. _whatsnew-pep-446: .. _whatsnew-pep-446:
PEP 446: Make Newly Created File Descriptors Non-Inheritable PEP 446: Newly Created File Descriptors Are Non-Inheritable
------------------------------------------------------------ -----------------------------------------------------------
:pep:`446` makes newly created file descriptors :ref:`non-inheritable :pep:`446` makes newly created file descriptors :ref:`non-inheritable
<fd_inheritance>`. New functions and methods: <fd_inheritance>`. New functions and methods:
@ -1432,23 +1428,6 @@ s), as well as a :meth:`~ssl.SSLContext.get_ca_certs` method that returns a
list of the loaded ``CA`` certificates. (Contributed by Christian Heimes in list of the loaded ``CA`` certificates. (Contributed by Christian Heimes in
and :issue:`18147`.) and :issue:`18147`.)
.. _whatsnew34-win-cert-store:
Two new windows-only functions, :func:`~ssl.enum_certificates` and
:func:`~ssl.enum_crls` provide the ability to retrieve certificates,
certificate information, and CRLs from the Windows cert store. (Contributed
by Christian Heimes in :issue:`17134`.)
.. _whatsnew34-sni:
Support for server-side SNI (Server Name Indication) using the new
:meth:`ssl.SSLContext.set_servername_callback` method.
(Contributed by Daniel Black in :issue:`8109`.)
The dictionary returned by :meth:`.SSLSocket.getpeercert` contains additional
``X509v3`` extension items: ``crlDistributionPoints``, ``calIssuers``, and
``OCSP`` URIs. (Contributed by Christian Heimes in :issue:`18379`.)
If OpenSSL 0.9.8 or later is available, :class:`~ssl.SSLContext` has an new If OpenSSL 0.9.8 or later is available, :class:`~ssl.SSLContext` has an new
attribute :attr:`~ssl.SSLContext.verify_flags` that can be used to control the attribute :attr:`~ssl.SSLContext.verify_flags` that can be used to control the
certificate verification process by setting it to some combination of the new certificate verification process by setting it to some combination of the new
@ -1474,6 +1453,23 @@ constructor, and may be adjusted in the future, without prior deprecation, if
best-practice security requirements change. (Contributed by Christian Heimes best-practice security requirements change. (Contributed by Christian Heimes
in :issue:`19689`.) in :issue:`19689`.)
.. _whatsnew34-win-cert-store:
Two new windows-only functions, :func:`~ssl.enum_certificates` and
:func:`~ssl.enum_crls` provide the ability to retrieve certificates,
certificate information, and CRLs from the Windows cert store. (Contributed
by Christian Heimes in :issue:`17134`.)
.. _whatsnew34-sni:
Support for server-side SNI (Server Name Indication) using the new
:meth:`ssl.SSLContext.set_servername_callback` method.
(Contributed by Daniel Black in :issue:`8109`.)
The dictionary returned by :meth:`.SSLSocket.getpeercert` contains additional
``X509v3`` extension items: ``crlDistributionPoints``, ``calIssuers``, and
``OCSP`` URIs. (Contributed by Christian Heimes in :issue:`18379`.)
stat stat
---- ----