mirror of
https://github.com/python/cpython.git
synced 2025-09-26 18:29:57 +00:00
whatsnew: remove 'draft' note, tidy up summary, collect SSLContext stuff.
Since Victor linked to it in a block, it seems to make sense to have all the SSLContext changes next to each other. I also sorted all the SSL security enhancements next to each other in the security enhancements summary.
parent
9cb1ec5fb5
commit
66646e2ea4
1 changed files with 33 additions and 37 deletions
|
@ -67,11 +67,6 @@ This article explains the new features in Python 3.4, compared to 3.3.
|
|||
For full details, see the
|
||||
`changelog <http://docs.python.org/3.4/whatsnew/changelog.html>`_.
|
||||
|
||||
.. note:: Prerelease users should be aware that this document is currently in
|
||||
draft form. While it should be close to complete for the Python 3.4
|
||||
release candidates, adjustments and additions to the document may be made
|
||||
up until the final release.
|
||||
|
||||
|
||||
.. seealso::
|
||||
|
||||
|
@ -92,9 +87,9 @@ New syntax features:
|
|||
New expected features for Python implementations:
|
||||
|
||||
* :ref:`pip should always be "available" <whatsnew-pep-453>` (:pep:`453`).
|
||||
* :ref:`Make newly created file descriptors non-inheritable <whatsnew-pep-446>`
|
||||
* :ref:`Newly created file descriptors are non-inheritable <whatsnew-pep-446>`
|
||||
(:pep:`446`).
|
||||
* command line option for :ref:`isolated mode <whatsnew-isolated-mode>`,
|
||||
* command line option for :ref:`isolated mode <whatsnew-isolated-mode>`
|
||||
(:issue:`16499`).
|
||||
* :ref:`improvements in the handling of codecs <codec-handling-improvements>`
|
||||
that are not text encodings (multiple issues).
|
||||
|
@ -145,10 +140,11 @@ Security improvements:
|
|||
(:pep:`446`) to avoid leaking file descriptors to child processes.
|
||||
* New command line option for :ref:`isolated mode <whatsnew-isolated-mode>`,
|
||||
(:issue:`16499`).
|
||||
* All modules of the standard library now support server certificate
|
||||
verification including hostname matching (:func:`ssl.match_hostname`) and CRL
|
||||
(Certificate Revocation list, see
|
||||
:func:`ssl.SSLContext.load_verify_locations`).
|
||||
* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork
|
||||
on Unix <whatsnew-multiprocessing-no-fork>`. *spawn* and *forkserver* are
|
||||
more secure because they avoid sharing data with child processes.
|
||||
* :mod:`multiprocessing` child processes on Windows no longer inherit
|
||||
all of the parent's inheritable handles, only the necessary ones.
|
||||
* A new :func:`hashlib.pbkdf2_hmac` function provides
|
||||
the `PKCS#5 password-based key derivation function 2
|
||||
<http://en.wikipedia.org/wiki/PBKDF2>`_.
|
||||
|
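Review bot: the isolated-mode bullet kept as context at the top of this hunk still ends in a stray comma before "(:issue:`16499`)", while the same bullet in the "New expected features" list had that comma removed in this commit; drop it here too so the two lists match. The new wording "*spawn* and *forkserver* are more secure because they avoid sharing data with child processes" would also read more precisely if it said what is no longer shared, as the replaced text's mention of inheritable handles did for the Windows case.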
@ -157,18 +153,18 @@ Security improvements:
|
|||
<whatsnew34-win-cert-store>` for :mod:`ssl`.
|
||||
* :ref:`Server-side SNI (Server Name Indication) support
|
||||
<whatsnew34-sni>` for :mod:`ssl`.
|
||||
* The :class:`ssl.SSLContext` class got a :ref:`lot of improvements
|
||||
* The :class:`ssl.SSLContext` class has a :ref:`lot of improvements
|
||||
<whatsnew34-sslcontext>`.
|
||||
* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork
|
||||
on Unix <whatsnew-multiprocessing-no-fork>`: *spawn* and *forkserver* avoid
|
||||
sharing data with child processes; child processes no longer inherit all of
|
||||
the parents inheritable handles on Windows.
|
||||
* All modules in the standard library that support SSL now support server
|
||||
certificate verification, including hostname matching
|
||||
(:func:`ssl.match_hostname`) and CRLs (Certificate Revocation lists, see
|
||||
:func:`ssl.SSLContext.load_verify_locations`).
|
||||
|
||||
CPython implementation improvements:
|
||||
|
||||
* :ref:`Safe object finalization <whatsnew-pep-442>` (:pep:`442`).
|
||||
* Leveraging :pep:`442`, :ref:`module globals are no longer set to None
|
||||
during finalization <whatsnew-pep-442>`, in most cases (:issue:`18214`).
|
||||
* Leveraging :pep:`442`, in most cases :ref:`module globals are no longer set
|
||||
to None during finalization <whatsnew-pep-442>` (:issue:`18214`).
|
||||
* :ref:`Configurable memory allocators <whatsnew-pep-445>` (:pep:`445`).
|
||||
* :ref:`Argument Clinic <whatsnew-pep-436>` (:pep:`436`).
|
||||
|
||||
|
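Review bot: the reworded SSL bullet says standard library modules "now support server certificate verification" but does not say whether verification is enabled by default or must be turned on by the caller; in a security summary that distinction matters, so state it explicitly. Minor style points in the same bullet and the one above it: "Certificate Revocation lists" should be capitalised consistently ("Certificate Revocation Lists"), and the link text "lot of improvements" would read better as "a number of improvements".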
@ -251,8 +247,8 @@ and :ref:`distutils-index`.
|
|||
|
||||
.. _whatsnew-pep-446:
|
||||
|
||||
PEP 446: Make Newly Created File Descriptors Non-Inheritable
|
||||
------------------------------------------------------------
|
||||
PEP 446: Newly Created File Descriptors Are Non-Inheritable
|
||||
-----------------------------------------------------------
|
||||
|
||||
:pep:`446` makes newly created file descriptors :ref:`non-inheritable
|
||||
<fd_inheritance>`. New functions and methods:
|
||||
|
@ -1432,23 +1428,6 @@ s), as well as a :meth:`~ssl.SSLContext.get_ca_certs` method that returns a
|
|||
list of the loaded ``CA`` certificates. (Contributed by Christian Heimes in
|
||||
and :issue:`18147`.)
|
||||
|
||||
.. _whatsnew34-win-cert-store:
|
||||
|
||||
Two new windows-only functions, :func:`~ssl.enum_certificates` and
|
||||
:func:`~ssl.enum_crls` provide the ability to retrieve certificates,
|
||||
certificate information, and CRLs from the Windows cert store. (Contributed
|
||||
by Christian Heimes in :issue:`17134`.)
|
||||
|
||||
.. _whatsnew34-sni:
|
||||
|
||||
Support for server-side SNI (Server Name Indication) using the new
|
||||
:meth:`ssl.SSLContext.set_servername_callback` method.
|
||||
(Contributed by Daniel Black in :issue:`8109`.)
|
||||
|
||||
The dictionary returned by :meth:`.SSLSocket.getpeercert` contains additional
|
||||
``X509v3`` extension items: ``crlDistributionPoints``, ``calIssuers``, and
|
||||
``OCSP`` URIs. (Contributed by Christian Heimes in :issue:`18379`.)
|
||||
|
||||
If OpenSSL 0.9.8 or later is available, :class:`~ssl.SSLContext` has an new
|
||||
attribute :attr:`~ssl.SSLContext.verify_flags` that can be used to control the
|
||||
certificate verification process by setting it to some combination of the new
|
||||
|
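Review bot: the context at the end of this hunk still reads "has an new attribute" in the verify_flags paragraph; since the commit is a tidy-up of this section, fix it to "has a new attribute" while the surrounding paragraphs are being moved.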
@ -1474,6 +1453,23 @@ constructor, and may be adjusted in the future, without prior deprecation, if
|
|||
best-practice security requirements change. (Contributed by Christian Heimes
|
||||
in :issue:`19689`.)
|
||||
|
||||
.. _whatsnew34-win-cert-store:
|
||||
|
||||
Two new windows-only functions, :func:`~ssl.enum_certificates` and
|
||||
:func:`~ssl.enum_crls` provide the ability to retrieve certificates,
|
||||
certificate information, and CRLs from the Windows cert store. (Contributed
|
||||
by Christian Heimes in :issue:`17134`.)
|
||||
|
||||
.. _whatsnew34-sni:
|
||||
|
||||
Support for server-side SNI (Server Name Indication) using the new
|
||||
:meth:`ssl.SSLContext.set_servername_callback` method.
|
||||
(Contributed by Daniel Black in :issue:`8109`.)
|
||||
|
||||
The dictionary returned by :meth:`.SSLSocket.getpeercert` contains additional
|
||||
``X509v3`` extension items: ``crlDistributionPoints``, ``calIssuers``, and
|
||||
``OCSP`` URIs. (Contributed by Christian Heimes in :issue:`18379`.)
|
||||
|
||||
|
||||
stat
|
||||
----
|
||||
|
|
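Review bot: the getpeercert paragraph is re-added with the extension name spelled ``calIssuers``; the key in the returned dictionary is ``caIssuers``, so correct the spelling as part of the move rather than carrying the typo to the new location. In the same block, "windows-only" should be capitalised as "Windows-only", and the SNI paragraph is a sentence fragment ("Support for server-side SNI ... using the new ... method.") that needs a verb.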