			
		
		
		
	expose X509_V_FLAG_TRUSTED_FIRST
		
							parent
							
								
									fdb1971587
								
							
						
					
					
						commit
						990fcaac3c
					
				
					 3 changed files with 18 additions and 5 deletions
				
			
		| 
						 | 
					@ -499,9 +499,9 @@ Constants
 | 
				
			||||||
 | 
					
 | 
				
			||||||
.. data:: VERIFY_DEFAULT
 | 
					.. data:: VERIFY_DEFAULT
 | 
				
			||||||
 | 
					
 | 
				
			||||||
   Possible value for :attr:`SSLContext.verify_flags`. In this mode,
 | 
					   Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
 | 
				
			||||||
   certificate revocation lists (CRLs) are not checked. By default OpenSSL
 | 
					   revocation lists (CRLs) are not checked. By default OpenSSL does neither
 | 
				
			||||||
   does neither require nor verify CRLs.
 | 
					   require nor verify CRLs.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
   .. versionadded:: 3.4
 | 
					   .. versionadded:: 3.4
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -529,6 +529,14 @@ Constants
 | 
				
			||||||
 | 
					
 | 
				
			||||||
   .. versionadded:: 3.4
 | 
					   .. versionadded:: 3.4
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					.. data:: VERIFY_X509_TRUSTED_FIRST
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					   Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
 | 
				
			||||||
 | 
					   prefer trusted certificates when building the trust chain to validate a
 | 
				
			||||||
 | 
					   certificate. This flag is enabled by default.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					   .. versionadded:: 3.4.5
 | 
				
			||||||
 | 
					
 | 
				
			||||||
.. data:: PROTOCOL_SSLv23
 | 
					.. data:: PROTOCOL_SSLv23
 | 
				
			||||||
 | 
					
 | 
				
			||||||
   Selects the highest protocol version that both the client and server support.
 | 
					   Selects the highest protocol version that both the client and server support.
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -710,8 +710,9 @@ class ContextTests(unittest.TestCase):
 | 
				
			||||||
                         "verify_flags need OpenSSL > 0.9.8")
 | 
					                         "verify_flags need OpenSSL > 0.9.8")
 | 
				
			||||||
    def test_verify_flags(self):
 | 
					    def test_verify_flags(self):
 | 
				
			||||||
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 | 
					        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 | 
				
			||||||
        # default value by OpenSSL
 | 
					        # default value
 | 
				
			||||||
        self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
 | 
					        tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
 | 
				
			||||||
 | 
					        self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
 | 
				
			||||||
        ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
 | 
					        ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
 | 
				
			||||||
        self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
 | 
					        self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
 | 
				
			||||||
        ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
 | 
					        ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
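Review bot: The unchanged assertions after the new default check show that plain assignment replaces the whole flag set, so `ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF` drops the trusted-first default that the first assertion now establishes, and nothing in the test says this is intended. A comment before that assignment would make it explicit: `# assignment replaces every flag, including the trusted-first default; use |= to keep it`. Because `tf` falls back to 0, the first assertion reduces to the old check on builds without the constant, which is worth a short comment too, e.g. `# constant is missing when OpenSSL lacks X509_V_FLAG_TRUSTED_FIRST`. test_verify_flags continues past the end of this hunk.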
| 
						 | 
					@ -4004,6 +4004,10 @@ PyInit__ssl(void)
 | 
				
			||||||
                            X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 | 
					                            X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 | 
				
			||||||
    PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
 | 
					    PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
 | 
				
			||||||
                            X509_V_FLAG_X509_STRICT);
 | 
					                            X509_V_FLAG_X509_STRICT);
 | 
				
			||||||
 | 
					#ifdef X509_V_FLAG_TRUSTED_FIRST
 | 
				
			||||||
 | 
					    PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
 | 
				
			||||||
 | 
					                            X509_V_FLAG_TRUSTED_FIRST);
 | 
				
			||||||
 | 
					#endif
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Alert Descriptions from ssl.h */
 | 
					    /* Alert Descriptions from ssl.h */
 | 
				
			||||||
    /* note RESERVED constants no longer intended for use have been removed */
 | 
					    /* note RESERVED constants no longer intended for use have been removed */
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
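Review bot: The `#ifdef X509_V_FLAG_TRUSTED_FIRST` guard means `ssl.VERIFY_X509_TRUSTED_FIRST` is not defined on builds whose OpenSSL headers lack the macro, but neither this hunk nor the new documentation entry says so. The documentation states unconditionally that the flag is enabled by default. Code that references the attribute directly would raise AttributeError on such builds, which is presumably why the test in this commit reads it with `getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)`. I would add a comment above the guard, `/* Only exported when the OpenSSL headers define X509_V_FLAG_TRUSTED_FIRST. */`, and an availability sentence to the `VERIFY_X509_TRUSTED_FIRST` doc entry. The body of PyInit__ssl starts and ends outside this hunk.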