Skip to content

gh-107361: strengthen default SSL context flags #112389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gpshead merged 19 commits into from
Mar 6, 2024
Merged

gh-107361: strengthen default SSL context flags #112389

Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
f0e262e
gh-107361: strengthen default SSL context flags
woodruffw Nov 25, 2023
4782048
add news entry
woodruffw Nov 25, 2023
732b953
ssl: expand comment
woodruffw Nov 25, 2023
15c0313
ssl.rst: further explain new X509 flags
woodruffw Nov 29, 2023
2aceb81
whatsnew: add ssl.create_default_context changes
woodruffw Nov 29, 2023
eb2c6e4
gitattributes: mark certdata as generated
woodruffw Nov 29, 2023
668803c
gitattributes: avoid {} glob syntax
woodruffw Nov 29, 2023
da318a6
Update Doc/library/ssl.rst
woodruffw Dec 1, 2023
4ae44d1
ssl.rst: explain how to disable VERIFY_X509_STRICT
woodruffw Dec 1, 2023
792383a
Apply suggestions from code review
woodruffw Dec 6, 2023
f1b59ed
whatsnew/3.13: add note for disabling VERIFY_X509_STRICT
woodruffw Dec 6, 2023
c8a7bb5
Merge remote-tracking branch 'upstream/main' into default-ssl-verify-…
woodruffw Feb 1, 2024
f6c3af3
test: add a backstop test for VERIFY_X509_STRICT
woodruffw Feb 2, 2024
ff087fb
test: try a higher base error
woodruffw Feb 2, 2024
e46a672
test: require OpenSSL 3+ for test_verify_strict
woodruffw Feb 16, 2024
fe42d9a
Merge remote-tracking branch 'upstream/main' into default-ssl-verify-…
woodruffw Feb 16, 2024
1a3e037
test: whitespace
woodruffw Feb 16, 2024
cef6950
Merge remote-tracking branch 'upstream/main' into default-ssl-verify-…
woodruffw Mar 4, 2024
2c7b14e
Merge remote-tracking branch 'upstream/main' into default-ssl-verify-…
woodruffw Mar 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
ssl: expand comment
  • Loading branch information
@woodruffw
woodruffw committed Nov 25, 2023
commit 732b953f3de5c60dbba1fee88eeb39bf2f602970
9 changes: 6 additions & 3 deletions Lib/ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -704,9 +704,12 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
else:
raise ValueError(purpose)

# Make OpenSSL's chain building behave more like RFC 3280 5280,
# which specify that chain building stops with the first trust
# anchor, even if that anchor is not self-signed.
# `VERIFY_X509_PARTIAL_CHAIN` makes OpenSSL's chain building behave more
# like RFC 3280 and 5280, which specify that chain building stops with the
# first trust anchor, even if that anchor is not self-signed.
Comment thread
woodruffw marked this conversation as resolved.
# `VERIFY_X509_STRICT` makes OpenSSL more conservative about the
# certificates it accepts, including "disabling workarounds for
# some broken certificates."
context.verify_flags |= (_ssl.VERIFY_X509_PARTIAL_CHAIN |
_ssl.VERIFY_X509_STRICT)

Expand Down