diff -r cb1691d42101 Doc/library/ssl.rst --- a/Doc/library/ssl.rst Wed Nov 20 17:43:23 2013 +0100 +++ b/Doc/library/ssl.rst Thu Nov 21 03:29:49 2013 +0100 @@ -423,6 +423,28 @@ be passed, either to :meth:`SSLContext.load_verify_locations` or as a value of the ``ca_certs`` parameter to :func:`wrap_socket`. +.. data:: CRL_CHECK_NONE + + Possible value for :attr:`SSLContext.verify_flags`. In this mode, CRLs + are not checked. + + .. versionadded:: 3.4 + +.. data:: CRL_CHECK_LEAF + + Possible value for :attr:`SSLContext.verify_flags`. In this mode, only CRLs + of the peer certificate are checked. If not CRL for the peer cert has been + loaded with :attr:`SSLContext.load_verify_locations`, validation will fail. + + .. versionadded:: 3.4 + +.. data:: CRL_CHECK_CHAIN + + Possible value for :attr:`SSLContext.verify_flags`. In this mode, CRLs of + all certificates in the peer cert chain are checked. + + .. versionadded:: 3.4 + .. data:: PROTOCOL_SSLv2 Selects SSL version 2 as the channel encryption protocol. @@ -857,6 +879,10 @@ other peers' certificates when :data:`verify_mode` is other than :data:`CERT_NONE`. At least one of *cafile* or *capath* must be specified. + The method can also load certification revocation lists (CRLs) in PEM or + or DER format. In order to make use of CRLs, :attr:`SSLContext.verify_flags` + must be configured properly. + The *cafile* string, if present, is the path to a file of concatenated CA certificates in PEM format. See the discussion of :ref:`ssl-certificates` for more information about how to arrange the @@ -867,6 +893,7 @@ following an `OpenSSL specific layout `_. + .. method:: SSLContext.get_ca_certs(binary_form=False) Get a list of loaded "certification authority" (CA) certificates. If the @@ -1044,6 +1071,15 @@ The protocol version chosen when constructing the context. This attribute is read-only. +.. attribute:: SSLContext.verify_flags + + The flags for verification verification operations. This attribute can be + set to any value of :data:`CRL_CHECK_NONE`, :data:`CRL_CHECK_LEAF` or + :data:`CRL_CHECK_CHAIN`. + + .. versionadded:: 3.4 + + .. attribute:: SSLContext.verify_mode Whether to try to verify other peers' certificates and how to behave diff -r cb1691d42101 Lib/ssl.py --- a/Lib/ssl.py Wed Nov 20 17:43:23 2013 +0100 +++ b/Lib/ssl.py Thu Nov 21 03:29:49 2013 +0100 @@ -102,6 +102,7 @@ SSLSyscallError, SSLEOFError, ) from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED +from _ssl import CRL_CHECK_NONE, CRL_CHECK_LEAF, CRL_CHECK_CHAIN from _ssl import txt2obj as _txt2obj, nid2obj as _nid2obj from _ssl import RAND_status, RAND_egd, RAND_add, RAND_bytes, RAND_pseudo_bytes diff -r cb1691d42101 Lib/test/make_ssl_certs.py --- a/Lib/test/make_ssl_certs.py Wed Nov 20 17:43:23 2013 +0100 +++ b/Lib/test/make_ssl_certs.py Thu Nov 21 03:29:49 2013 +0100 @@ -28,8 +28,10 @@ [ CA_default ] dir = cadir database = $dir/index.txt + crlnumber = $dir/crl.txt default_md = sha1 default_days = 3600 + default_crl_days = 3600 certificate = pycacert.pem private_key = pycakey.pem serial = $dir/serial @@ -129,6 +131,8 @@ '-keyfile', 'pycakey.pem', '-days', '3650', '-selfsign', '-extensions', 'v3_ca', '-infiles', f.name ] check_call(['openssl'] + args) + args = ['ca', '-config', t.name, '-gencrl', '-out', 'revocation.crl'] + check_call(['openssl'] + args) if __name__ == '__main__': os.chdir(here) diff -r cb1691d42101 Lib/test/test_ssl.py --- a/Lib/test/test_ssl.py Wed Nov 20 17:43:23 2013 +0100 +++ b/Lib/test/test_ssl.py Thu Nov 21 03:29:49 2013 +0100 @@ -44,6 +44,9 @@ CAPATH = data_file("capath") BYTES_CAPATH = os.fsencode(CAPATH) +# empty CRL +CRLFILE = data_file("revocation.crl") + # Two keys and certs signed by the same CA (for SNI tests) SIGNED_CERTFILE = data_file("keycert3.pem") SIGNED_CERTFILE2 = data_file("keycert4.pem") @@ -1681,6 +1684,47 @@ self.assertLess(before, after) s.close() + def test_crl_check(self): + if support.verbose: + sys.stdout.write("\n") + + server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + server_context.load_cert_chain(SIGNED_CERTFILE) + + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.verify_mode = ssl.CERT_REQUIRED + context.load_verify_locations(SIGNING_CA) + context.verify_mode = ssl.CERT_REQUIRED + context.verify_flags = ssl.CRL_CHECK_NONE + + # CRL_CHECK_NONE should pass + server = ThreadedEchoServer(context=server_context, chatty=True) + with server: + with context.wrap_socket(socket.socket()) as s: + s.connect((HOST, server.port)) + cert = s.getpeercert() + self.assertTrue(cert, "Can't get peer certificate.") + + # CRL_CHECK_LEAF without a loaded CRL file fails + context.verify_flags = ssl.CRL_CHECK_LEAF + + server = ThreadedEchoServer(context=server_context, chatty=True) + with server: + with context.wrap_socket(socket.socket()) as s: + with self.assertRaisesRegex(ssl.SSLError, + "certificate verify failed"): + s.connect((HOST, server.port)) + + # now load a CRL file. The CRL file is signed by the CA. + context.load_verify_locations(CRLFILE) + + server = ThreadedEchoServer(context=server_context, chatty=True) + with server: + with context.wrap_socket(socket.socket()) as s: + s.connect((HOST, server.port)) + cert = s.getpeercert() + self.assertTrue(cert, "Can't get peer certificate.") + def test_empty_cert(self): """Connecting with an empty cert file""" bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir, diff -r cb1691d42101 Modules/_ssl.c --- a/Modules/_ssl.c Wed Nov 20 17:43:23 2013 +0100 +++ b/Modules/_ssl.c Thu Nov 21 03:29:49 2013 +0100 @@ -2075,6 +2075,44 @@ } static PyObject * +get_verify_flags(PySSLContext *self, void *c) +{ + X509_STORE *store; + unsigned long flags; + + store = SSL_CTX_get_cert_store(self->ctx); + flags = X509_VERIFY_PARAM_get_flags(store->param); + return PyLong_FromUnsignedLong(flags); +} + +static int +set_verify_flags(PySSLContext *self, PyObject *arg, void *c) +{ + X509_STORE *store; + unsigned long new_flags, flags, set, clear; + + if (!PyArg_Parse(arg, "k", &new_flags)) + return -1; + store = SSL_CTX_get_cert_store(self->ctx); + flags = X509_VERIFY_PARAM_get_flags(store->param); + clear = flags & ~new_flags; + set = ~flags & new_flags; + if (clear) { + if (!X509_VERIFY_PARAM_clear_flags(store->param, clear)) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + return -1; + } + } + if (set) { + if (!X509_VERIFY_PARAM_set_flags(store->param, set)) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + return -1; + } + } + return 0; +} + +static PyObject * get_options(PySSLContext *self, void *c) { return PyLong_FromLong(SSL_CTX_get_options(self->ctx)); @@ -2752,6 +2790,8 @@ static PyGetSetDef context_getsetlist[] = { {"options", (getter) get_options, (setter) set_options, NULL}, + {"verify_flags", (getter) get_verify_flags, + (setter) set_verify_flags, NULL}, {"verify_mode", (getter) get_verify_mode, (setter) set_verify_mode, NULL}, {NULL}, /* sentinel */ @@ -3465,6 +3505,13 @@ PY_SSL_CERT_OPTIONAL); PyModule_AddIntConstant(m, "CERT_REQUIRED", PY_SSL_CERT_REQUIRED); + /* CRL verification for verification_flags */ + PyModule_AddIntConstant(m, "CRL_CHECK_NONE", + 0); + PyModule_AddIntConstant(m, "CRL_CHECK_LEAF", + X509_V_FLAG_CRL_CHECK); + PyModule_AddIntConstant(m, "CRL_CHECK_CHAIN", + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); #ifdef _MSC_VER /* Windows dwCertEncodingType */