
Side by Side Diff: Lib/ssl.py

Issue 22417: PEP 476: verify HTTPS certificates by default
Patch Set: Created 4 years, 11 months ago
1 # Wrapper module for _ssl, providing some additional facilities 1 # Wrapper module for _ssl, providing some additional facilities
2 # implemented in Python. Written by Bill Janssen. 2 # implemented in Python. Written by Bill Janssen.
3 3
4 """This module provides some more Pythonic support for SSL. 4 """This module provides some more Pythonic support for SSL.
5 5
6 Object types: 6 Object types:
7 7
8 SSLSocket -- subtype of socket.socket which does SSL over the socket 8 SSLSocket -- subtype of socket.socket which does SSL over the socket
9 9
10 Exceptions: 10 Exceptions:
429 429
430 if cafile or capath or cadata: 430 if cafile or capath or cadata:
431 context.load_verify_locations(cafile, capath, cadata) 431 context.load_verify_locations(cafile, capath, cadata)
432 elif context.verify_mode != CERT_NONE: 432 elif context.verify_mode != CERT_NONE:
433 # no explicit cafile, capath or cadata but the verify mode is 433 # no explicit cafile, capath or cadata but the verify mode is
434 # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system 434 # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system
435 # root CA certificates for the given purpose. This may fail silently. 435 # root CA certificates for the given purpose. This may fail silently.
436 context.load_default_certs(purpose) 436 context.load_default_certs(purpose)
437 return context 437 return context
438 438
439 439 def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
440 def _create_stdlib_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
441 check_hostname=False, purpose=Purpose.SERVER_AUTH, 440 check_hostname=False, purpose=Purpose.SERVER_AUTH,
442 certfile=None, keyfile=None, 441 certfile=None, keyfile=None,
443 cafile=None, capath=None, cadata=None): 442 cafile=None, capath=None, cadata=None):
444 """Create a SSLContext object for Python stdlib modules 443 """Create a SSLContext object for Python stdlib modules
445 444
446 All Python stdlib modules shall use this function to create SSLContext 445 All Python stdlib modules shall use this function to create SSLContext
447 objects in order to keep common settings in one place. The configuration 446 objects in order to keep common settings in one place. The configuration
448 is less restrict than create_default_context()'s to increase backward 447 is less restrict than create_default_context()'s to increase backward
449 compatibility. 448 compatibility.
450 """ 449 """
589 if cb_type != "tls-unique": 588 if cb_type != "tls-unique":
590 raise NotImplementedError( 589 raise NotImplementedError(
591 "{0} channel binding type not implemented" 590 "{0} channel binding type not implemented"
592 .format(cb_type)) 591 .format(cb_type))
593 return self._sslobj.tls_unique_cb() 592 return self._sslobj.tls_unique_cb()
594 593
595 def version(self): 594 def version(self):
596 """Return a string identifying the protocol version used by the 595 """Return a string identifying the protocol version used by the
597 current SSL channel. """ 596 current SSL channel. """
598 return self._sslobj.version() 597 return self._sslobj.version()
598
599
600 # Used by http.client if no context is explicitly passed.
601 _create_default_https_context = create_default_context
602
603
604 # Backwards compatibility alias, even though it's not a public name.
605 _create_stdlib_context = _create_unverified_context
599 606
600 607
601 class SSLSocket(socket): 608 class SSLSocket(socket):
602 """This class implements a subtype of socket.socket that wraps 609 """This class implements a subtype of socket.socket that wraps
603 the underlying OS socket in an SSL context when necessary, and 610 the underlying OS socket in an SSL context when necessary, and
604 provides read and write methods over that channel.""" 611 provides read and write methods over that channel."""
605 612
606 def __init__(self, sock=None, keyfile=None, certfile=None, 613 def __init__(self, sock=None, keyfile=None, certfile=None,
607 server_side=False, cert_reqs=CERT_NONE, 614 server_side=False, cert_reqs=CERT_NONE,
608 ssl_version=PROTOCOL_SSLv23, ca_certs=None, 615 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
1070 context = _create_stdlib_context(ssl_version, 1077 context = _create_stdlib_context(ssl_version,
1071 cert_reqs=cert_reqs, 1078 cert_reqs=cert_reqs,
1072 cafile=ca_certs) 1079 cafile=ca_certs)
1073 with create_connection(addr) as sock: 1080 with create_connection(addr) as sock:
1074 with context.wrap_socket(sock) as sslsock: 1081 with context.wrap_socket(sock) as sslsock:
1075 dercert = sslsock.getpeercert(True) 1082 dercert = sslsock.getpeercert(True)
1076 return DER_cert_to_PEM_cert(dercert) 1083 return DER_cert_to_PEM_cert(dercert)
1077 1084
1078 def get_protocol_name(protocol_code): 1085 def get_protocol_name(protocol_code):
1079 return _PROTOCOL_NAMES.get(protocol_code, '<unknown>') 1086 return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')
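Review bot: The docstring carried over under the renamed `_create_unverified_context` (new lines 443-449) still says "All Python stdlib modules shall use this function to create SSLContext objects", which now contradicts the `_create_default_https_context = create_default_context` alias added at new line 601 as the default for http.client. I would rewrite that second paragraph so it no longer directs stdlib callers here, e.g. `Stdlib modules that should verify certificates by default use _create_default_https_context (PEP 476); this helper keeps the looser defaults for backward compatibility.` — the name implies certificates are not verified unless the caller asks, but the function body that would confirm this is outside the visible lines. The call at new line 1077 still goes through `_create_stdlib_context`, which new line 604 documents as a backwards-compatibility alias; an in-tree caller could use `_create_unverified_context` directly so a later removal of the alias does not break it, and its presence there also makes it explicit to a reader that that code path is not the verifying one. The enclosing function at new line 1077 starts outside the visible lines.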