Side by Side Diff: Lib/ssl.py

Issue 22417: PEP 476: verify HTTPS certificates by default
Patch Set: Created 4 years, 7 months ago
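--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -1,10 +1,10 @@
 # Wrapper module for _ssl, providing some additional facilities
 # implemented in Python. Written by Bill Janssen.
 
 """This module provides some more Pythonic support for SSL.
 
 Object types:
 
 SSLSocket -- subtype of socket.socket which does SSL over the socket
 
 Exceptions:
@@ -429,22 +429,21 @@
 
 if cafile or capath or cadata:
 context.load_verify_locations(cafile, capath, cadata)
 elif context.verify_mode != CERT_NONE:
 # no explicit cafile, capath or cadata but the verify mode is
 # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system
 # root CA certificates for the given purpose. This may fail silently.
 context.load_default_certs(purpose)
 return context
 
-
-def _create_stdlib_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
+def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
 check_hostname=False, purpose=Purpose.SERVER_AUTH,
 certfile=None, keyfile=None,
 cafile=None, capath=None, cadata=None):
 """Create a SSLContext object for Python stdlib modules
 
 All Python stdlib modules shall use this function to create SSLContext
 objects in order to keep common settings in one place. The configuration
 is less restrict than create_default_context()'s to increase backward
 compatibility.
 """
@@ -592,20 +591,28 @@
 if cb_type != "tls-unique":
 raise NotImplementedError(
 "{0} channel binding type not implemented"
 .format(cb_type))
 return self._sslobj.tls_unique_cb()
 
 def version(self):
 """Return a string identifying the protocol version used by the
 current SSL channel. """
 return self._sslobj.version()
+
+
+# Used by http.client if no context is explicitly passed.
+_create_default_https_context = create_default_context
+
+
+# Backwards compatibility alias, even though it's not a public name.
+_create_stdlib_context = _create_unverified_context
 
 
 class SSLSocket(socket):
 """This class implements a subtype of socket.socket that wraps
 the underlying OS socket in an SSL context when necessary, and
 provides read and write methods over that channel."""
 
 def __init__(self, sock=None, keyfile=None, certfile=None,
 server_side=False, cert_reqs=CERT_NONE,
 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
@@ -1073,10 +1080,10 @@
 context = _create_stdlib_context(ssl_version,
 cert_reqs=cert_reqs,
 cafile=ca_certs)
 with create_connection(addr) as sock:
 with context.wrap_socket(sock) as sslsock:
 dercert = sslsock.getpeercert(True)
 return DER_cert_to_PEM_cert(dercert)
 
 def get_protocol_name(protocol_code):
 return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')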
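Review bot: The docstring kept under the renamed `_create_unverified_context` (new lines 443-449) still says all stdlib modules "shall use this function", which now contradicts the `_create_default_https_context = create_default_context` hook added at new line 604 that makes verified contexts the default; it should state what verification the returned context performs by default (presumably none, given the name — the body is outside the shown lines, so confirm) and that it is kept for backward compatibility, and "less restrict" should read "less restrictive". The comment on `_create_default_https_context` (new line 603) should also say that http.client looks this module attribute up only when no context is passed, so rebinding it presumably changes certificate verification for every http.client caller in the process — the first thing an operator needs to know when verification turns out to be silently off. `get_server_certificate` at new line 1080, whose body begins outside the hunk, still calls the compatibility alias `_create_stdlib_context` rather than the function the commit just renamed; I'd change it to `context = _create_unverified_context(ssl_version,`.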