Delta Between Two Patch Sets: Lib/ssl.py

Issue 22417: PEP 476: verify HTTPS certificates by default
Left Patch Set: Created 4 years, 9 months ago
Right Patch Set: Created 4 years, 8 months ago
1 # Wrapper module for _ssl, providing some additional facilities 1 # Wrapper module for _ssl, providing some additional facilities
2 # implemented in Python. Written by Bill Janssen. 2 # implemented in Python. Written by Bill Janssen.
3 3
4 """This module provides some more Pythonic support for SSL. 4 """This module provides some more Pythonic support for SSL.
5 5
6 Object types: 6 Object types:
7 7
8 SSLSocket -- subtype of socket.socket which does SSL over the socket 8 SSLSocket -- subtype of socket.socket which does SSL over the socket
9 9
10 Exceptions: 10 Exceptions:
195 """ 195 """
196 pats = [] 196 pats = []
197 if not dn: 197 if not dn:
198 return False 198 return False
199 199
200 leftmost, *remainder = dn.split(r'.') 200 leftmost, *remainder = dn.split(r'.')
201 201
202 wildcards = leftmost.count('*') 202 wildcards = leftmost.count('*')
203 if wildcards > max_wildcards: 203 if wildcards > max_wildcards:
204 # Issue #17980: avoid denials of service by refusing more 204 # Issue #17980: avoid denials of service by refusing more
205 # than one wildcard per fragment. A survery of established 205 # than one wildcard per fragment. A survey of established
206 # policy among SSL implementations showed it to be a 206 # policy among SSL implementations showed it to be a
207 # reasonable choice. 207 # reasonable choice.
208 raise CertificateError( 208 raise CertificateError(
209 "too many wildcards in certificate DNS name: " + repr(dn)) 209 "too many wildcards in certificate DNS name: " + repr(dn))
210 210
211 # speed up common case w/o wildcards 211 # speed up common case w/o wildcards
212 if not wildcards: 212 if not wildcards:
213 return dn.lower() == hostname.lower() 213 return dn.lower() == hostname.lower()
214 214
215 # RFC 6125, section 6.4.3, subitem 1. 215 # RFC 6125, section 6.4.3, subitem 1.
446 objects in order to keep common settings in one place. The configuration 446 objects in order to keep common settings in one place. The configuration
447 is less restrict than create_default_context()'s to increase backward 447 is less restrict than create_default_context()'s to increase backward
448 compatibility. 448 compatibility.
449 """ 449 """
450 if not isinstance(purpose, _ASN1Object): 450 if not isinstance(purpose, _ASN1Object):
451 raise TypeError(purpose) 451 raise TypeError(purpose)
452 452
453 context = SSLContext(protocol) 453 context = SSLContext(protocol)
454 # SSLv2 considered harmful. 454 # SSLv2 considered harmful.
455 context.options |= OP_NO_SSLv2 455 context.options |= OP_NO_SSLv2
456 # SSLv3 has problematic security and is only required for really old
457 # clients such as IE6 on Windows XP
458 context.options |= OP_NO_SSLv3
456 459
457 if cert_reqs is not None: 460 if cert_reqs is not None:
458 context.verify_mode = cert_reqs 461 context.verify_mode = cert_reqs
459 context.check_hostname = check_hostname 462 context.check_hostname = check_hostname
460 463
461 if keyfile and not certfile: 464 if keyfile and not certfile:
462 raise ValueError("certfile must be specified") 465 raise ValueError("certfile must be specified")
463 if certfile or keyfile: 466 if certfile or keyfile:
464 context.load_cert_chain(certfile, keyfile) 467 context.load_cert_chain(certfile, keyfile)
465 468
1077 context = _create_stdlib_context(ssl_version, 1080 context = _create_stdlib_context(ssl_version,
1078 cert_reqs=cert_reqs, 1081 cert_reqs=cert_reqs,
1079 cafile=ca_certs) 1082 cafile=ca_certs)
1080 with create_connection(addr) as sock: 1083 with create_connection(addr) as sock:
1081 with context.wrap_socket(sock) as sslsock: 1084 with context.wrap_socket(sock) as sslsock:
1082 dercert = sslsock.getpeercert(True) 1085 dercert = sslsock.getpeercert(True)
1083 return DER_cert_to_PEM_cert(dercert) 1086 return DER_cert_to_PEM_cert(dercert)
1084 1087
1085 def get_protocol_name(protocol_code): 1088 def get_protocol_name(protocol_code):
1086 return _PROTOCOL_NAMES.get(protocol_code, '<unknown>') 1089 return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')
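Review bot: The new `context.options |= OP_NO_SSLv3` (right-hand line 458 in _create_stdlib_context) is applied regardless of the `protocol` argument, so a caller that passes PROTOCOL_SSLv3 — get_server_certificate forwards its `ssl_version` to this function at right-hand line 1080 — would presumably end up with a context that refuses the only protocol version it can negotiate, failing at handshake time rather than at construction. That combination deserves either a guard or, at minimum, a docstring sentence. The docstring just above the change (lines 446–448) still describes the configuration only as "less restrict than create_default_context()'s" (should read "less restrictive") and does not say that SSLv2 and SSLv3 are now refused unconditionally; suggest appending `SSLv2 and SSLv3 are always disabled, so the protocol argument must allow a TLS version.` to it. The function's signature and the start of its docstring lie outside the visible hunk.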