[Python-checkins] cpython (merge 3.4 -> default): merge 3.4

benjamin.peterson python-checkins at python.org
Thu Mar 5 04:50:30 CET 2015


https://hg.python.org/cpython/rev/135e16acdec7
changeset: 94860:135e16acdec7
parent: 94857:442e2c357979
parent: 94858:bb6fb47e0141
user: Benjamin Peterson <benjamin at python.org>
date: Wed Mar 04 22:50:25 2015 -0500
summary:
 merge 3.4
files:
 Doc/library/ssl.rst | 14 +++++++++++---
 Lib/test/test_ssl.py | 5 +++--
 Modules/_ssl.c | 4 ++++
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -520,9 +520,9 @@
 
 .. data:: VERIFY_DEFAULT
 
- Possible value for :attr:`SSLContext.verify_flags`. In this mode,
- certificate revocation lists (CRLs) are not checked. By default OpenSSL
- does neither require nor verify CRLs.
+ Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
+ revocation lists (CRLs) are not checked. By default OpenSSL does neither
+ require nor verify CRLs.
 
 .. versionadded:: 3.4
 
@@ -550,6 +550,14 @@
 
 .. versionadded:: 3.4
 
+.. data:: VERIFY_X509_TRUSTED_FIRST
+
+ Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+ prefer trusted certificates when building the trust chain to validate a
+ certificate. This flag is enabled by default.
+
+ .. versionadded:: 3.4.5
+
 .. data:: PROTOCOL_SSLv23
 
 Selects the highest protocol version that both the client and server support.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -818,8 +818,9 @@
 "verify_flags need OpenSSL > 0.9.8")
 def test_verify_flags(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # default value by OpenSSL
- self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
+ # default value
+ tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+ self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
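Review bot: The new `# default value` comment does not say why the expected mask is built with `getattr(..., 0)`. The unchanged assertions right below it also show that a plain assignment such as `ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF` replaces the whole mask, so the trusted-first bit that is on by default is gone afterwards. I would spell both out, e.g. `# default: VERIFY_DEFAULT, plus TRUSTED_FIRST when the OpenSSL build defines it` above the getattr line and `# assignment replaces the mask, dropping the default TRUSTED_FIRST bit` above the first assignment. Code that wants CRL checks without losing the default would need `|=`, which the visible part of this test does not exercise. test_verify_flags continues past the end of the hunk.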
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4458,6 +4458,10 @@
 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
 X509_V_FLAG_X509_STRICT);
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+ PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
+ X509_V_FLAG_TRUSTED_FIRST);
+#endif
 
 /* Alert Descriptions from ssl.h */
 /* note RESERVED constants no longer intended for use have been removed */
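Review bot: `VERIFY_X509_TRUSTED_FIRST` is only added to the module inside `#ifdef X509_V_FLAG_TRUSTED_FIRST`, so on an OpenSSL build without that macro the attribute is missing. The ssl.rst entry in this commit documents the constant and says it is enabled by default without mentioning that condition. A short comment here would help, e.g. `/* not defined by older OpenSSL; the Python constant is then absent */`, and the doc entry probably wants a matching availability note. The code that turns the flag on for a new context is not in this hunk; presumably it is guarded by the same macro, which is worth confirming. The enclosing module-init function begins and ends outside the hunk.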
-- 
Repository URL: https://hg.python.org/cpython

