| msg125621 - (view) |
Author: Daniel Black (grooverdan) * |
Date: 2011-01-07 04:42 |
| Like r85793, sni is enabled by default for url and https classes. This continues the consistency throughout the python libraries by adding it to other places where wrap_socket is used to instigate a SSL/TLS connection. |
|
|
| msg125623 - (view) |
Author: Daniel Black (grooverdan) * |
Date: 2011-01-07 04:54 |
| dup #10853 |
|
|
| msg125647 - (view) |
Author: Antoine Pitrou (pitrou) *  |
Date: 2011-01-07 13:48 |
| Oops, I hadn't noticed you had closed it. |
|
|
| msg125670 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2011-01-07 18:13 |
| I understand this patch relies on #10851. As I said there, I would rather have SSLContext become the primary API, and the stdlib standardize on it. Part of the stdlib, as you have witnessed, already allows the user to pass a custom SSLContext, which is very simple way of allowing for custom user settings. There are two open issues for imaplib (#8808) and smtplib (#8809). |
|
|
| msg126920 - (view) |
Author: Daniel Black (grooverdan) * |
Date: 2011-01-24 11:05 |
| ok. should library/ssl.rst be updated to use a SSLContext example? |
|
|
| msg126929 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2011-01-24 14:20 |
| Well, there are already such examples: http://docs.python.org/dev/library/ssl.html#examples Do you think they are not visible enough? |
|
|
| msg126958 - (view) |
Author: Daniel Black (grooverdan) * |
Date: 2011-01-24 21:21 |
| I thought previous comments you wanted SSLContext to become the primary api rather than wrap_socket? Coding this into the examples is probably a good way of making this happen. |
|
|
| msg168632 - (view) |
Author: danblack (daniel-black) |
Date: 2012-08-20 07:28 |
| Antoine, I copied off your http example for all the other protocols. tested with: import smtplib a = smtplib.SMTP_SSL('gmail-smtp-in.l.google.com.') a.starttls() a = smtplib.SMTP_SSL('mail.internode.on.net') a = smtplib.SMTP_SSL('smtp.gmail.com') import ftplib # http://secureftp-test.com/ f = ftplib.FTP_TLS('ftp.secureftp-test.com') f.auth() import imaplib i = imaplib.IMAP4('calmail.berkley.edu') i.starttls() i = imaplib.IMAP4_SSL('mail.internode.on.net') import poplib p = poplib.POP3_SSL('calmail.berkley.edu') import nntplib n = nntplib.NNTP_SSL('news.internode.on.net') I did a network capture and saw the hostname in the SNI header |
|
|
| msg168781 - (view) |
Author: danblack (daniel-black) |
Date: 2012-08-21 14:49 |
| previous patch had dumb error and even failed test suit. Now fixed. |
|
|
| msg168782 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2012-08-21 14:55 |
| Thanks for the patch, Daniel. 3.3 is nearing the release candidate phase, so I'm re-targetting to 3.4. I'll take a detailed look soon. (I suppose there's no easy way to write automated tests for this, unfortunately) |
|
|
| msg168784 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2012-08-21 14:56 |
| By the way, could you sign a contributor agreement? You can find instructions at http://www.python.org/psf/contrib/ |
|
|
| msg168850 - (view) |
Author: danblack (daniel-black) |
Date: 2012-08-22 07:48 |
| > Thanks for the patch > Daniel. 3.3 is nearing the release candidate phase, so I'm re-targetting to 3.4. I'll take a detailed look soon. Welcome. Just noticed conflicts with #4473 in the client POP implementation. Hopefully they are close anyway. > (I suppose there's no easy way to write automated tests for this, unfortunately) Well since #8109 writes the server SNI its getting easier. In Lib/test/test_ssl.py combined with the changes of #8109 it would seem that changing ConnectionHandler.run to respond to "AUTH TLS", "AUTH SSL" (ftp) and "STLS" for pop (preempt #4473). Changing server_params_test to support a proper arguments that correspond the the client protocol would be the way to do it. > By the way, could you sign a contributor agreement yes - emailed in. |
|
|
| msg177261 - (view) |
Author: danblack (daniel-black) |
Date: 2012-12-10 03:41 |
| the one error in the previous review corrected. |
|
|
| msg181804 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2013-02-10 13:51 |
| I'm getting a test failure in test_ftplib: ====================================================================== ERROR: test_data_connection (test.test_ftplib.TestTLS_FTPClass) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/antoine/cpython/default/Lib/test/test_ftplib.py", line 834, in test_data_connection with self.client.transfercmd('list') as sock: File "/home/antoine/cpython/default/Lib/ftplib.py", line 386, in transfercmd return self.ntransfercmd(cmd, rest)[0] File "/home/antoine/cpython/default/Lib/ftplib.py", line 756, in ntransfercmd self.context.load_cert_chain(self.certfile, self.keyfile) TypeError: certfile should be a valid filesystem path Also, since we now have SNI server support, perhaps it's easier to test the change :-) |
|
|
| msg181890 - (view) |
Author: Daniel Black (grooverdan) * |
Date: 2013-02-11 10:20 |
| Ack. Have fix. Simple if self.certfile or self.keyfile: test added before load_cert_chain. part way through developing test. Thinking #17181 would help. |
|
|
| msg275024 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2016-09-08 14:43 |
| Good idea, but the patch is outdated. We can enforce verification by changing ssl._create_stdlib_context. |
|
|
| msg275026 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2016-09-08 14:44 |
| Oh sorry, this is about SNI not verified context. All protocols support SNI for some time. |
|
|