cpython: 63df21e74c65 (original) (raw)

Mercurial > cpython

changeset 87422:63df21e74c65

Issue #19689: Add ssl.create_default_context() factory function. It creates a new SSLContext object with secure default settings. [#19689]

line wrap: on

line diff

--- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -346,6 +346,24 @@ Certificate handling .. versionchanged:: 3.3 This function is now IPv6-compatible. +.. function:: create_default_context(purpose=Purpose.SERVER_AUTH, cafile=None, capath=None, cadata=None) +

• Create a :class:SSLContext with default settings. +
• The current settings are: :data:PROTOCOL_TLSv1 with high encryption
• cipher suites without RC4 and without unauthenticated cipher suites. The
• purpose :data:Purpose.SERVER_AUTH sets verify_mode to
• :data:CERT_REQUIRED and either loads CA certs (when at least one of
• cafile, capath or cadata is given) or uses
• :meth:SSLContext.load_default_certs to load default CA certs. +
• .. note::

•  The protocol, options, cipher and other settings may change to more[](#l1.19)

•  restrictive values anytime without prior deprecation. The values[](#l1.20)

•  represent a fair balance between maximum compatibility and security.[](#l1.21)

+

• .. versionadded:: 3.4 +

.. function:: DER_cert_to_PEM_cert(DER_cert_bytes) Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded

--- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -165,6 +165,13 @@ else:

(OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')

_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2' +# restricted and more secure ciphers +# HIGH: high encryption cipher suites with key length >= 128 bits (no MD5) +# !aNULL: only authenticated cipher suites (no anonymous DH) +# !RC4: no RC4 streaming cipher, RC4 is broken +# !DSS: RSA is preferred over DSA +_RESTRICTED_CIPHERS = 'HIGH:!aNULL:!RC4:!DSS' + class CertificateError(ValueError): pass @@ -363,6 +370,34 @@ class SSLContext(_SSLContext): self.set_default_verify_paths() +def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,

•                       capath=None, cadata=None):[](#l2.22)

• """Create a SSLContext object with default settings.

+

• NOTE: The protocol and settings may change anytime without prior

•      deprecation. The values represent a fair balance between maximum[](#l2.26)

•      compatibility and security.[](#l2.27)

• """
• if not isinstance(purpose, _ASN1Object):

•    raise TypeError(purpose)[](#l2.30)

• context = SSLContext(PROTOCOL_TLSv1)

• SSLv2 considered harmful.

• context.options |= OP_NO_SSLv2

• disallow ciphers with known vulnerabilities

• context.set_ciphers(_RESTRICTED_CIPHERS)

• verify certs in client mode

• if purpose == Purpose.SERVER_AUTH:

•    context.verify_mode = CERT_REQUIRED[](#l2.38)

• if cafile or capath or cadata:

•    context.load_verify_locations(cafile, capath, cadata)[](#l2.40)

• elif context.verify_mode != CERT_NONE:

•    # no explicit cafile, capath or cadata but the verify mode is[](#l2.42)

•    # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system[](#l2.43)

•    # root CA certificates for the given purpose. This may fail silently.[](#l2.44)

•    context.load_default_certs(purpose)[](#l2.45)

• return context

+ + class SSLSocket(socket): """This class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and

--- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -999,6 +999,26 @@ class ContextTests(unittest.TestCase): self.assertRaises(TypeError, ctx.load_default_certs, None) self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')

• def test_create_default_context(self):

•    ctx = ssl.create_default_context()[](#l3.8)

•    self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)[](#l3.9)

•    self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)[](#l3.10)

•    self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)[](#l3.11)

+

•    with open(SIGNING_CA) as f:[](#l3.13)

•        cadata = f.read()[](#l3.14)

•    ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,[](#l3.15)

•                                     cadata=cadata)[](#l3.16)

•    self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)[](#l3.17)

•    self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)[](#l3.18)

•    self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)[](#l3.19)

+

•    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)[](#l3.21)

•    self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)[](#l3.22)

•    self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)[](#l3.23)

•    self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)[](#l3.24)

+ + class SSLErrorTests(unittest.TestCase):

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -68,6 +68,9 @@ Core and Builtins Library ------- +- Issue #19689: Add ssl.create_default_context() factory function. It creates

• a new SSLContext object with secure default settings. +

• Issue #19292: Add SSLContext.load_default_certs() to load default root CA certificates from default stores or system stores. By default the method loads CA certs for authentication of server certs.