whatsnew: SSLContext.verify_flags and constants. (#8813)

author R David Murray <rdmurray@bitdance.com>

Sun, 9 Mar 2014 21:01:34 +0000 (17:01 -0400)

committer R David Murray <rdmurray@bitdance.com>

Sun, 9 Mar 2014 21:01:34 +0000 (17:01 -0400)
author R David Murray <rdmurray@bitdance.com>
Sun, 9 Mar 2014 21:01:34 +0000 (17:01 -0400)
committer R David Murray <rdmurray@bitdance.com>
Sun, 9 Mar 2014 21:01:34 +0000 (17:01 -0400)
diff --git a/Doc/whatsnew/3.4.rst b/Doc/whatsnew/3.4.rst

index d63d7690e36f2cecfe4d7e83bcdf2fab9bfb8423..dac452549cd7f2e1900f15ab424ce9b89ac15b9a 100644 (file)
--- a/Doc/whatsnew/3.4.rst
+++ b/Doc/whatsnew/3.4.rst
@@ -1305,6 +1305,14 @@ The dictionary returned by :meth:`.SSLSocket.getpeercert` contains additional
  ``X509v3`` extension items: ``crlDistributionPoints``, ``calIssuers``, and
  ``OCSP`` URIs.  (Contributed by Christian Heimes in :issue:`18379`.)
  
+If OpenSSL 0.9.8 or later is available, :class:`~ssl.SSLContext` has an new
+attribute :attr:`~ssl.SSLContext.verify_flags` that can be used to control the
+certificate verification process by setting it to some combination of the new
+constants :data:`~ssl.VERIFY_DEFAULT`, :data:`~ssl.VERIFY_CRL_CHECK_LEAF`,
+:data:`~ssl.VERIFY_CRL_CHECK_CHAIN`, or :data:`~ssl.VERIFY_X509_STRICT`.
+OpenSSL does not do any CRL verification by default.  (Contributed by
+Christien Heimes in :issue:`8813`.)
+
  
  stat
  ----
author	R David Murray <rdmurray@bitdance.com>
	Sun, 9 Mar 2014 21:01:34 +0000 (17:01 -0400)
committer	R David Murray <rdmurray@bitdance.com>
	Sun, 9 Mar 2014 21:01:34 +0000 (17:01 -0400)