bpo-31453: Add setter for min/max protocol version (GH-5259)
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.
Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulate maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and
maximum supported version at compile time.
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enabled hostname verification except was
ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED.
SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.
The only test case for direct instantiation was added a couple of days
ago for IDNA testing.
The ssl module function ssl.wrap_socket() has been de-emphasized
and deprecated in favor of the more secure and efficient
SSLContext.wrap_socket() method.
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.
I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.
bpo-32929: Dataclasses: Change the tri-state hash parameter to the boolean unsafe_hash. (GH-5891) (GH-5902)
unsafe_hash=False is now the default. It is the same behavior as the old hash=None parameter. unsafe_hash=True will try to add __hash__. If it already exists, TypeError is raised.
(cherry picked from commit dbf9cff48a4ad0fd58e1c623ce1f36c3dd3d5f38)
Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
Exhaustively test dataclass hashing when no hash= value is provided. This is in anticipation of changing how non-default hashing is handled. (GH-5834) (GH-5889)
This code never did anything correct or useful. The class attribute will never be affected, and the condition will never be true.
(cherry picked from commit 5fb632e83136399bad9427ee23ec8b771695290a)
[3.7] bpo-30622: Improve NPN support detection (GH-5859) (#5860)
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org> Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a)
Co-authored-by: Christian Heimes <christian@python.org>
* The SSLSocket is no longer implemented on top of SSLObject to
avoid an extra level of indirection.
* Owner and session are now handled in the internal constructor.
* _ssl._SSLSocket now uses the same method names as SSLSocket and
SSLObject.
* Channel binding type check is now handled in C code. Channel binding
is always available.
The patch also changes the signature of SSLObject.__init__(). In my
opinion it's fine. A SSLObject is not a user-constructable object.
SSLContext.wrap_bio() is the only valid factory.
(cherry picked from commit 141c5e8c2437a9fed95a04c81e400ef725592a17)
Co-authored-by: Christian Heimes <christian@python.org>
[3.7] bpo-32819: Simplify and improve ssl.match_hostname (GH-5620) (#5847)
ssl.match_hostname() has been simplified and no longer depends on re and
ipaddress module for wildcard and IP addresses. Error reporting for invalid
wildcards has been improved.
[bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128) (GH-5843)
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.
After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
(cherry picked from commit 11a1493bc4198f1def5e572049485779cf54dc57)
Co-authored-by: Christian Heimes <christian@python.org>
bpo-32923: Unittest doc: replace `whilst` with `while` (GH-5833)
`whilst` and `while` are both english words, `whilst` is not as commonly used.
This can be confusing to readers whose primary language is not english.
(cherry picked from commit 98f42aac23f3863973cb6e9964c5212cfd3a1d98)
bpo-30028: make test.support.temp_cwd() fork-safe (GH-1066)
Make test.support.temp_cwd() fork-safe. The context manager test.support.temp_cwd() no longer removes the temporary directory when executing in a process other than the parent it entered from.
If a forked child exits the context manager it won't do the cleanup.
(cherry picked from commit 33dddac00ba8d9b72cf21b8698504077eb3c23ad)
bpo-32905: IDLE - remove unused code in pyparse module (GH-5807)
dump is similar to print but less flexible. lastopenbracketpos is now always initialized in _study2, as was stmt_bracketing, so the class settings are not needed. get_last_open_bracket_pos is never called.
(cherry picked from commit 451d1edaf4d27c4e632d81246d308e8dd6ea945f)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
bpo-32008: don't use PROTOCOL_TLSv1 in example (GH-5789)
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right
protocol default, so let's not pass anyway.
(cherry picked from commit e9edee0b65650c4f9db90cefc2e9a8125bad762c)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
bpo-32604: Swap threads only if the interpreter is different. (gh-5783)
The CPython runtime assumes that there is a one-to-one relationship (for a given interpreter) between PyThreadState and OS threads. Sending and receiving on a channel in the same interpreter was causing crashes because of this (specifically due to a check in PyThreadState_Swap()). The solution is to not switch threads if the interpreter is the same.
(cherry picked from commit f53d9f2778a87bdd48eb9030f782a4ebf9e7622f)
Co-authored-by: Eric Snow <ericsnowcurrently@gmail.com>
closes bpo-32859: Don't retry dup3() if it is not available at runtime (GH-5708)
os.dup2() tests for dup3() system call availability at runtime,
but doesn't remember the result across calls, repeating
the test on each call with inheritable=False.
Since the caller of os.dup2() is expected to hold the GIL,
fix this by making the variable holding the test result static.
(cherry picked from commit b3caf388a0418f6c031e4dbdcc0c1ce7e5cc36bd)
bpo-32869: Fix incorrect dst buffer size for MultiByteToWideChar (GH-5739)
This function expects the destination buffer size to be given
in wide characters, not bytes.
(cherry picked from commit b3b4a9d3001f1fc7df8efcccdce081de54fa5eab)
bpo-30638: Add clinic to `make regen-all` (GH-5671)
Also, use PYTHON_FOR_REGEN for clinic and blake2s_impl.c rather than PYTHON_FOR_BUILD, and update .travis.yml to make use of the change.
(cherry picked from commit d6ff8a7037903497eff95fa32bdac2b6adf71505)
Co-authored-by: Zachary Ware <zachary.ware@gmail.com>
DOC: fix documentation for copyright and credits (GH-5706)
Adapt documentation for `copyright` and `credits` to reality. Previously, the documentation implied that all each of `copyright`,
`credits`, and `license`, would print a message to call the object in order to see the full text. In reality, only `license` exhibits this
behaviour, and `copyright` and `credit` print their full text either when printed, displayed, or called.
(cherry picked from commit 243d6d71265be1996a8326002deae429106a5fba)
Co-authored-by: Gerrit Holl <gerrit.holl@gmail.com>
bpo-32837: IDLE - require encoding argument for textview.view_file. (GH-5646)
Using the system and place-dependent default encoding for open()
is a bad idea for IDLE's system and location-independent files.
(cherry picked from commit 688722cedd6437910ff185ecf94fb3b749ad37f2)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
The PrintNameOffset field of the reparse data buffer
was treated as a number of characters instead of bytes.
(cherry picked from commit 3c34aad4e7a95913ec7db8e5e948a8fc69047bf7)
bpo-32826: Add "encoding=utf-8" to open() in idle_test/test_help_about. (GH-5639)
GUI test test_file_buttons() only looks at initial ascii-only lines,
but failed on systems where open() defaults to 'ascii' because
readline() internally reads and decodes far enough ahead to encounter
a non-ascii character in CREDITS.txt.
(cherry picked from commit f34e03ec0ea6a4cef8d966087c77e616c4a5893b)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
bpo-32815: Improve docs on the subprocess API *text* parameter (GH-5622) (GH-5631)
Describe *text* as an alias for *universal_newlines* in more places that people are likely to be referred to.
(cherry picked from commit e14c01037877768a3fe766e50d14993bd5d8a67e)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
bpo-32604: Make _xxsubinterpreters build on Windows (GH-5624)
This is not the ideal solution; this means that a test module is now
always included in the main python3x.dll. However, we're already
including xxsubtype, so why not?
(cherry picked from commit 310b05289b5d9550040f469e60b5e8e77f1022b6)
Co-authored-by: Zachary Ware <zachary.ware@gmail.com>
bpo-32775: Fix regular expression warnings in fnmatch. (GH-5583) (GH-5596)
fnmatch.translate() no longer produces patterns which contain set
operations.
Sets starting with '[' or containing '--', '&&', '~~' or '||' will
be interpreted differently in regular expressions in future versions.
Currently they emit warnings. fnmatch.translate() now avoids producing
patterns containing such sets by accident.
(cherry picked from commit 23cdbfa744f0ec0e9e7575d378df4cb758691cd3)
projects / python / log