From 66646e2ea40a2b4675b85a33f36a7748577a648a Mon Sep 17 00:00:00 2001 From: R David Murray Date: Thu, 13 Mar 2014 14:36:09 -0400 Subject: [PATCH] whatsnew: remove 'draft' note, tidy up summary, collect SSLContext stuff. Since Victor linked to it in a block, it seems to make sense to have all the SSLContext changes next to each other. I also sorted all the SSL security enhancements next to each other in the security enhancements summary. --- Doc/whatsnew/3.4.rst | 70 +++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 37 deletions(-) diff --git a/Doc/whatsnew/3.4.rst b/Doc/whatsnew/3.4.rst index 0630e7000d..f70679141d 100644 --- a/Doc/whatsnew/3.4.rst +++ b/Doc/whatsnew/3.4.rst @@ -67,11 +67,6 @@ This article explains the new features in Python 3.4, compared to 3.3. For full details, see the `changelog `_. -.. note:: Prerelease users should be aware that this document is currently in - draft form. While it should be close to complete for the Python 3.4 - release candidates, adjustments and additions to the document may be made - up until the final release. - .. seealso:: @@ -92,9 +87,9 @@ New syntax features: New expected features for Python implementations: * :ref:`pip should always be "available" ` (:pep:`453`). -* :ref:`Make newly created file descriptors non-inheritable ` +* :ref:`Newly created file descriptors are non-inheritable ` (:pep:`446`). -* command line option for :ref:`isolated mode `, +* command line option for :ref:`isolated mode ` (:issue:`16499`). * :ref:`improvements in the handling of codecs ` that are not text encodings (multiple issues). 
@@ -145,10 +140,11 @@ Security improvements: (:pep:`446`) to avoid leaking file descriptors to child processes. * New command line option for :ref:`isolated mode `, (:issue:`16499`). -* All modules of the standard library now support server certificate - verification including hostname matching (:func:`ssl.match_hostname`) and CRL - (Certificate Revocation list, see - :func:`ssl.SSLContext.load_verify_locations`). +* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork + on Unix `. *spawn* and *forkserver* are + more secure because they avoid sharing data with child processes. +* :mod:`multiprocessing` child processes on Windows no longer inherit + all of the parent's inheritable handles, only the necessary ones. * A new :func:`hashlib.pbkdf2_hmac` function provides the `PKCS#5 password-based key derivation function 2 `_. 
@@ -157,18 +153,18 @@ Security improvements: ` for :mod:`ssl`. * :ref:`Server-side SNI (Server Name Indication) support ` for :mod:`ssl`. -* The :class:`ssl.SSLContext` class got a :ref:`lot of improvements +* The :class:`ssl.SSLContext` class has a :ref:`lot of improvements `. -* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork - on Unix `: *spawn* and *forkserver* avoid - sharing data with child processes; child processes no longer inherit all of - the parents inheritable handles on Windows. +* All modules in the standard library that support SSL now support server + certificate verification, including hostname matching + (:func:`ssl.match_hostname`) and CRLs (Certificate Revocation lists, see + :func:`ssl.SSLContext.load_verify_locations`). CPython implementation improvements: * :ref:`Safe object finalization ` (:pep:`442`). -* Leveraging :pep:`442`, :ref:`module globals are no longer set to None - during finalization `, in most cases (:issue:`18214`). +* Leveraging :pep:`442`, in most cases :ref:`module globals are no longer set + to None during finalization ` (:issue:`18214`). * :ref:`Configurable memory allocators ` (:pep:`445`). * :ref:`Argument Clinic ` (:pep:`436`). @@ -251,8 +247,8 @@ and :ref:`distutils-index`. .. _whatsnew-pep-446: -PEP 446: Make Newly Created File Descriptors Non-Inheritable ------------------------------------------------------------- +PEP 446: Newly Created File Descriptors Are Non-Inheritable +----------------------------------------------------------- :pep:`446` makes newly created file descriptors :ref:`non-inheritable `. New functions and methods: 
@@ -1432,23 +1428,6 @@ s), as well as a :meth:`~ssl.SSLContext.get_ca_certs` method that returns a list of the loaded ``CA`` certificates. (Contributed by Christian Heimes in and :issue:`18147`.) -.. _whatsnew34-win-cert-store: - -Two new windows-only functions, :func:`~ssl.enum_certificates` and -:func:`~ssl.enum_crls` provide the ability to retrieve certificates, -certificate information, and CRLs from the Windows cert store. (Contributed -by Christian Heimes in :issue:`17134`.) - -.. _whatsnew34-sni: - -Support for server-side SNI (Server Name Indication) using the new -:meth:`ssl.SSLContext.set_servername_callback` method. -(Contributed by Daniel Black in :issue:`8109`.) - -The dictionary returned by :meth:`.SSLSocket.getpeercert` contains additional -``X509v3`` extension items: ``crlDistributionPoints``, ``calIssuers``, and -``OCSP`` URIs. (Contributed by Christian Heimes in :issue:`18379`.) - If OpenSSL 0.9.8 or later is available, :class:`~ssl.SSLContext` has an new attribute :attr:`~ssl.SSLContext.verify_flags` that can be used to control the certificate verification process by setting it to some combination of the new 
@@ -1474,6 +1453,23 @@ constructor, and may be adjusted in the future, without prior deprecation, if best-practice security requirements change. (Contributed by Christian Heimes in :issue:`19689`.) +.. _whatsnew34-win-cert-store: + +Two new windows-only functions, :func:`~ssl.enum_certificates` and +:func:`~ssl.enum_crls` provide the ability to retrieve certificates, +certificate information, and CRLs from the Windows cert store. (Contributed +by Christian Heimes in :issue:`17134`.) + +.. _whatsnew34-sni: + +Support for server-side SNI (Server Name Indication) using the new +:meth:`ssl.SSLContext.set_servername_callback` method. +(Contributed by Daniel Black in :issue:`8109`.) + +The dictionary returned by :meth:`.SSLSocket.getpeercert` contains additional +``X509v3`` extension items: ``crlDistributionPoints``, ``calIssuers``, and +``OCSP`` URIs. (Contributed by Christian Heimes in :issue:`18379`.) + stat ---- -- 2.40.0
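Review bot: In the hunk at @@ -145,10 +140,11 @@, the unchanged isolated mode entry in the "Security improvements" list still has the comma between the :ref: link and "(:issue:`16499`)". The @@ -92,9 +87,9 @@ hunk removes that same comma from the matching entry under "New expected features", so drop it here as well to make the two entries agree. In the same hunk, the added sentence calls *spawn* and *forkserver* "more secure" without naming the baseline; saying "more secure than fork" would tie the claim to the os.fork option the bullet has just introduced.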
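Review bot: In the hunk at @@ -157,18 +153,18 @@, the rewritten certificate verification bullet expands CRLs as "Certificate Revocation lists" with a lowercase "lists". Since the line is being rewritten anyway, capitalise it as "Certificate Revocation Lists" to match the acronym. The neighbouring SSLContext bullet also reads awkwardly after the change from "got" to "has": the link text starts at "lot of improvements", so the rendered sentence is "has a lot of improvements" with only part of the phrase linked. Consider moving the article inside the link or rewording to "has many improvements".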
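Review bot: In the hunk at @@ -1432,23 +1428,6 @@, the trailing context line that now directly follows the get_ca_certs paragraph reads "has an new attribute"; this should be "has a new attribute". It is outside the moved text, but the commit is a tidy-up of this section, so it is worth fixing in the same pass.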
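Review bot: In the hunk at @@ -1474,6 +1453,23 @@, the paragraph about :meth:`.SSLSocket.getpeercert` is re-added verbatim with the extension item spelled ``calIssuers``; the key in the returned dictionary is ``caIssuers``, so the moved text carries a typo that readers may copy into lookups. Please correct it while the lines are being touched, and capitalise "windows-only" as "Windows-only" in the enum_certificates paragraph of the same hunk.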