
Commit de8eca4

committed
merge 3.4
2 parents b64ae7b + 990fcaa commit de8eca4

3 files changed

Lines changed: 18 additions & 5 deletions


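--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -520,9 +520,9 @@ Constants
 
 .. data:: VERIFY_DEFAULT
 
-Possible value for :attr:`SSLContext.verify_flags`. In this mode,
-certificate revocation lists (CRLs) are not checked. By default OpenSSL
-does neither require nor verify CRLs.
+Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
+revocation lists (CRLs) are not checked. By default OpenSSL does neither
+require nor verify CRLs.
 
 .. versionadded:: 3.4
 
@@ -550,6 +550,14 @@ Constants
 
 .. versionadded:: 3.4
 
+.. data:: VERIFY_X509_TRUSTED_FIRST
+
+Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+prefer trusted certificates when building the trust chain to validate a
+certificate. This flag is enabled by default.
+
+.. versionadded:: 3.4.5
+
 .. data:: PROTOCOL_SSLv23
 
 Selects the highest protocol version that both the client and server support.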

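--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -818,8 +818,9 @@ def test_verify_mode(self):
 "verify_flags need OpenSSL > 0.9.8")
 def test_verify_flags(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-# default value by OpenSSL
-self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
+# default value
+tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN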
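Review bot: The unchanged assertions right after the new default check assign `ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF` and then expect exactly that value, so a plain assignment replaces the whole flag set and drops VERIFY_X509_TRUSTED_FIRST where it was on by default; the test neither says so nor covers the combining form. I would expand the comment to `# default value: VERIFY_DEFAULT plus VERIFY_X509_TRUSTED_FIRST when the ssl module exposes it; assignment below replaces it` and add a case that uses `ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF` followed by `self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF | tf)`. The local `tf` would also read better as `trusted_first`. test_verify_flags continues past the end of the hunk.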

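--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4458,6 +4458,10 @@ PyInit__ssl(void)
 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
 X509_V_FLAG_X509_STRICT);
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
+X509_V_FLAG_TRUSTED_FIRST);
+#endif
 
 /* Alert Descriptions from ssl.h */
 /* note RESERVED constants no longer intended for use have been removed */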
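Review bot: The `#ifdef X509_V_FLAG_TRUSTED_FIRST` guard means `ssl.VERIFY_X509_TRUSTED_FIRST` does not exist on builds whose OpenSSL headers lack the macro, but neither this block nor the ssl.rst entry added in the same commit (which states the flag is enabled by default) mentions that. A comment above the guard such as `/* Only exposed when the OpenSSL headers define X509_V_FLAG_TRUSTED_FIRST; Python callers should use getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0). */` would make the contract explicit, and the docs entry should carry the same availability caveat. This hunk only registers the constant; the code that turns the flag on for new contexts is not visible here, so the documented default cannot be confirmed from this page. PyInit__ssl starts and ends outside the hunk.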
