Thanks to visit codestin.com
Credit goes to github.com

Skip to content

gh-136306: Add support for SSL groups #136307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
picnixz merged 16 commits into from
Jul 28, 2025
Merged

gh-136306: Add support for SSL groups #136307

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
662d66e
gh-136306: Initial cut at SSL groups support
ronf Jul 4, 2025
9acb2c3
Fix regen and lint issues
ronf Jul 4, 2025
03072c4
πŸ“œπŸ€– Added by blurb_it.
blurb-it[bot] Jul 4, 2025
187ff2e
gh-136306: Address first round of comments
ronf Jul 5, 2025
452bdec
gh-136306: Add back indentation of example
ronf Jul 5, 2025
9b4066b
gh-136306: Handle another allocation failure in get_groups()
ronf Jul 5, 2025
a6ad433
gh-136306: Address additional review comments
ronf Jul 5, 2025
aecc96b
gh-136306: Fix method references in whatsnew entry.
ronf Jul 5, 2025
05c75a5
gh-136306: Add missing documentation for SSLSocket.group()
ronf Jul 5, 2025
304c223
gh-136306: Address additional review comments
ronf Jul 6, 2025
b516200
gh-136306: Minor doc updates
ronf Jul 7, 2025
e0fdd25
gh-136306: Missed one
ronf Jul 7, 2025
35a3ae0
gh-136306: Address additional review comments
ronf Jul 12, 2025
e0baf56
Add checks that cipher() and group() return None on handshake failure
ronf Jul 12, 2025
c5a1146
Merge branch 'main' into ssl-group-support
ronf Jul 19, 2025
5e626a6
gh-136306: Regenerate clinic signature to fix missing end fo line
ronf Jul 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
gh-136306: Address first round of comments
  • Loading branch information
@ronf
ronf committed Jul 5, 2025
commit 187ff2e1acaa02c8d595fc9ad0ecb645cb26e203
22 changes: 8 additions & 14 deletions Doc/library/ssl.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1645,17 +1645,15 @@

Get a list of groups implemented for key agreement, taking into account
the SSLContext's current TLS ``minimum_version`` and ``maximum_version``
Comment thread
picnixz marked this conversation as resolved.
Outdated
values.
values. For example::

Example::

>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version=ssl.TLSVersion.TLSv1_3
>>> ctx.maximum_version=ssl.TLSVersion.TLSv1_3
>>> ctx.get_groups()
['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448', 'brainpoolP256r1tls13', 'brainpoolP384r1tls13', 'brainpoolP512r1tls13', 'ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192', 'MLKEM512', 'MLKEM768', 'MLKEM1024', 'SecP256r1MLKEM768', 'X25519MLKEM768', 'SecP384r1MLKEM1024'
>>> ctx = ssl.create_default_context()
Comment thread
picnixz marked this conversation as resolved.
Outdated
>>> ctx.minimum_version=ssl.TLSVersion.TLSv1_3
>>> ctx.maximum_version=ssl.TLSVersion.TLSv1_3
>>> ctx.get_groups()
['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448', 'brainpoolP256r1tls13', 'brainpoolP384r1tls13', 'brainpoolP512r1tls13', 'ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192', 'MLKEM512', 'MLKEM768', 'MLKEM1024', 'SecP256r1MLKEM768', 'X25519MLKEM768', 'SecP384r1MLKEM1024']

.. versionadded:: 3.15
.. versionadded:: next

.. method:: SSLContext.set_default_verify_paths()

Expand Down Expand Up @@ -1689,7 +1687,7 @@
<https://docs.openssl.org/master/man3/SSL_CTX_set1_groups_list/>`_.
Comment thread
gpshead marked this conversation as resolved.

.. note::
when connected, the :meth:`SSLSocket.group` method of SSL sockets will
When connected, the :meth:`SSLSocket.group` method of SSL sockets will

Check warning on line 1690 in Doc/library/ssl.rst

View workflow job for this annotation

GitHub Actions / Docs / Docs 

py:meth reference target not found: SSLSocket.group [ref.meth]
Comment thread
picnixz marked this conversation as resolved.
return the group used for key agreement on that connection.

.. versionadded:: 3.15
Comment thread
picnixz marked this conversation as resolved.
Outdated
Comment thread
picnixz marked this conversation as resolved.
Outdated
Expand Down Expand Up @@ -1817,10 +1815,6 @@

.. versionadded:: 3.3

.. deprecated:: 3.15

This method has been replaced by :math:`set_groups`.

.. seealso::
`SSL/TLS & Perfect Forward Secrecy <https://vincent.bernat.ch/en/blog/2011-ssl-perfect-forward-secrecy>`_
Vincent Bernat.
Expand Down
8 changes: 6 additions & 2 deletions Modules/_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2154,11 +2154,15 @@ _ssl__SSLSocket_group_impl(PySSLSocket *self)
#if OPENSSL_VERSION_NUMBER >= 0x30200000L
const char *group_name;

if (self->ssl == NULL)
if (self->ssl == NULL) {
Py_RETURN_NONE;
}

group_name = SSL_get0_group_name(self->ssl);
if (group_name == NULL)
if (group_name == NULL) {
Py_RETURN_NONE;
}
Comment thread
picnixz marked this conversation as resolved.

return PyUnicode_DecodeFSDefault(group_name);
#else
PyErr_SetString(PyExc_NotImplementedError,
Expand Down
Loading