bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25… · python/cpython@d8389e3 · GitHub
bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817)
Signed-off-by: Christian Heimes <christian@python.org>
1 parent 60ce8f0 commit d8389e3

2 files changed

+63
-0
lines changed
Doc/library/ssl.rst

Lines changed: 8 additions & 0 deletions
@@ -1358,6 +1358,10 @@ SSL sockets also have the following additional methods and attributes:
13581358

13591359
.. versionadded:: 3.3
13601360

1361+
.. deprecated:: 3.10
1362+
1363+
NPN has been superseded by ALPN
1364+
13611365
.. method:: SSLSocket.unwrap()
13621366

13631367
Performs the SSL shutdown handshake, which removes the TLS layer from the
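
Review bot: The added deprecation text "NPN has been superseded by ALPN" names the replacement protocol but not the replacement call, so a reader landing on this SSLSocket entry has nowhere to go next. Suggest cross-referencing the ALPN counterpart, for example :meth:`SSLSocket.selected_alpn_protocol`, inside the directive body. The sentence is also missing its final period.
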
@@ -1714,6 +1718,10 @@ to speed up repeated connections from the same clients.
17141718

17151719
.. versionadded:: 3.3
17161720

1721+
.. deprecated:: 3.10
1722+
1723+
NPN has been superseded by ALPN
1724+
17171725
.. attribute:: SS 10000 LContext.sni_callback
17181726

17191727
Register a callback function that will be called after the TLS Client Hello
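
Review bot: The deprecation body added just above ``SSLContext.sni_callback`` is a verbatim copy of the SSLSocket one and gives no pointer to the context-level replacement. Since this entry sits in the SSLContext section, link :meth:`SSLContext.set_alpn_protocols` here so the two notes each point at the right API, and close the sentence with a period.
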

Doc/whatsnew/3.10.rst

Lines changed: 55 additions & 0 deletions
@@ -974,6 +974,26 @@ Added the *root_dir* and *dir_fd* parameters in :func:`~glob.glob` and
974974
:func:`~glob.iglob` which allow to specify the root directory for searching.
975975
(Contributed by Serhiy Storchaka in :issue:`38144`.)
976976
977+
hashlib
978+
-------
979+
980+
The hashlib module requires OpenSSL 1.1.1 or newer.
981+
(Contributed by Christian Heimes in :pep:`644` and :issue:`43669`.)
982+
983+
The hashlib module has preliminary support for OpenSSL 3.0.0.
984+
(Contributed by Christian Heimes in :issue:`38820` and other issues.)
985+
986+
The pure-Python fallback of :func:`~hashlib.pbkdf2_hmac` is deprecated. In
987+
the future PBKDF2-HMAC will only be available when Python has been built with
988+
OpenSSL support.
989+
(Contributed by Christian Heimes in :issue:`43880`.)
990+
991+
hmac
992+
----
993+
994+
The hmac module now uses OpenSSL's HMAC implementation internally.
995+
(Contributed by Christian Heimes in :issue:`40645`.)
996+
977997
importlib.metadata
978998
------------------
979999
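
Review bot: "The hashlib module requires OpenSSL 1.1.1 or newer." reads as an unconditional requirement, yet the pbkdf2_hmac paragraph a few lines below says PBKDF2-HMAC "will only be available when Python has been built with OpenSSL support", which implies builds without OpenSSL still exist. Suggest qualifying the first sentence (for example "When built against OpenSSL, hashlib requires 1.1.1 or newer") so the two entries do not contradict each other. The pbkdf2_hmac entry would also benefit from saying whether the pure-Python fallback emits a warning today, since "In the future" gives users no signal about when to act. The hmac entry states an internal change only; one clause on any user-visible effect (or that there is none) would help.
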
@@ -1109,16 +1129,51 @@ Added option to create MPTCP sockets with ``IPPROTO_MPTCP``
11091129
ssl
11101130
---
11111131
1132+
The ssl module requires OpenSSL 1.1.1 or newer.
1133+
(Contributed by Christian Heimes in :pep:`644` and :issue:`43669`.)
1134+
1135+
The ssl module has preliminary support for OpenSSL 3.0.0 and new option
1136+
:data:`~ssl.OP_IGNORE 10000 _UNEXPECTED_EOF`.
1137+
(Contributed by Christian Heimes in :issue:`38820`, :issue:`43794`,
1138+
:issue:`43788`, :issue:`43791`, :issue:`43799`, :issue:`43920`,
1139+
:issue:`43789`, and :issue:`43811`.)
1140+
1141+
Deprecated function and use of deprecated constants now result in
1142+
a :exc:`DeprecationWarning`. The following features have been deprecated
1143+
since Python 3.6, Python 3.7, or OpenSSL 1.1.0:
1144+
:data:`~ssl.OP_NO_SSLv2`, :data:`~ssl.OP_NO_SSLv3`, :data:`~ssl.OP_NO_TLSv1`,
1145+
:data:`~ssl.OP_NO_TLSv1_1`, :data:`~ssl.OP_NO_TLSv1_2`,
1146+
:data:`~ssl.OP_NO_TLSv1_3`, :data:`~ssl.PROTOCOL_SSLv2`,
1147+
:data:`~ssl.PROTOCOL_SSLv3`, :data:`~ssl.PROTOCOL_SSLv23`,
1148+
:data:`~ssl.PROTOCOL_TLSv1`, :data:`~ssl.PROTOCOL_TLSv1_1`,
1149+
:data:`~ssl.PROTOCOL_TLSv1_2`, :data:`~ssl.PROTOCOL_TLS`,
1150+
:func:`~ssl.wrap_socket`, :func:`~ssl.match_hostname`,
1151+
:func:`~ssl.RAND_pseudo_bytes`, :func:`~ssl.RAND_egd`,
1152+
:meth:`ssl.SSLSocket.selected_npn_protocol`,
1153+
:meth:`ssl.SSLContext.set_npn_protocols`.
1154+
(Contributed by Christian Heimes in :issue:`43880`.)
1155+
11121156
The ssl module now has more secure default settings. Ciphers without forward
11131157
secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
11141158
weak RSA, DH, and ECC keys with less than 112 bits of security.
11151159
:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
11161160
Settings are based on Hynek Schlawack's research.
11171161
(Contributed by Christian Heimes in :issue:`43998`.)
11181162
1163+
The deprecated protocols SSL 3.0, TLS 1.0, and TLS 1.1 are no longer
1164+
officially supported. Python does not block them actively. However
1165+
OpenSSL build options, distro configurations, vendor patches, and cipher
1166+
suites may prevent a successful handshake.
1167+
11191168
Add a *timeout* parameter to the :func:`ssl.get_server_certificate` function.
11201169
(Contributed by Zackery Spytz in :issue:`31870`.)
11211170
1171+
The ssl module uses heap-types and multi-phase initialization.
1172+
(Contributed by Christian Heimes in :issue:`42333`.)
1173+
1174+
A new verify flag :data:`~ssl.VERIFY_X509_PARTIAL_CHAIN` has been added.
1175+
(Contributed by l0x in :issue:`40849`.)
1176+
11221177
sqlite3
11231178
-------
11241179
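
Review bot: The deprecation paragraph lists some twenty names that now raise :exc:`DeprecationWarning` but gives no migration path for any of them, which matters most for the ``OP_NO_*`` flags, ``PROTOCOL_TLS`` and :func:`~ssl.wrap_socket` because they appear in a lot of existing TLS setup code. Suggest adding a sentence naming the replacements: :attr:`SSLContext.minimum_version` / :attr:`SSLContext.maximum_version` for the ``OP_NO_*`` options, ``PROTOCOL_TLS_CLIENT`` / ``PROTOCOL_TLS_SERVER`` for the protocol constants, :meth:`SSLContext.wrap_socket` for the module-level function, and ALPN for the two NPN methods. Wording nit in the same paragraph: "Deprecated function and use of deprecated constants" should be "Deprecated functions". Two smaller gaps: ``OP_IGNORE_UNEXPECTED_EOF`` is introduced without saying what it does, and the paragraph on SSL 3.0, TLS 1.0 and TLS 1.1 is the only added entry without a "Contributed by" or issue reference.
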
