Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / 0a6373c1a928e80c8c3fa9b88d925b3dccc5afc4^! / . / Doc
commit0a6373c1a928e80c8c3fa9b88d925b3dccc5afc4[log] [tgz]
authorAntoine Pitrou <solipsis@pitrou.net>Sat Apr 17 17:10:38 2010 +0000
committerAntoine Pitrou <solipsis@pitrou.net>Sat Apr 17 17:10:38 2010 +0000
treea943cdb41cc6eaf54fc12b0dc225b086e4111bc5
parent7794b5b52f8c5c4bf465a44a53025e9b6fa49592 [diff]
Issue #8322: Add a *ciphers* argument to SSL sockets, so as to change the
available cipher list.  Helps fix test_ssl with OpenSSL 1.0.0.

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 5d8ca3c..0d19fb9 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst

@@ -50,7 +50,7 @@
    is a subtype of :exc:`socket.error`, which in turn is a subtype of
    :exc:`IOError`.
 
-.. function:: wrap_socket (sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version={see docs}, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True)
+.. function:: wrap_socket (sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version={see docs}, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None)
 
    Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance
    of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps
@@ -113,14 +113,23 @@
        ========================  =========  =========  ==========  =========
         *client* / **server**    **SSLv2**  **SSLv3**  **SSLv23**  **TLSv1**
        ------------------------  ---------  ---------  ----------  ---------
-        *SSLv2*                    yes        no         yes*        no
+        *SSLv2*                    yes        no         yes         no
         *SSLv3*                    yes        yes        yes         no
         *SSLv23*                   yes        no         yes         no
         *TLSv1*                    no         no         yes         yes
        ========================  =========  =========  ==========  =========
 
-   In some older versions of OpenSSL (for instance, 0.9.7l on OS X 10.4), an
-   SSLv2 client could not connect to an SSLv23 server.
+   .. note::
+
+      This information varies depending on the version of OpenSSL.
+      For instance, in some older versions of OpenSSL (such as 0.9.7l on
+      OS X 10.4), an SSLv2 client could not connect to an SSLv23 server.
+      Conversely, starting from 1.0.0, an SSLv23 client will actually
+      try the SSLv3 protocol unless you explicitly enable SSLv2 ciphers.
+
+   The parameter ``ciphers`` sets the available ciphers for this SSL object.
+   It should be a string in the `OpenSSL cipher list format
+   <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
 
    The parameter ``do_handshake_on_connect`` specifies whether to do the SSL
    handshake automatically after doing a :meth:`socket.connect`, or whether the
@@ -135,6 +144,9 @@
    normal EOF in response to unexpected EOF errors raised from the underlying
    socket; if :const:`False`, it will raise the exceptions back to the caller.
 
+   .. versionchanged:: 2.7
+      New optional argument *ciphers*.
+
 .. function:: RAND_status()
 
    Returns True if the SSL pseudo-random number generator has been seeded with