
Commit 990fcaa

expose X509_V_FLAG_TRUSTED_FIRST
1 parent fdb1971 commit 990fcaa

3 files changed

+18
-5
lines changed

Doc/library/ssl.rst

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -499,9 +499,9 @@ Constants
499499

500500
.. data:: VERIFY_DEFAULT
501501

502-
Possible value for :attr:`SSLContext.verify_flags`. In this mode,
503-
certificate revocation lists (CRLs) are not checked. By default OpenSSL
504-
does neither require nor verify CRLs.
502+
Possible value for :attr:`SSLContext.verify_flags`. In this mode, certificate
503+
revocation lists (CRLs) are not checked. By default OpenSSL does neither
504+
require nor verify CRLs.
505505

506506
.. versionadded:: 3.4
507507

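Review bot: since lines 502-504 are only being rewrapped, this is the moment to also fix the grammar of the last sentence: "By default OpenSSL does neither require nor verify CRLs" should read "By default OpenSSL neither requires nor verifies CRLs". Apart from that the hunk is whitespace-only and fine.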
@@ -529,6 +529,14 @@ Constants
529529

530530
.. versionadded:: 3.4
531531

532+
.. data:: VERIFY_X509_TRUSTED_FIRST
533+
534+
Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
535+
prefer trusted certificates when building the trust chain to validate a
536+
certificate. This flag is enabled by default.
537+
538+
.. versionadded:: 3.4.5
539+
532540
.. data:: PROTOCOL_SSLv23
533541

534542
Selects the highest protocol version that both the client and server support.
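Review bot: the new VERIFY_X509_TRUSTED_FIRST entry at lines 532-538 says the flag "is enabled by default" without saying who enables it or when the constant exists. The Modules/_ssl.c change in this commit only defines the constant under `#ifdef X509_V_FLAG_TRUSTED_FIRST`, and the test falls back to 0 when the attribute is missing, so the text should state that the constant is only available when the underlying OpenSSL defines X509_V_FLAG_TRUSTED_FIRST, and that it is Python's SSLContext, not OpenSSL, that turns it on by default. A sentence spelling out what "prefer trusted certificates when building the trust chain" means for chain building (whether certificates from the trust store are consulted before the ones the peer supplied) would also help readers decide whether to keep the flag when they assign their own verify_flags.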

Lib/test/test_ssl.py

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -710,8 +710,9 @@ def test_verify_mode(self):
710710
"verify_flags need OpenSSL > 0.9.8")
711711
def test_verify_flags(self):
712712
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
713-
# default value by OpenSSL
714-
self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
713+
# default value
714+
tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
715+
self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
715716
ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
716717
self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
717718
ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
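Review bot: the getattr fallback at line 714 means the default-value assertion also passes when the constant is missing for the wrong reason (for example the `#ifdef` in _ssl.c not firing on an OpenSSL that does define the flag), so a silent regression of the default would go unnoticed; consider a separate check that `ssl.VERIFY_X509_TRUSTED_FIRST` exists whenever the OpenSSL in use provides the flag, in the same way the existing skip condition "verify_flags need OpenSSL > 0.9.8" gates the whole test. Also note that lines 716-717 assert that assigning VERIFY_CRL_CHECK_LEAF leaves verify_flags equal to exactly that value, i.e. assignment replaces the trusted-first default rather than adding to it. If that is the intended behaviour, the ssl.rst text should tell users who enable CRL checking to write `ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF` so they do not drop the default.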

Modules/_ssl.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4004,6 +4004,10 @@ PyInit__ssl(void)
40044004
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
40054005
PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
40064006
X509_V_FLAG_X509_STRICT);
4007+
#ifdef X509_V_FLAG_TRUSTED_FIRST
4008+
PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
4009+
X509_V_FLAG_TRUSTED_FIRST);
4010+
#endif
40074011

40084012
/* Alert Descriptions from ssl.h */
40094013
/* note RESERVED constants no longer intended for use have been removed */
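Review bot: the `#ifdef X509_V_FLAG_TRUSTED_FIRST` guard at lines 4007-4010 is the right way to keep the module building against an OpenSSL that lacks the flag, and it matches the getattr fallback in the test. However, these four lines only export the constant; nothing in this commit's _ssl.c change (4 additions, 0 deletions) ORs X509_V_FLAG_TRUSTED_FIRST into a new SSLContext's verify parameters, yet the docs and the test both state that it is on by default. Either that default is already set in the parent commit fdb1971, in which case the commit message should say so, or the updated test_verify_flags will fail on an OpenSSL that defines the flag.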
