Skip to content
Permalink
Browse files

bpo-32257: Add ssl.OP_NO_RENEGOTIATION (GH-5904)

The ssl module now contains OP_NO_RENEGOTIATION constant, available with
OpenSSL 1.1.0h or 1.1.1.

Note, OpenSSL 1.1.0h hasn't been released yet.

Signed-off-by: Christian Heimes <christian@python.org>
  • Loading branch information
tiran authored and ned-deily committed May 15, 2018
1 parent 19177fb commit 67c48016638aac9a15afe6fd6754d53d2bdd6b76
Showing with 15 additions and 0 deletions.
  1. +9 −0 Doc/library/ssl.rst
  2. +2 −0 Misc/NEWS.d/next/Library/2018-02-26-09-08-07.bpo-32257.6ElnUt.rst
  3. +4 −0 Modules/_ssl.c
@@ -803,6 +803,15 @@ Constants
The option is deprecated since OpenSSL 1.1.0. It was added to 2.7.15,
3.6.3 and 3.7.0 for backwards compatibility with OpenSSL 1.0.2.

.. data:: OP_NO_RENEGOTIATION

Disable all renegotiation in TLSv1.2 and earlier. Do not send
HelloRequest messages, and ignore renegotiation requests via ClientHello.

This option is only available with OpenSSL 1.1.0h and later.

.. versionadded:: 3.7

.. data:: OP_CIPHER_SERVER_PREFERENCE

Use the server's cipher ordering preference, rather than the client's.
@@ -0,0 +1,2 @@
The ssl module now contains OP_NO_RENEGOTIATION constant, available with
OpenSSL 1.1.0h or 1.1.1.
@@ -5845,6 +5845,10 @@ PyInit__ssl(void)
PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
#endif
#ifdef SSL_OP_NO_RENEGOTIATION
PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION",
SSL_OP_NO_RENEGOTIATION);
#endif

#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",

0 comments on commit 67c4801

Please sign in to comment.
You can’t perform that action at this time.