OLD | NEW |
(Empty) | |
| 1 |
| 2 tlslite version 0.4.6 Mar 20 2013 |
| 3 Trevor Perrin <tlslite at trevp.net> |
| 4 http://trevp.net/tlslite/ |
| 5 ============================================================================ |
| 6 |
| 7 |
| 8 Table of Contents |
| 9 ================== |
| 10 1 Introduction |
| 11 2 License/Acknowledgements |
| 12 3 Installation |
| 13 4 Getting Started with the Command-Line Tools |
| 14 5 Getting Started with the Library |
| 15 6 Using TLS Lite with httplib |
| 16 7 Using TLS Lite with poplib or imaplib |
| 17 8 Using TLS Lite with smtplib |
| 18 9 Using TLS Lite with SocketServer |
| 19 10 Using TLS Lite with asyncore |
| 20 11 SECURITY CONSIDERATIONS |
| 21 12 History |
| 22 |
| 23 |
| 24 1 Introduction |
| 25 =============== |
| 26 TLS Lite is an open source python library that implements SSL and TLS. TLS |
| 27 Lite supports RSA and SRP ciphersuites. TLS Lite is pure python, however it |
| 28 can use other libraries for faster crypto operations. TLS Lite integrates with |
| 29 several stdlib neworking libraries. |
| 30 |
| 31 API documentation is available in the 'docs' directory. |
| 32 |
| 33 If you have questions or feedback, feel free to contact me. For discussing |
| 34 improvements to tlslite, also see 'tlslite-dev@googlegroups.com'. |
| 35 |
| 36 |
| 37 2 Licenses/Acknowledgements |
| 38 ============================ |
| 39 TLS Lite is written (mostly) by Trevor Perrin. It includes code from Bram |
| 40 Cohen, Google, Kees Bos, Sam Rushing, Dimitris Moraitis, Marcelo Fernandez, |
| 41 Martin von Loewis, and Dave Baggett. |
| 42 |
| 43 All code in TLS Lite has either been dedicated to the public domain by its |
| 44 authors, or placed under a BSD-style license. See the LICENSE file for |
| 45 details. |
| 46 |
| 47 Thanks to Edward Loper for Epydoc, which generated the API docs. |
| 48 |
| 49 |
| 50 3 Installation |
| 51 =============== |
| 52 Requirements: |
| 53 Python 2.6 or higher is required. Python 3 is supported. |
| 54 |
| 55 Options: |
| 56 - If you have the M2Crypto interface to OpenSSL, this will be used for fast |
| 57 RSA operations and fast ciphers. |
| 58 |
| 59 - If you have pycrypto this will be used for fast RSA operations and fast |
| 60 ciphers. |
| 61 |
| 62 - If you have the GMPY interface to GMP, this will be used for fast RSA and |
| 63 SRP operations. |
| 64 |
| 65 - These modules don't need to be present at installation - you can install |
| 66 them any time. |
| 67 |
| 68 Run 'python setup.py install' |
| 69 |
| 70 Test the Installation: |
| 71 - From the distribution's ./tests subdirectory, run: |
| 72 ./tlstest.py server localhost:4443 . |
| 73 - While the test server is waiting, run: |
| 74 ./tlstest.py client localhost:4443 . |
| 75 |
| 76 If both say "Test succeeded" at the end, you're ready to go. |
| 77 |
| 78 |
| 79 4 Getting Started with the Command-Line Tools |
| 80 ============================================== |
| 81 tlslite installs two command-line scripts: 'tlsdb.py' and 'tls.py'. |
| 82 |
| 83 'tls.py' lets you run test clients and servers. It can be used for testing |
| 84 other TLS implementations, or as example code. Note that 'tls.py server' runs |
| 85 an HTTPS server which will serve files rooted at the current directory by |
| 86 default, so be careful. |
| 87 |
| 88 'tlsdb.py' lets you manage SRP verifier databases. These databases are used by |
| 89 a TLS server when authenticating clients with SRP. |
| 90 |
| 91 X.509 |
| 92 ------ |
| 93 To run an X.509 server, go to the ./tests directory and do: |
| 94 |
| 95 tls.py server -k serverX509Key.pem -c serverX509Cert.pem localhost:4443 |
| 96 |
| 97 Try connecting to the server with a web browser, or with: |
| 98 |
| 99 tls.py client localhost:4443 |
| 100 |
| 101 X.509 with TACK |
| 102 ---------------- |
| 103 To run an X.509 server using a TACK, install TACKpy, then run the same server |
| 104 command as above with added arguments: |
| 105 |
| 106 ... -t TACK1.pem localhost:4443 |
| 107 |
| 108 SRP |
| 109 ---- |
| 110 To run an SRP server, try something like: |
| 111 |
| 112 tlsdb.py createsrp verifierDB |
| 113 tlsdb.py add verifierDB alice abra123cadabra 1024 |
| 114 tlsdb.py add verifierDB bob swordfish 2048 |
| 115 |
| 116 tls.py server -v verifierDB localhost:4443 |
| 117 |
| 118 Then try connecting to the server with: |
| 119 |
| 120 tls.py client localhost:4443 alice abra123cadabra |
| 121 |
| 122 HTTPS |
| 123 ------ |
| 124 To run an HTTPS server with less typing, run ./tests/httpsserver.sh. |
| 125 |
| 126 To run an HTTPS client, run ./tests/httpsclient.py. |
| 127 |
| 128 |
| 129 5 Getting Started with the Library |
| 130 =================================== |
| 131 Whether you're writing a client or server, there are six steps: |
| 132 |
| 133 1) Create a socket and connect it to the other party. |
| 134 2) Construct a TLSConnection instance with the socket. |
| 135 3) Call a handshake function on TLSConnection to perform the TLS handshake. |
| 136 4) Check the results to make sure you're talking to the right party. |
| 137 5) Use the TLSConnection to exchange data. |
| 138 6) Call close() on the TLSConnection when you're done. |
| 139 |
| 140 TLS Lite also integrates with several stdlib python libraries. See the |
| 141 sections following this one for details. |
| 142 |
| 143 5 Step 1 - create a socket |
| 144 --------------------------- |
| 145 Below demonstrates a socket connection to Amazon's secure site. |
| 146 |
| 147 from socket import * |
| 148 sock = socket(AF_INET, SOCK_STREAM) |
| 149 sock.connect( ("www.amazon.com", 443) ) |
| 150 |
| 151 5 Step 2 - construct a TLSConnection |
| 152 ------------------------------------- |
| 153 You can import tlslite objects individually, such as: |
| 154 from tlslite import TLSConnection |
| 155 |
| 156 Or import the most useful objects through: |
| 157 from tlslite.api import * |
| 158 |
| 159 Then do: |
| 160 connection = TLSConnection(sock) |
| 161 |
| 162 5 Step 3 - call a handshake function (client) |
| 163 ---------------------------------------------- |
| 164 If you're a client, there's two different handshake functions you can call, |
| 165 depending on how you want to authenticate: |
| 166 |
| 167 connection.handshakeClientCert() |
| 168 connection.handshakeClientCert(certChain, privateKey) |
| 169 |
| 170 connection.handshakeClientSRP("alice", "abra123cadabra") |
| 171 |
| 172 The ClientCert function without arguments is used when connecting to a site |
| 173 like Amazon, which doesn't require client authentication, but which will |
| 174 authenticate itself using an X.509 certificate chain. |
| 175 |
| 176 The ClientCert function can also be used to do client authentication with an |
| 177 X.509 certificate chain and corresponding private key. To use X.509 chains, |
| 178 you'll need some way of creating these, such as OpenSSL (see |
| 179 http://www.openssl.org/docs/HOWTO/ for details). |
| 180 |
| 181 Below is an example of loading an X.509 chain and private key: |
| 182 |
| 183 from tlslite import X509, X509CertChain, parsePEMKey |
| 184 s = open("./test/clientX509Cert.pem").read() |
| 185 x509 = X509() |
| 186 x509.parse(s) |
| 187 certChain = X509CertChain([x509]) |
| 188 s = open("./test/clientX509Key.pem").read() |
| 189 privateKey = parsePEMKey(s, private=True) |
| 190 |
| 191 The SRP function does mutual authentication with a username and password - see |
| 192 RFC 5054 for details. |
| 193 |
| 194 If you want more control over the handshake, you can pass in a |
| 195 HandshakeSettings instance. For example, if you're performing SRP, but you |
| 196 only want to use SRP parameters of at least 2048 bits, and you only want to |
| 197 use the AES-256 cipher, and you only want to allow TLS (version 3.1), not SSL |
| 198 (version 3.0), you can do: |
| 199 |
| 200 settings = HandshakeSettings() |
| 201 settings.minKeySize = 2048 |
| 202 settings.cipherNames = ["aes256"] |
| 203 settings.minVersion = (3,1) |
| 204 settings.useExperimentalTACKExtension = True # Needed for TACK support |
| 205 |
| 206 connection.handshakeClientSRP("alice", "abra123cadabra", settings=settings) |
| 207 |
| 208 If you want to check the server's certificate using TACK, you should set the |
| 209 "useExperiementalTACKExtension" value in HandshakeSettings. (Eventually, TACK |
| 210 support will be enabled by default, but for now it is an experimental feature |
| 211 which relies on a temporary TLS Extension number, and should not be used for |
| 212 production software.) This will cause the client to request the server to send |
| 213 you a TACK (and/or any TACK Break Signatures): |
| 214 |
| 215 Finally, every TLSConnection has a session object. You can try to resume a |
| 216 previous session by passing in the session object from the old session. If the |
| 217 server remembers this old session and supports resumption, the handshake will |
| 218 finish more quickly. Otherwise, the full handshake will be done. For example: |
| 219 |
| 220 connection.handshakeClientSRP("alice", "abra123cadabra") |
| 221 . |
| 222 . |
| 223 oldSession = connection.session |
| 224 connection2.handshakeClientSRP("alice", "abra123cadabra", session= |
| 225 oldSession) |
| 226 |
| 227 5 Step 3 - call a handshake function (server) |
| 228 ---------------------------------------------- |
| 229 If you're a server, there's only one handshake function, but you can pass it |
| 230 several different parameters, depending on which types of authentication |
| 231 you're willing to perform. |
| 232 |
| 233 To perform SRP authentication, you have to pass in a database of password |
| 234 verifiers. The VerifierDB class manages an in-memory or on-disk verifier |
| 235 database. |
| 236 |
| 237 verifierDB = VerifierDB("./test/verifierDB") |
| 238 verifierDB.open() |
| 239 connection.handshakeServer(verifierDB=verifierDB) |
| 240 |
| 241 To perform authentication with a certificate and private key, the server must |
| 242 load these as described in the previous section, then pass them in. If the |
| 243 server sets the reqCert boolean to True, a certificate chain will be requested |
| 244 from the client. |
| 245 |
| 246 connection.handshakeServer(certChain=certChain, privateKey=privateKey, |
| 247 reqCert=True) |
| 248 |
| 249 You can pass in a verifier database and/or a certificate chain+private key. |
| 250 The client will use one or both to authenticate the server. |
| 251 |
| 252 You can also pass in a HandshakeSettings object, as described in the last |
| 253 section, for finer control over handshaking details. |
| 254 |
| 255 If you are passing in a certificate chain+private key, you may additionally |
| 256 provide a TACK to assist the client in authenticating your certificate chain. |
| 257 This requires the TACKpy library. Load a TACKpy.TACK object, then do: |
| 258 |
| 259 settings = HandshakeSettings() |
| 260 settings.useExperimentalTACKExtension = True # Needed for TACK support |
| 261 |
| 262 connection.handshakeServer(certChain=certChain, privateKey=privateKey, |
| 263 tack=tack, settings=settings) |
| 264 |
| 265 Finally, the server can maintain a SessionCache, which will allow clients to |
| 266 use session resumption: |
| 267 |
| 268 sessionCache = SessionCache() |
| 269 connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) |
| 270 |
| 271 It should be noted that the session cache, and the verifier databases, are all |
| 272 thread-safe. |
| 273 |
| 274 5 Step 4 - check the results |
| 275 ----------------------------- |
| 276 If the handshake completes without raising an exception, authentication |
| 277 results will be stored in the connection's session object. The following |
| 278 variables will be populated if applicable, or else set to None: |
| 279 |
| 280 connection.session.srpUsername # string |
| 281 connection.session.clientCertChain # X509CertChain |
| 282 connection.session.serverCertChain # X509CertChain |
| 283 connection.session.tackExt # TACKpy.TACK_Extension |
| 284 |
| 285 X.509 chain objects return the end-entity fingerprint via getFingerprint(), |
| 286 and ignore the other certificates. |
| 287 |
| 288 TACK objects return the (validated) TACK ID via getTACKID(). |
| 289 |
| 290 To save yourself the trouble of inspecting certificates and/or TACKs after the |
| 291 handshake, you can pass a Checker object into the handshake function. The |
| 292 checker will be called if the handshake completes successfully. If the other |
| 293 party isn't approved by the checker, a subclass of TLSAuthenticationError will |
| 294 be raised. |
| 295 |
| 296 If the handshake fails for any reason, including a Checker error, an exception |
| 297 will be raised and the socket will be closed. If the socket timed out or was |
| 298 unexpectedly closed, a socket.error or TLSAbruptCloseError will be raised. |
| 299 |
| 300 Otherwise, either a TLSLocalAlert or TLSRemoteAlert will be raised, depending |
| 301 on whether the local or remote implementation signalled the error. The |
| 302 exception object has a 'description' member which identifies the error based |
| 303 on the codes in RFC 2246. A TLSLocalAlert also has a 'message' string that may |
| 304 have more details. |
| 305 |
| 306 Example of handling a remote alert: |
| 307 |
| 308 try: |
| 309 [...] |
| 310 except TLSRemoteAlert as alert: |
| 311 if alert.description == AlertDescription.unknown_psk_identity: |
| 312 print "Unknown user." |
| 313 [...] |
| 314 |
| 315 Below are some common alerts and their probable causes, and whether they are |
| 316 signalled by the client or server. |
| 317 |
| 318 Client handshake_failure: |
| 319 - SRP parameters are not recognized by client |
| 320 - Server's TACK was unrelated to its certificate chain |
| 321 |
| 322 Client insufficient_security: |
| 323 - SRP parameters are too small |
| 324 |
| 325 Client protocol_version: |
| 326 - Client doesn't support the server's protocol version |
| 327 |
| 328 Server protocol_version: |
| 329 - Server doesn't support the client's protocol version |
| 330 |
| 331 Server bad_record_mac: |
| 332 - bad SRP username or password |
| 333 |
| 334 Server unknown_psk_identity |
| 335 - bad SRP username (bad_record_mac could be used for the same thing) |
| 336 |
| 337 Server handshake_failure: |
| 338 - no matching cipher suites |
| 339 |
| 340 5 Step 5 - exchange data |
| 341 ------------------------- |
| 342 Now that you have a connection, you can call read() and write() as if it were |
| 343 a socket.SSL object. You can also call send(), sendall(), recv(), and |
| 344 makefile() as if it were a socket. These calls may raise TLSLocalAlert, |
| 345 TLSRemoteAlert, socket.error, or TLSAbruptCloseError, just like the handshake |
| 346 functions. |
| 347 |
| 348 Once the TLS connection is closed by the other side, calls to read() or recv() |
| 349 will return an empty string. If the socket is closed by the other side without |
| 350 first closing the TLS connection, calls to read() or recv() will return a |
| 351 TLSAbruptCloseError, and calls to write() or send() will return a |
| 352 socket.error. |
| 353 |
| 354 5 Step 6 - close the connection |
| 355 -------------------------------- |
| 356 When you're finished sending data, you should call close() to close the |
| 357 connection and socket. When the connection is closed properly, the session |
| 358 object can be used for session resumption. |
| 359 |
| 360 If an exception is raised the connection will be automatically closed; you |
| 361 don't need to call close(). Furthermore, you will probably not be able to |
| 362 re-use the socket, the connection object, or the session object, and you |
| 363 shouldn't even try. |
| 364 |
| 365 By default, calling close() will close the underlying socket. If you set the |
| 366 connection's closeSocket flag to False, the socket will remain open after |
| 367 close. (NOTE: some TLS implementations will not respond properly to the |
| 368 close_notify alert that close() generates, so the connection will hang if |
| 369 closeSocket is set to True.) |
| 370 |
| 371 |
| 372 6 Using TLS Lite with httplib |
| 373 ============================== |
| 374 TLS Lite comes with an HTTPTLSConnection class that extends httplib to work |
| 375 over SSL/TLS connections. Depending on how you construct it, it will do |
| 376 different types of authentication. |
| 377 |
| 378 #No authentication whatsoever |
| 379 h = HTTPTLSConnection("www.amazon.com", 443) |
| 380 h.request("GET", "") |
| 381 r = h.getresponse() |
| 382 [...] |
| 383 |
| 384 #Authenticate server based on its TACK ID |
| 385 h = HTTPTLSConnection("localhost", 4443, |
| 386 tackID="B3ARS.EQ61B.F34EL.9KKLN.3WEW5", hardTack=False) |
| 387 [...] |
| 388 |
| 389 #Mutually authenticate with SRP |
| 390 h = HTTPTLSConnection("localhost", 443, |
| 391 username="alice", password="abra123cadabra") |
| 392 [...] |
| 393 |
| 394 |
| 395 7 Using TLS Lite with poplib or imaplib |
| 396 ======================================== |
| 397 TLS Lite comes with POP3_TLS and IMAP4_TLS classes that extend poplib and |
| 398 imaplib to work over SSL/TLS connections. These classes can be constructed |
| 399 with the same parameters as HTTPTLSConnection (see previous section), and |
| 400 behave similarly. |
| 401 |
| 402 #To connect to a POP3 server over SSL and display its fingerprint: |
| 403 from tlslite.api import * |
| 404 p = POP3_TLS("---------.net", port=995) |
| 405 print p.sock.session.serverCertChain.getFingerprint() |
| 406 [...] |
| 407 |
| 408 #To connect to an IMAP server once you know its fingerprint: |
| 409 from tlslite.api import * |
| 410 i = IMAP4_TLS("cyrus.andrew.cmu.edu", |
| 411 x509Fingerprint="00c14371227b3b677ddb9c4901e6f2aee18d3e45") |
| 412 [...] |
| 413 |
| 414 |
| 415 8 Using TLS Lite with smtplib |
| 416 ============================== |
| 417 TLS Lite comes with an SMTP_TLS class that extends smtplib to work |
| 418 over SSL/TLS connections. This class accepts the same parameters as |
| 419 HTTPTLSConnection (see previous section), and behaves similarly. Depending |
| 420 on how you call starttls(), it will do different types of authentication. |
| 421 |
| 422 #To connect to an SMTP server once you know its fingerprint: |
| 423 from tlslite.api import * |
| 424 s = SMTP_TLS("----------.net", port=587) |
| 425 s.ehlo() |
| 426 s.starttls(x509Fingerprint="7e39be84a2e3a7ad071752e3001d931bf82c32dc") |
| 427 [...] |
| 428 |
| 429 |
| 430 9 Using TLS Lite with SocketServer |
| 431 ==================================== |
| 432 You can use TLS Lite to implement servers using Python's SocketServer |
| 433 framework. TLS Lite comes with a TLSSocketServerMixIn class. You can combine |
| 434 this with a TCPServer such as HTTPServer. To combine them, define a new class |
| 435 that inherits from both of them (with the mix-in first). Then implement the |
| 436 handshake() method, doing some sort of server handshake on the connection |
| 437 argument. If the handshake method returns True, the RequestHandler will be |
| 438 triggered. See the tests/httpsserver.py example. |
| 439 |
| 440 |
| 441 10 Using TLS Lite with asyncore |
| 442 ================================ |
| 443 TLS Lite can be used with subclasses of asyncore.dispatcher. See the comments |
| 444 in TLSAsyncDispatcherMixIn.py for details. This is still experimental, and |
| 445 may not work with all asyncore.dispatcher subclasses. |
| 446 |
| 447 |
| 448 11 Security Considerations |
| 449 =========================== |
| 450 TLS Lite is beta-quality code. It hasn't received much security analysis. Use |
| 451 at your own risk. |
| 452 |
| 453 TLS Lite is probably vulnerable to the "Lucky 13" timing attack if AES or 3DES |
| 454 are used. Thus, TLS Lite prefers the RC4 cipher. |
| 455 |
| 456 |
| 457 12 History |
| 458 =========== |
| 459 0.4.6 - 3/20/2013 |
| 460 - **API CHANGE**: TLSClosedConnectionError instead of ValueError when writing |
| 461 to a closed connection. This inherits from socket.error, so should |
| 462 interact better with SocketServer (see http://bugs.python.org/issue14574) |
| 463 and other things expecting a socket.error in this situation. |
| 464 - Added support for RC4-MD5 ciphersuite (if enabled in settings) |
| 465 - This is allegedly necessary to connect to some Internet servers. |
| 466 - Added TLSConnection.unread() function |
| 467 - Switched to New-style classes (inherit from 'object') |
| 468 - Minor cleanups |
| 469 |
| 470 0.4.5 - (release engineering problem, skipped!) |
| 471 |
| 472 0.4.4 - 2/25/2013 |
| 473 - Added Python 3 support (Martin von Loewis) |
| 474 - Added NPN client support (Marcelo Fernandez) |
| 475 - Switched to RC4 as preferred cipher |
| 476 - faster in Python, avoids "Lucky 13" timing attacks |
| 477 - Fixed bug when specifying ciphers for anon ciphersuites |
| 478 - Made RSA hashAndVerify() tolerant of sigs w/o encoded NULL AlgorithmParam |
| 479 - (this function is not used for TLS currently, and this tolerance may |
| 480 not even be necessary) |
| 481 0.4.3 - 9/27/2012 |
| 482 - Minor bugfix (0.4.2 doesn't load tackpy) |
| 483 0.4.2 - 9/25/2012 |
| 484 - Updated TACK (compatible with tackpy 0.9.9) |
| 485 0.4.1 - 5/22/2012 |
| 486 - Fixed RSA padding bugs (w/help from John Randolph) |
| 487 - Updated TACK (compatible with tackpy 0.9.7) |
| 488 - Added SNI |
| 489 - Added NPN server support (Sam Rushing/Google) |
| 490 - Added AnonDH (Dimitris Moraitis) |
| 491 - Added X509CertChain.parsePemList |
| 492 - Improved XML-RPC (Kees Bos) |
| 493 |
| 494 0.4.0 - 2/11/2012 |
| 495 - Fixed pycrypto support |
| 496 - Fixed python 2.6 problems |
| 497 |
| 498 0.3.9.x - 2/7/2012 |
| 499 |
| 500 Much code cleanup, in particular decomposing the handshake functions so they |
| 501 are readable. The main new feature is support for TACK, an experimental |
| 502 authentication method that provides a new way to pin server certificates (See |
| 503 https://github.com/moxie0/Convergence/wiki/TACK ). |
| 504 |
| 505 Also: |
| 506 |
| 507 - Security Fixes |
| 508 - Sends SCSV ciphersuite as per RFC 5746, to signal non-renegotiated |
| 509 Client Hello. Does not support renegotiation (never has). |
| 510 - Change from e=3 to e=65537 for generated RSA keys, not strictly |
| 511 necessary but mitigates risk of sloppy verifier. |
| 512 - 1/(n-1) countermeasure for BEAST. |
| 513 |
| 514 - Behavior changes: |
| 515 - Split cmdline into tls.py and tlstest.py, improved options. |
| 516 - Formalized LICENSE. |
| 517 - Defaults to closing socket after sending close_notify, fixes hanging. |
| 518 problem that would occur sometime when waiting for other party's |
| 519 close_notify. |
| 520 - Update SRP to RFC 5054 compliance. |
| 521 - Removed client handshake "callbacks", no longer support the SRP |
| 522 re-handshake idiom within a single handshake function. |
| 523 |
| 524 - Bugfixes |
| 525 - Added hashlib support, removes Deprecation Warning due to sha and md5. |
| 526 - Handled GeneratorExit exceptions that are a new Python feature, and |
| 527 interfere with the async code if not handled. |
| 528 |
| 529 - Removed: |
| 530 - Shared keys (it was based on an ancient I-D, not TLS-PSK). |
| 531 - cryptlib support, it wasn't used much, we have enough other options. |
| 532 - cryptoIDs (TACK is better). |
| 533 - win32prng extension module, as os.urandom is now available. |
| 534 - Twisted integration (unused?, slowed down loading). |
| 535 - Jython code (ancient, didn't work). |
| 536 - Compat support for python versions < 2.7. |
| 537 |
| 538 - Additions |
| 539 - Support for TACK via TACKpy. |
| 540 - Support for CertificateRequest.certificate_authorities ("reqCAs") |
| 541 - Added TLSConnection.shutdown() to better mimic socket. |
| 542 - Enabled Session resumption for XMLRPCTransport. |
| 543 |
| 544 0.3.8 - 2/21/2005 |
| 545 - Added support for poplib, imaplib, and smtplib |
| 546 - Added python 2.4 windows installer |
| 547 - Fixed occassional timing problems with test suite |
| 548 0.3.7 - 10/05/2004 |
| 549 - Added support for Python 2.2 |
| 550 - Cleaned up compatibility code, and docs, a bit |
| 551 0.3.6 - 9/28/2004 |
| 552 - Fixed script installation on UNIX |
| 553 - Give better error message on old Python versions |
| 554 0.3.5 - 9/16/2004 |
| 555 - TLS 1.1 support |
| 556 - os.urandom() support |
| 557 - Fixed win32prng on some systems |
| 558 0.3.4 - 9/12/2004 |
| 559 - Updated for TLS/SRP draft 8 |
| 560 - Bugfix: was setting _versioncheck on SRP 1st hello, causing problems |
| 561 with GnuTLS (which was offering TLS 1.1) |
| 562 - Removed _versioncheck checking, since it could cause interop problems |
| 563 - Minor bugfix: when cryptlib_py and and cryptoIDlib present, cryptlib |
| 564 was complaining about being initialized twice |
| 565 0.3.3 - 6/10/2004 |
| 566 - Updated for TLS/SRP draft 7 |
| 567 - Updated test cryptoID cert chains for cryptoIDlib 0.3.1 |
| 568 0.3.2 - 5/21/2004 |
| 569 - fixed bug when handling multiple handshake messages per record (e.g. IIS) |
| 570 0.3.1 - 4/21/2004 |
| 571 - added xmlrpclib integration |
| 572 - fixed hanging bug in Twisted integration |
| 573 - fixed win32prng to work on a wider range of win32 sytems |
| 574 - fixed import problem with cryptoIDlib |
| 575 - fixed port allocation problem when test scripts are run on some UNIXes |
| 576 - made tolerant of buggy IE sending wrong version in premaster secret |
| 577 0.3.0 - 3/20/2004 |
| 578 - added API docs thanks to epydoc |
| 579 - added X.509 path validation via cryptlib |
| 580 - much cleaning/tweaking/re-factoring/minor fixes |
| 581 0.2.7 - 3/12/2004 |
| 582 - changed Twisted error handling to use connectionLost() |
| 583 - added ignoreAbruptClose |
| 584 0.2.6 - 3/11/2004 |
| 585 - added Twisted errorHandler |
| 586 - added TLSAbruptCloseError |
| 587 - added 'integration' subdirectory |
| 588 0.2.5 - 3/10/2004 |
| 589 - improved asynchronous support a bit |
| 590 - added first-draft of Twisted support |
| 591 0.2.4 - 3/5/2004 |
| 592 - cleaned up asyncore support |
| 593 - added proof-of-concept for Twisted |
| 594 0.2.3 - 3/4/2004 |
| 595 - added pycrypto RSA support |
| 596 - added asyncore support |
| 597 0.2.2 - 3/1/2004 |
| 598 - added GMPY support |
| 599 - added pycrypto support |
| 600 - added support for PEM-encoded private keys, in pure python |
| 601 0.2.1 - 2/23/2004 |
| 602 - improved PRNG use (cryptlib, or /dev/random, or CryptoAPI) |
| 603 - added RSA blinding, to avoid timing attacks |
| 604 - don't install local copy of M2Crypto, too problematic |
| 605 0.2.0 - 2/19/2004 |
| 606 - changed VerifierDB to take per-user parameters |
| 607 - renamed tls_lite -> tlslite |
| 608 0.1.9 - 2/16/2004 |
| 609 - added post-handshake 'Checker' |
| 610 - made compatible with Python 2.2 |
| 611 - made more forgiving of abrupt closure, since everyone does it: |
| 612 if the socket is closed while sending/recv'ing close_notify, |
| 613 just ignore it. |
| 614 0.1.8 - 2/12/2004 |
| 615 - TLSConnections now emulate sockets, including makefile() |
| 616 - HTTPTLSConnection and TLSMixIn simplified as a result |
| 617 0.1.7 - 2/11/2004 |
| 618 - fixed httplib.HTTPTLSConnection with multiple requests |
| 619 - fixed SocketServer to handle close_notify |
| 620 - changed handshakeClientNoAuth() to ignore CertificateRequests |
| 621 - changed handshakeClient() to ignore non-resumable session arguments |
| 622 0.1.6 - 2/10/2004 |
| 623 - fixed httplib support |
| 624 0.1.5 - 2/09/2004 |
| 625 - added support for httplib and SocketServer |
| 626 - added support for SSLv3 |
| 627 - added support for 3DES |
| 628 - cleaned up read()/write() behavior |
| 629 - improved HMAC speed |
| 630 0.1.4 - 2/06/2004 |
| 631 - fixed dumb bug in tls.py |
| 632 0.1.3 - 2/05/2004 |
| 633 - change read() to only return requested number of bytes |
| 634 - added support for shared-key and in-memory databases |
| 635 - added support for PEM-encoded X.509 certificates |
| 636 - added support for SSLv2 ClientHello |
| 637 - fixed shutdown/re-handshaking behavior |
| 638 - cleaned up handling of missing_srp_username |
| 639 - renamed readString()/writeString() -> read()/write() |
| 640 - added documentation |
| 641 0.1.2 - 2/04/2004 |
| 642 - added clienttest/servertest functions |
| 643 - improved OpenSSL cipher wrappers speed |
| 644 - fixed server when it has a key, but client selects plain SRP |
| 645 - fixed server to postpone errors until it has read client's messages |
| 646 - fixed ServerHello to only include extension data if necessary |
| 647 0.1.1 - 2/02/2004 |
| 648 - fixed close_notify behavior |
| 649 - fixed handling of empty application data packets |
| 650 - fixed socket reads to not consume extra bytes |
| 651 - added testing functions to tls.py |
| 652 0.1.0 - 2/01/2004 |
| 653 - first release |
OLD | NEW |