All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
- Fix IndexError on junk message (CVE-2015-3220).
- Fix unit-test failure (disable sha256 mac if maxversion < 1.2)
- Merge pull request #98 from davidben/chromium-patches-2
- Fix bug in SRP hashing.
- Merge pull request #106 from tomato42/name-fixes-trevp
- rename description_name
- rename level_name
- rename type_name
- rename cert_types
- rename _server_extensions
- rename _universal_extensions
- rename host_names
- rename server_names
- rename server_type
- rename ext_data
- rename ext_type
- Merge pull request #104 from tomato42/sni-fix
- fix parsing server side server_name extension
- travis.yml: follow redirects, debugging info logging
- Correctly enforce cipher suite version constraints.
- Fix Fault-based test framework.
- Fix client auth for TLS 1.2.
- If ignoreAbrubtClose is set, write failures don't break sessions.
- Fix CertificateRequest initialization.
- Merge pull request #93 from tomato42/gitignore
- ignore coverage html output folder
- Merge pull request #88 from tomato42/handshakesettings-fixes
- promote HandshakeSettings._getCertificateTypes to public
- add check for interdependance of minKeySize and maxKeySize
- unit tests for HandshakeSettings
- promote HandshakeSettings._filter() to public
- adding acknowledgements
- Merge pull request #87 from davidben/chromium-patches-1
- Apply minimal padding.
- Implement FALLBACK_SCSV.
- Fix #! line in httpsserver.sh.
- Fix executable bits on files.
- Merge pull request #86 from tomato42/tests-with-deps-3
- Merge pull request #85 from tomato42/clienthello-tests
- remove BadNextProtos
- test ClientHello.parse with SSLv2 ClientHello
- Fix compatibility issues with pycrypto and gmpy
- fix setting ClientHello.server_name multiple times
- clientHello.supports_npn test
- ClientHello.tack test
- ClientHello.srp_username test
- Merge pull request #84 from tomato42/messages-tests
- test coverage for getExtension and certificate_types
- test coverage for Alert
- Fix test failure on OSX.
- Adding acknowledgements for Mirko.
- Merge pull request #83 from MirkoDziadzka/session-cache
- remove unneeded import
- add tests to reproduce the problem
- fix session cache problem
- Merge pull request #82 from tomato42/test-coverage
- RecordHeader3 test coverage
- test coverage to RecordHeader2
- Trying this coveralls things for test coverage.
- Merge pull request #80 from tomato42/coverage
- add coverage checks to test-dev
- measure coverage in travis-ci
- Merge pull request #78 from tomato42/test-intermediate-10
- add check for code style
- Merge pull request #77 from tomato42/merged-2
- fix all problems with tests
- Merge pull request #68 from tomato42/fix-6568ad9
- fix bug introduced in 6568ad9
- Merge pull request #57 from tomato42/test-intermediate-3
- run tests for every commit in pull request or push [v2]
- make-based tests
- Merge pull request #54 from tomato42/revert-53-test-intermediate
- Revert "More detailed CI"
- Merge pull request #53 from tomato42/test-intermediate
- run tests for every commit in pull request or push
- Merge pull request #51 from tomato42/python26-fix
- add unittest2 import
- Trying travis
- Merge pull request #43 from tomato42/tests-fixes
- Merge pull request #46 from tomato42/cleanup
- don't pollute global namespace with `sieve` temporary variable
- characterisation tests for isPrime
- don't pollute global namespace with `length`
- Merge pull request #45 from tomato42/test-coverage-2
- fix pylint reported formatting issues
- fix missing import in tlslite.extensions
- better test coverage for TACKExtension
- don't use explicit short-circuit in compare
- better test coverage for __eq__ in TLSExtension
- remove duplicate check
- unit tests compatibility with Python2.6
- run self tests using both python2 and python3
- python 2.7.9 compatibility
- change certificate to self signed
- strict is deprecated and removed in 3.4
- deal with unclean socket shutdown
- Merge pull request #40 from tomato42/debugging-aids
- Merge pull request #42 from tomato42/docstring
- fix addExtension docstring
- add __repr__ to ClientHello
- add __str__ to ClientHello
- add __repr__ support to Alert
- add __str__ support to Alert
- add __repr__ to extensions
- add __repr__ to ServerHello
- add __str__ to ServerHello
- add __repr__ to RecordHeader3
- add __str__ handling to RecordHeader3
- Merge pull request #37 from tomato42/server-extensions-4
- Merge pull request #38 from tomato42/parsePEMKey-fixes
- be more precise in naming libraries
- make comment more descriptive in OpenSSL_RSAKey.parse()
- make OpenSSL wrapper handle PKCS#8 files
- characterisation tests for parsePEMKey
- Merge pull request #36 from tomato42/comments
- use extension parsers and serialisers in server hello
- convert server hello to using extensions list
- implement server side version of TACK extension
- fix typo in ClientHello docs
- remove some code duplication in ClientHello
- don't use reserved keyword for name of ServerName type field
- extend note about backwards compatibility for certificate_types
- extend extension handler to ServerHello extensions
- implement server side version of cert type extension
- add tests for cert_type and NPN ServerHello extensions
- Merge branch 'writer-fixes' of git://github.com/tomato42/tlslite-1
into tomato42-writer-fixes
- Merge pull request #34 from tomato42/new-extensions-3
- raise exception when overflowing integers
- Writer characterisation tests
- rename tlsextension to extensions
- harmonise get_extension method name with other method names
- tests for the new extensions variable
- use array to store ClientHello extensions
- make TLSExtension parse() into a factory function
- implement the ClientHello version of cert_type extension
- implement SRP extension
- implement NextProtocolNegotiation extension
- codec: method to return remaining buffer size
- implement class for ServerNameIndication extension
- add class handling generic TLS Extensions
- Merge pull request #32 from tomato42/client-hello-ext-parser-tests
- add parser tests for extensions in ClientHello
- clean up also in unit_tests directory
- Merge pull request #30 from tomato42/epydoc-fixes
- Merge pull request #31 from tomato42/parser-fixes
- fix getFixBytes boundary checking
- add characterisation tests for Parser
- add graphs to generated documentation
- add docs/ directory to .gitignore
- add test for epydoc to test-dev target
- fix epydoc warnings
- Merge pull request #29 from tomato42/test-suite-2
- ServerHello unit tests
- simple unit tests for ClientHello class (v3)
- remove dead code
0.4.8 - 11/12/2014
- Added more acknowledgements and security considerations
0.4.7 - 11/12/2014
- Added TLS 1.2 support (Yngve Pettersen and Paul Sokolovsky)
- Don't offer SSLv3 by default (e.g. POODLE)
- Fixed bug with PyCrypto_RSA integration
- Fixed harmless bug that added non-prime into sieves list
- Added "make test" and "make test-dev" targets (Hubert Kario)
0.4.5 - 3/20/2013
- **API CHANGE**: TLSClosedConnectionError instead of ValueError when writing
to a closed connection. This inherits from socket.error, so should
interact better with SocketServer (see http://bugs.python.org/issue14574)
and other things expecting a socket.error in this situation.
- Added support for RC4-MD5 ciphersuite (if enabled in settings)
- This is allegedly necessary to connect to some Internet servers.
- Added TLSConnection.unread() function
- Switched to New-style classes (inherit from 'object')
- Minor cleanups
0.4.4 - 2/25/2013
- Added Python 3 support (Martin von Loewis)
- Added NPN client support (Marcelo Fernandez)
- Switched to RC4 as preferred cipher
- faster in Python, avoids "Lucky 13" timing attacks
- Fixed bug when specifying ciphers for anon ciphersuites
- Made RSA hashAndVerify() tolerant of sigs w/o encoded NULL AlgorithmParam
- (this function is not used for TLS currently, and this tolerance may
not even be necessary)
0.4.3 - 9/27/2012
- Minor bugfix (0.4.2 doesn't load tackpy)
0.4.2 - 9/25/2012
- Updated TACK (compatible with tackpy 0.9.9)
0.4.1 - 5/22/2012
- Fixed RSA padding bugs (w/help from John Randolph)
- Updated TACK (compatible with tackpy 0.9.7)
- Added SNI
- Added NPN server support (Sam Rushing/Google)
- Added AnonDH (Dimitris Moraitis)
- Added X509CertChain.parsePemList
- Improved XML-RPC (Kees Bos)
0.4.0 - 2/11/2012
- Fixed pycrypto support
- Fixed python 2.6 problems
0.3.9.x - 2/7/2012
Much code cleanup, in particular decomposing the handshake functions so they
are readable. The main new feature is support for TACK, an experimental
authentication method that provides a new way to pin server certificates (See
https://github.com/moxie0/Convergence/wiki/TACK ).
Also:
- Security Fixes
- Sends SCSV ciphersuite as per RFC 5746, to signal non-renegotiated
Client Hello. Does not support renegotiation (never has).
- Change from e=3 to e=65537 for generated RSA keys, not strictly
necessary but mitigates risk of sloppy verifier.
- 1/(n-1) countermeasure for BEAST.
- Behavior changes:
- Split cmdline into tls.py and tlstest.py, improved options.
- Formalized LICENSE.
- Defaults to closing socket after sending close_notify, fixes hanging.
problem that would occur sometime when waiting for other party's
close_notify.
- Update SRP to RFC 5054 compliance.
- Removed client handshake "callbacks", no longer support the SRP
re-handshake idiom within a single handshake function.
- Bugfixes
- Added hashlib support, removes Deprecation Warning due to sha and md5.
- Handled GeneratorExit exceptions that are a new Python feature, and
interfere with the async code if not handled.
- Removed:
- Shared keys (it was based on an ancient I-D, not TLS-PSK).
- cryptlib support, it wasn't used much, we have enough other options.
- cryptoIDs (TACK is better).
- win32prng extension module, as os.urandom is now available.
- Twisted integration (unused?, slowed down loading).
- Jython code (ancient, didn't work).
- Compat support for python versions < 2.7.
- Additions
- Support for TACK via TACKpy.
- Support for CertificateRequest.certificate_authorities ("reqCAs")
- Added TLSConnection.shutdown() to better mimic socket.
- Enabled Session resumption for XMLRPCTransport.
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
- assume that Python 2.4 and 2.5 are compatible and allow checking for
fallout.
- remove PYTHON_VERSIONS_COMPATIBLE that are obsoleted by the 2.3+
default. Modify the others to deal with the removals.
TLS Lite is a free python library that implements SSL 3.0, TLS 1.0,
and TLS 1.1. TLS Lite supports non-traditional authentication methods
such as SRP, shared keys, and cryptoIDs in addition to X.509
certificates. TLS Lite is pure Python, however it can access OpenSSL,
cryptlib, pycrypto, and GMPY for faster crypto operations. TLS Lite
integrates with httplib, xmlrpclib, poplib, imaplib, smtplib,
SocketServer, asyncore, and Twisted.