certbot/letsencrypt-auto-source
Adrien Ferrand 2ddaf3db04 Use built-in support for OCSP in cryptography >= 2.5 (#6603)
In response to #6594. [Fixes #6594.]

To execute OCSP requests, certbot currently relies on executing an openssl binary. If openssl is not present in the PATH, the OCSP check will be silently ignored. Since version 2.4, cryptography has support for OCSP requests, without the need to have an openssl binary available locally.

This PR takes advantage of it, and will use the built-in support for OCSP in cryptography for versions >= 2.4. Otherwise, it falls back to a direct call to the openssl binary, allowing the oldest requirements to still work with legacy cryptography versions.

Update: the requirement is now cryptography >= 2.5, to avoid relying on a private method from cryptography.

* Implement logic using cryptography

* Working OCSP using pure cryptography

* Fix openssl usage in unit tests

* Reduce verbosity

* Add tests

* Improve naive skipIf

* Test resiliency

* Update ocsp.py

* Validate OCSP response. Unify OCSP URL get

* Improve resiliency checks, correct lint/mypy

* Improve hash selection

* Fix warnings when calling openssl bin

* Load OCSP tests assets as vectors.

* Update ocsp.py

* Protect against invalid ocsp response.

* Add checks to OCSP response

* Add more control on ocsp response

* Be lenient about assertion that next_update must be in the future, similarly to openssl.

* Construct a more advanced OCSP response mock to trigger more logic in ocsp module.

* Add test

* Refactor signature process to use crypto_util

* Fallback for cryptography 2.4

* Avoid a collision with a meteor.

* Correct method signature documentation

* Relax OCSP update interval

* Trigger built-in ocsp logic from cryptography with 2.5+

* Update pinned version of cryptography

* Update certbot/ocsp.py

Co-Authored-By: adferrand <adferrand@users.noreply.github.com>

* Update ocsp.py

* Update ocsp_test.py

* Update CHANGELOG.md

* Update CHANGELOG.md
2019-02-05 10:45:15 -08:00
pieces Use built-in support for OCSP in cryptography >= 2.5 (#6603) 2019-02-05 10:45:15 -08:00
tests Protect certbot-auto against automated downgrades (#6448) 2018-11-19 14:28:59 -08:00
build.py Pin dependency versions when using tools/venv.sh (#4629) 2017-05-11 10:06:05 -07:00
certbot-auto.asc Release 0.30.2 2019-01-25 12:36:19 -08:00
Dockerfile.centos6 Update setuptools pinned in pipstrap (#6699) (#6704) 2019-01-25 11:53:29 -08:00
Dockerfile.jessie Update outdated tests (#6515) 2019-01-16 13:17:37 -08:00
Dockerfile.trusty Explicitly add six as a dependency in letsencrypt-auto-source dockerfiles (#5808) 2018-03-29 15:34:38 -07:00
Dockerfile.xenial Update outdated tests (#6515) 2019-01-16 13:17:37 -08:00
letsencrypt-auto Use built-in support for OCSP in cryptography >= 2.5 (#6603) 2019-02-05 10:45:15 -08:00
letsencrypt-auto.sig Release 0.30.2 2019-01-25 12:36:19 -08:00
letsencrypt-auto.template Add VIRTUALENV_NO_DOWNLOAD=1 to all calls to virtualenv (#6690) 2019-01-24 11:50:41 -08:00
version.py Cleanup test farm tests and add test_sdists (#4089) 2017-01-30 19:37:23 -08:00