Issue #19940: ssl.cert_time_to_seconds() now interprets the given time string in the UTC timezone (as specified in RFC 5280), not the local timezone.

Patch by Akira.

Issue #20896: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.

Closes #21013 by modfying ssl.create_default_context() to:

* Move the restricted ciphers to only apply when using
  ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
  is the lack of RC4 in the restricted. However there are servers that exist
  that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
  will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
  of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
  socket the context will prioritize our ciphers which have been carefully
  selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
  that end users can more easily determine if they need to unset
  ssl.OP_NO_SSLv3.

Closes #20995 by Enabling better security by prioritizing ciphers
such that:

* Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
* Prefer ECDHE over DHE for better performance
* Prefer any AES-GCM over any AES-CBC for better performance and security
* Then Use HIGH cipher suites as a fallback
* Then Use 3DES as fallback which is secure but slow
* Finally use RC4 as a fallback which is problematic but needed for
  compatibility some times.
* Disable NULL authentication, NULL encryption, and MD5 MACs for security
  reasons

Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.

with server_hostname on handshake.

create SSLContext objects in Python's stdlib module. It provides a single
configuration point and makes use of SSLContext.load_default_certs().

a new SSLContext object with secure default settings.

certificates from default stores or system stores. By default the method
loads CA certs for authentication of server certs.

CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.

of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.

Issue #19448: Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.

for security reasons.  It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.

Issue #9177: Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket.
Patch by Senko Rasic.

ModuleNotFoundError.

the default locations for cafile and capath.

Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

Issue #13721: SSLSocket.getpeercert() and SSLSocket.do_handshake() now raise an OSError with ENOTCONN, instead of an AttributeError, when the SSLSocket is not connected.

remove __del__ because it's evil and also prevents the ResourceWarning on the socket from happening (closes #16900)

Issue #8109: The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
Patch by Daniel Black.

Original patch by Jeff McNeil.

Issue #14204: The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
Patch by Colin Marc.

(except when SSLv2 is explicitly asked for).

(except when SSLv2 is explicitly asked for).

SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.

(followup to issue #13627)