aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch')
-rw-r--r--meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch173
1 files changed, 0 insertions, 173 deletions
diff --git a/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch b/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
deleted file mode 100644
index 56d591d1b5..0000000000
--- a/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From 170a614904febd14ff6cfd7a75c9bccc114b3948 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Tue, 14 Aug 2018 16:56:32 +0200
-Subject: [PATCH] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761)
-
-Backport of TLS 1.3 related fixes from 3.7.
-
-Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git
-master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
-default. Some test cases only apply to TLS 1.2.
-
-OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
-1.3. The feature is enabled by default for maximum compatibility with
-broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
-it to verify default options
-
-Signed-off-by: Christian Heimes <christian@python.org>
-
-Upstream-Status: Backport
-[https://github.com/python/cpython/commit/2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Doc/library/ssl.rst | 9 ++++++
- Lib/test/test_asyncio/test_events.py | 6 +++-
- Lib/test/test_ssl.py | 29 +++++++++++++++----
- .../2018-08-14-08-57-01.bpo-32947.mqStVW.rst | 2 ++
- Modules/_ssl.c | 4 +++
- 5 files changed, 44 insertions(+), 6 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
-
-diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
-index 29c5e94cf6..f63a3deec5 100644
---- a/Doc/library/ssl.rst
-+++ b/Doc/library/ssl.rst
-@@ -757,6 +757,15 @@ Constants
-
- .. versionadded:: 3.3
-
-+.. data:: OP_ENABLE_MIDDLEBOX_COMPAT
-+
-+ Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make
-+ a TLS 1.3 connection look more like a TLS 1.2 connection.
-+
-+ This option is only available with OpenSSL 1.1.1 and later.
-+
-+ .. versionadded:: 3.6.7
-+
- .. data:: OP_NO_COMPRESSION
-
- Disable compression on the SSL channel. This is useful if the application
-diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py
-index 492a84a231..6f208474b9 100644
---- a/Lib/test/test_asyncio/test_events.py
-+++ b/Lib/test/test_asyncio/test_events.py
-@@ -1169,7 +1169,11 @@ class EventLoopTestsMixin:
- self.loop.run_until_complete(f_c)
-
- # close connection
-- proto.transport.close()
-+ # transport may be None with TLS 1.3, because connection is
-+ # interrupted, server is unable to send session tickets, and
-+ # transport is closed.
-+ if proto.transport is not None:
-+ proto.transport.close()
- server.close()
-
- def test_legacy_create_server_ssl_match_failed(self):
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index 1acc12ec2d..a2e1d32a62 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -78,6 +78,7 @@ OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
- OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
- OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
- OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
-+OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
-
-
- def handle_error(prefix):
-@@ -155,8 +156,8 @@ class BasicSocketTests(unittest.TestCase):
- ssl.OP_NO_TLSv1
- ssl.OP_NO_TLSv1_3
- if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
-- ssl.OP_NO_TLSv1_1
-- ssl.OP_NO_TLSv1_2
-+ ssl.OP_NO_TLSv1_1
-+ ssl.OP_NO_TLSv1_2
-
- def test_str_for_enums(self):
- # Make sure that the PROTOCOL_* constants have enum-like string
-@@ -854,7 +855,8 @@ class ContextTests(unittest.TestCase):
- default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
- # SSLContext also enables these by default
- default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
-- OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE)
-+ OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
-+ OP_ENABLE_MIDDLEBOX_COMPAT)
- self.assertEqual(default, ctx.options)
- ctx.options |= ssl.OP_NO_TLSv1
- self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
-@@ -1860,11 +1862,26 @@ else:
- self.sock, server_side=True)
- self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol())
- self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
-- except (ssl.SSLError, ConnectionResetError) as e:
-+ except (ConnectionResetError, BrokenPipeError) as e:
- # We treat ConnectionResetError as though it were an
- # SSLError - OpenSSL on Ubuntu abruptly closes the
- # connection when asked to use an unsupported protocol.
- #
-+ # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
-+ # tries to send session tickets after handshake.
-+ # https://github.com/openssl/openssl/issues/6342
-+ self.server.conn_errors.append(str(e))
-+ if self.server.chatty:
-+ handle_error(
-+ "\n server: bad connection attempt from " + repr(
-+ self.addr) + ":\n")
-+ self.running = False
-+ self.close()
-+ return False
-+ except (ssl.SSLError, OSError) as e:
-+ # OSError may occur with wrong protocols, e.g. both
-+ # sides use PROTOCOL_TLS_SERVER.
-+ #
- # XXX Various errors can have happened here, for example
- # a mismatching protocol version, an invalid certificate,
- # or a low-level bug. This should be made more discriminating.
-@@ -2974,7 +2991,7 @@ else:
- # Block on the accept and wait on the connection to close.
- evt.set()
- remote, peer = server.accept()
-- remote.recv(1)
-+ remote.send(remote.recv(4))
-
- t = threading.Thread(target=serve)
- t.start()
-@@ -2982,6 +2999,8 @@ else:
- evt.wait()
- client = context.wrap_socket(socket.socket())
- client.connect((host, port))
-+ client.send(b'data')
-+ client.recv()
- client_addr = client.getsockname()
- client.close()
- t.join()
-diff --git a/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
-new file mode 100644
-index 0000000000..28de360c36
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
-@@ -0,0 +1,2 @@
-+Add OP_ENABLE_MIDDLEBOX_COMPAT and test workaround for TLSv1.3 for future
-+compatibility with OpenSSL 1.1.1.
-diff --git a/Modules/_ssl.c b/Modules/_ssl.c
-index c71d89607c..eb123a87ba 100644
---- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -4858,6 +4858,10 @@ PyInit__ssl(void)
- PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
- SSL_OP_NO_COMPRESSION);
- #endif
-+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
-+ PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
-+ SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
-+#endif
-
- #if HAVE_SNI
- r = Py_True;
---
-2.17.1
-