Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.

2025-08-22 17:55:18 +00:00 · 2016-09-05 23:23:24 +02:00 · 2016-09-05 23:23:24 +02:00 · 01113faef9
commit 01113faef9
parent ae8298bfb7 598894ff48
6 changed files with 400 additions and 165 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -51,6 +51,7 @@ The following constants identify various SSL protocol variants:
 PROTOCOL_SSLv2
 PROTOCOL_SSLv3
 PROTOCOL_SSLv23
+PROTOCOL_TLS
 PROTOCOL_TLSv1
 PROTOCOL_TLSv1_1
 PROTOCOL_TLSv1_2
@ -128,9 +129,10 @@ from _ssl import _OPENSSL_API_VERSION

 _IntEnum._convert(
        '_SSLMethod', __name__,
-        lambda name: name.startswith('PROTOCOL_'),
+        lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
        source=_ssl)

+PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS
 _PROTOCOL_NAMES = {value: name for name, value in _SSLMethod.__members__.items()}

 try:
@ -357,13 +359,13 @@ class SSLContext(_SSLContext):
    __slots__ = ('protocol', '__weakref__')
    _windows_cert_stores = ("CA", "ROOT")

-    def __new__(cls, protocol, *args, **kwargs):
+    def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs):
        self = _SSLContext.__new__(cls, protocol)
        if protocol != _SSLv2_IF_EXISTS:
            self.set_ciphers(_DEFAULT_CIPHERS)
        return self

-    def __init__(self, protocol):
+    def __init__(self, protocol=PROTOCOL_TLS):
        self.protocol = protocol

    def wrap_socket(self, sock, server_side=False,
@ -438,7 +440,7 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
    if not isinstance(purpose, _ASN1Object):
        raise TypeError(purpose)

-    context = SSLContext(PROTOCOL_SSLv23)
+    context = SSLContext(PROTOCOL_TLS)

    # SSLv2 considered harmful.
    context.options |= OP_NO_SSLv2
@ -475,7 +477,7 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
        context.load_default_certs(purpose)
    return context

-def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
+def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
                           check_hostname=False, purpose=Purpose.SERVER_AUTH,
                           certfile=None, keyfile=None,
                           cafile=None, capath=None, cadata=None):
@ -666,7 +668,7 @@ class SSLSocket(socket):

    def __init__(self, sock=None, keyfile=None, certfile=None,
                 server_side=False, cert_reqs=CERT_NONE,
-                 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
+                 ssl_version=PROTOCOL_TLS, ca_certs=None,
                 do_handshake_on_connect=True,
                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
                 suppress_ragged_eofs=True, npn_protocols=None, ciphers=None,
@ -1055,7 +1057,7 @@ class SSLSocket(socket):

 def wrap_socket(sock, keyfile=None, certfile=None,
                server_side=False, cert_reqs=CERT_NONE,
-                ssl_version=PROTOCOL_SSLv23, ca_certs=None,
+                ssl_version=PROTOCOL_TLS, ca_certs=None,
                do_handshake_on_connect=True,
                suppress_ragged_eofs=True,
                ciphers=None):
@ -1124,7 +1126,7 @@ def PEM_cert_to_DER_cert(pem_cert_string):
    d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.decodebytes(d.encode('ASCII', 'strict'))

-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
+def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None):
    """Retrieve the certificate from the server at the specified address,
    and return it as a PEM-encoded string.
    If 'ca_certs' is specified, validate the server cert against it.