mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-30 12:21:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)

Browse source 
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6f37ebc61e)

Co-authored-by: Christian Heimes <christian@python.org>
This commit is contained in:
Miss Islington (bot) 2021-04-09 09:21:54 -07:00 committed by GitHub
parent 4a5c101936
commit 54d89a33e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Doc/library/ssl.rst
View file

@ -886,6 +886,14 @@ Constants
.. versionadded:: 3.6 .. versionadded:: 3.6
.. data:: OP_IGNORE_UNEXPECTED_EOF
Ignore unexpected shutdown of TLS connections.
This option is only available with OpenSSL 3.0.0 and later.
.. versionadded:: 3.10
.. data:: HAS_ALPN .. data:: HAS_ALPN
Whether the OpenSSL library has built-in support for the *Application-Layer Whether the OpenSSL library has built-in support for the *Application-Layer

4
Lib/test/test_ssl.py
View file

@ -147,6 +147,7 @@ OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0) OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0) OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0) OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
# Ubuntu has patched OpenSSL and changed behavior of security level 2 # Ubuntu has patched OpenSSL and changed behavior of security level 2
# see https://bugs.python.org/issue41561#msg389003 # see https://bugs.python.org/issue41561#msg389003
@ -1164,7 +1165,8 @@ class ContextTests(unittest.TestCase):
# SSLContext also enables these by default # SSLContext also enables these by default
default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE | OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
OP_ENABLE_MIDDLEBOX_COMPAT) OP_ENABLE_MIDDLEBOX_COMPAT |
OP_IGNORE_UNEXPECTED_EOF)
self.assertEqual(default, ctx.options) self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1 ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)

1
Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst Normal file
View file

@ -0,0 +1 @@
Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)

8
Modules/_ssl.c
View file

@ -3212,6 +3212,10 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
#endif #endif
#ifdef SSL_OP_SINGLE_ECDH_USE #ifdef SSL_OP_SINGLE_ECDH_USE
options |= SSL_OP_SINGLE_ECDH_USE; options |= SSL_OP_SINGLE_ECDH_USE;
#endif
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
/* Make OpenSSL 3.0.0 behave like 1.1.1 */
options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
#endif #endif
SSL_CTX_set_options(self->ctx, options); SSL_CTX_set_options(self->ctx, options);
@ -6270,6 +6274,10 @@ PyInit__ssl(void)
PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION", PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION",
SSL_OP_NO_RENEGOTIATION); SSL_OP_NO_RENEGOTIATION);
#endif #endif
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
SSL_OP_IGNORE_UNEXPECTED_EOF);
#endif
#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT", PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",