From ae650968ab1514883be8015df381f666ec496b34 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 9 Apr 2021 16:40:22 +0200
Subject: [PATCH] bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by
default
Signed-off-by: Christian Heimes <christian@python.org>
---
Doc/library/ssl.rst | 8 ++++++++
Lib/test/test_ssl.py | 4 +++-
Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst | 1 +
Modules/_ssl.c | 8 ++++++++
4 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
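--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -844,6 +844,14 @@ Constants
 
 .. versionadded:: 3.6
 
+.. data:: OP_IGNORE_UNEXPECTED_EOF
+
+ Ignore unexpected shutdown of TLS connections.
+
+ This option is only available with OpenSSL 3.0.0 and later.
+
+ .. versionadded:: 3.10
+
 .. data:: HAS_ALPN
 
 Whether the OpenSSL library has built-in support for the *Application-Layer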
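--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -97,6 +97,7 @@ OP_SINGLE_DH_USE = getattr(ssl, "OP_SING
 OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
 
 def clean_OpenSSL30_san(in_tup):
 if ssl._OPENSSL_API_VERSION >= (3, 0, 0):
@@ -981,7 +982,8 @@ class ContextTests(unittest.TestCase):
 # SSLContext also enables these by default
 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
- OP_ENABLE_MIDDLEBOX_COMPAT)
+ OP_ENABLE_MIDDLEBOX_COMPAT |
+ OP_IGNORE_UNEXPECTED_EOF)
 self.assertEqual(default, ctx.options)
 ctx.options |= ssl.OP_NO_TLSv1
 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)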
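Review bot: The updated assertion in `ContextTests` pins only the default option mask, so nothing checks that a caller can switch the new default off again. Because `OP_IGNORE_UNEXPECTED_EOF` falls back to 0 on builds without the constant, a guarded check would be safe on every OpenSSL version: `if OP_IGNORE_UNEXPECTED_EOF: ctx.options &= ~OP_IGNORE_UNEXPECTED_EOF` followed by `self.assertEqual(0, ctx.options & OP_IGNORE_UNEXPECTED_EOF)`. The test method starts and ends outside the hunk, so where to place it, and whether later assertions depend on the mask, needs checking against the full file.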
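--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
@@ -0,0 +1 @@
+Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)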
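--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2870,6 +2870,10 @@ _ssl__SSLContext_impl(PyTypeObject *type
 #ifdef SSL_OP_SINGLE_ECDH_USE
 options |= SSL_OP_SINGLE_ECDH_USE;
 #endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ /* Make OpenSSL 3.0.0 behave like 1.1.1 */
+ options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
 SSL_CTX_set_options(self->ctx, options);
 
 /* A bare minimum cipher list without completely broken cipher suites.
@@ -5625,6 +5629,10 @@ PyInit__ssl(void)
 PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
 SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
 #endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
+ SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
 
 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
 PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",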
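Review bot: The comment on the new `options |= SSL_OP_IGNORE_UNEXPECTED_EOF;` line in `_ssl__SSLContext_impl` records only the compatibility motive, not the security trade-off that comes with it. With this flag set, a peer that closes the connection without sending close_notify is treated as a clean shutdown, so every context created here loses OpenSSL 3.0's truncation signal unless the caller clears the bit. I would spell that out, e.g. `/* Match 1.1.1: EOF without close_notify is treated as a clean shutdown. Protocols that cannot detect truncation themselves should clear this option. */`, and mirror the caveat in the `ssl.rst` entry for the constant. The function body starts and ends outside the hunk.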