diff --git a/openssl-111-middlebox-compat.patch b/openssl-111-middlebox-compat.patch
new file mode 100644
index 0000000..cd83563
--- /dev/null
+++ b/openssl-111-middlebox-compat.patch
@@ -0,0 +1,32 @@
+From 4fa35e8b1ebb2a8e88ba7c4c9cd2a17b35638ee6 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov
+Date: Fri, 28 Sep 2018 16:34:16 +0100
+Subject: [PATCH] bpo-34834: Fix test_ssl.test_options to account for
+ OP_ENABLE_MIDDLEBOX_COMPAT.
+
+Signed-off-by: Dimitri John Ledkov
+
+https://bugs.python.org/issue34834
+---
+ Lib/test/test_ssl.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: Python-2.7.15/Lib/test/test_ssl.py
+===================================================================
+--- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:32:59.190865648 +0100
++++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100
+@@ -777,8 +777,12 @@ class ContextTests(unittest.TestCase):
+ default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
+ # SSLContext also enables these by default
+ default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
+- ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE |
+- ssl.OP_ENABLE_MIDDLEBOX_COMPAT)
++ ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)
++ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
++ # define MIDDLEBOX constant, as python2.7 does not know about it
++ # but it is used by default.
++ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
++ default |= OP_ENABLE_MIDDLEBOX_COMPAT
+ self.assertEqual(default, ctx.options)
+ ctx.options |= ssl.OP_NO_TLSv1
+ self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
diff --git a/openssl-111-ssl_options.patch b/openssl-111-ssl_options.patch
new file mode 100644
index 0000000..d76ba48
--- /dev/null
+++ b/openssl-111-ssl_options.patch
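Review bot: `OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L` hard-codes an OpenSSL option bit as a bare decimal, which hides that it is OpenSSL's `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` (0x00100000) and makes the value hard to check against ssl.h; writing it as `OP_ENABLE_MIDDLEBOX_COMPAT = 0x00100000L` keeps the same value and makes the origin visible. The comment above it should name the source as well, e.g. `# SSL_OP_ENABLE_MIDDLEBOX_COMPAT (0x00100000) from OpenSSL 1.1.1 ssl.h; 2.7's ssl module exposes no constant for it`. The guard `if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):` matches the bit's availability, but note that this hunk only adjusts the test expectation, so the runtime ssl module still has no name for the option; the patch header could say so explicitly. The inner test_options function continues beyond this hunk.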
@@ -0,0 +1,13 @@
+Index: Python-2.7.15/Lib/test/test_ssl.py
+===================================================================
+--- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100
++++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 14:04:59.674004321 +0100
+@@ -776,7 +776,7 @@ class ContextTests(unittest.TestCase):
+ # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
+ default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
+ # SSLContext also enables these by default
+- default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
++ default |= (ssl.OP_NO_COMPRESSION |
+ ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)
+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
+ # define MIDDLEBOX constant, as python2.7 does not know about it
diff --git a/openssl-111.patch b/openssl-111.patch
new file mode 100644
index 0000000..8792dd9
--- /dev/null
+++ b/openssl-111.patch
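Review bot: This patch file has no header at all (no From/Subject/bug reference, unlike the two sibling patches), so the only rationale for dropping `ssl.OP_CIPHER_SERVER_PREFERENCE` from the expected default is the one-line comment in the spec files. A short preamble before `Index: Python-2.7.15/Lib/test/test_ssl.py` stating that the 2.7.15 SSLContext does not set OP_CIPHER_SERVER_PREFERENCE and that this hunk changes only the test's expectation, not the context's default options, would let a later reader tell whether the test or the default was the thing that was wrong. If the intent were for server cipher preference to be on by default, the fix would belong in the ssl module rather than in the assertion; as written the hunk only edits the assertion. The inner test_options function continues past the last line of this hunk.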
@@ -0,0 +1,137 @@
+From 9e32244ea7d2621030f040b0f4e5af89480ecc0f Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Wed, 15 Aug 2018 09:07:28 +0200
+Subject: [PATCH] [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
+ (GH-8760)
+
+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
+default.
+
+Also update multissltests to test with latest OpenSSL.
+
+Signed-off-by: Christian Heimes .
+(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
+
+Co-authored-by: Christian Heimes
+---
+ Doc/library/ssl.rst | 8 ++--
+ Lib/test/test_ssl.py | 37 +++++++++++--------
+ .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
+ 3 files changed, 27 insertions(+), 21 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+
+Index: Python-2.7.15/Doc/library/ssl.rst
+===================================================================
+--- Python-2.7.15.orig/Doc/library/ssl.rst
++++ Python-2.7.15/Doc/library/ssl.rst
+@@ -291,11 +291,6 @@ purposes.
+
+ 3DES was dropped from the default cipher string.
+
+- .. versionchanged:: 2.7.15
+-
+- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
+- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
+-
+ .. function:: _https_verify_certificates(enable=True)
+
+ Specifies whether or not server certificates are verified when creating
+@@ -1176,6 +1171,9 @@ to speed up repeated connections from th
+ when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
+ give the currently selected cipher.
+
++ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
++ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
++
+ ..
method:: SSLContext.set_alpn_protocols(protocols)
+
+ Specify which protocols the socket should advertise during the SSL/TLS
+Index: Python-2.7.15/Lib/test/test_ssl.py
+===================================================================
+--- Python-2.7.15.orig/Lib/test/test_ssl.py
++++ Python-2.7.15/Lib/test/test_ssl.py
+@@ -775,8 +775,10 @@ class ContextTests(unittest.TestCase):
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
+ default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
+- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
+- default |= ssl.OP_NO_COMPRESSION
++ # SSLContext also enables these by default
++ default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
++ ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE |
++ ssl.OP_ENABLE_MIDDLEBOX_COMPAT)
+ self.assertEqual(default, ctx.options)
+ ctx.options |= ssl.OP_NO_TLSv1
+ self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
+@@ -2765,19 +2767,24 @@ else:
+ sock.do_handshake()
+ self.assertEqual(cm.exception.errno, errno.ENOTCONN)
+
+- def test_default_ciphers(self):
+- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+- try:
+- # Force a set of weak ciphers on our client context
+- context.set_ciphers("DES")
+- except ssl.SSLError:
+- self.skipTest("no DES cipher available")
+- with ThreadedEchoServer(CERTFILE,
+- ssl_version=ssl.PROTOCOL_SSLv23,
+- chatty=False) as server:
+- with closing(context.wrap_socket(socket.socket())) as s:
+- with self.assertRaises(ssl.SSLError):
+- s.connect((HOST, server.port))
++ def test_no_shared_ciphers(self):
++ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
++ server_context.load_cert_chain(SIGNED_CERTFILE)
++ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
++ client_context.verify_mode = ssl.CERT_REQUIRED
++ client_context.check_hostname = True
++
++ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
++ client_context.options |= ssl.OP_NO_TLSv1_3
++ # Force
different suites on client and master
++ client_context.set_ciphers("AES128")
++ server_context.set_ciphers("AES256")
++ with ThreadedEchoServer(context=server_context) as server:
++ s = client_context.wrap_socket(
++ socket.socket(),
++ server_hostname="localhost")
++ with self.assertRaises(ssl.SSLError):
++ s.connect((HOST, server.port))
+ self.assertIn("no shared cipher", str(server.conn_errors[0]))
+
+ def test_version_basic(self):
+@@ -2805,12 +2812,12 @@ else:
+ ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
+ )
+ with ThreadedEchoServer(context=context) as server:
+- with context.wrap_socket(socket.socket()) as s:
++ with closing(context.wrap_socket(socket.socket())) as s:
+ s.connect((HOST, server.port))
+ self.assertIn(s.cipher()[0], [
+- 'TLS13-AES-256-GCM-SHA384',
+- 'TLS13-CHACHA20-POLY1305-SHA256',
+- 'TLS13-AES-128-GCM-SHA256',
++ 'TLS_AES_256_GCM_SHA384',
++ 'TLS_CHACHA20_POLY1305_SHA256',
++ 'TLS_AES_128_GCM_SHA256',
+ ])
+
+ @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+@@ -2819,6 +2826,7 @@ else:
+ # should be enabled by default on SSL contexts.
+ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ context.load_cert_chain(CERTFILE)
++ context.options |= ssl.OP_NO_TLSv1_3
+ # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
+ # explicitly using the 'ECCdraft' cipher alias. Otherwise,
+ # our default cipher list should prefer ECDH-based ciphers
+Index: Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+===================================================================
+--- /dev/null
++++ Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+@@ -0,0 +1,3 @@
++Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
++1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
++default.
diff --git a/python-base.changes b/python-base.changes
index c530669..f5642d8 100644
--- a/python-base.changes
+++ b/python-base.changes
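Review bot: In the new `test_no_shared_ciphers`, the socket from `s = client_context.wrap_socket(socket.socket(), server_hostname="localhost")` is never closed, so on the expected SSLError it lingers until garbage collection; the same patch's later hunk changes the equivalent call to `with closing(context.wrap_socket(socket.socket())) as s:` precisely because 2.7 sockets are not context managers. Use the same form here, `with closing(client_context.wrap_socket(socket.socket(), server_hostname="localhost")) as s:`, and indent the `with self.assertRaises(ssl.SSLError):` block under it. Separately, the ContextTests hunk makes `test_options` reference `ssl.OP_ENABLE_MIDDLEBOX_COMPAT`, which the 2.7 ssl module appears not to define (the follow-up openssl-111-middlebox-compat.patch in this same commit rewrites exactly those lines and says so); the series applied in order is fine, but this patch on its own leaves that test raising AttributeError. The `cipers` typo in the patch description and NEWS entry is carried over from upstream.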
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal
+
+- Add patch openssl-111.patch to work with openssl-1.1.1
+
 -------------------------------------------------------------------
 Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl
diff --git a/python-base.spec b/python-base.spec
index 14f554a..0b6e11f 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -60,10 +60,15 @@ Patch38: reproducible.patch
 Patch40: python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41: python-sorted_tar.patch
+# https://github.com/python/cpython/pull/8771
+Patch42: openssl-111.patch
 # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
 # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
-Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
-#
+Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
+Patch47: openssl-111-middlebox-compat.patch
+# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
+Patch48: openssl-111-ssl_options.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -172,6 +177,9 @@ other applications.
 %endif
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1
+%patch47 -p1
+%patch48 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python-doc.changes b/python-doc.changes
index 129c573..3644ec2 100644
--- a/python-doc.changes
+++ b/python-doc.changes
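Review bot: `Patch42` is re-pointed from the CVE-2018-1000802 patch to openssl-111.patch and the CVE patch is moved to `Patch43`; reusing an existing patch number for a different file is easy to misread in history and is fragile for any branch that cherry-picks part of this change, since a stale `%patch42 -p1` would then apply the wrong patch without any error. Keeping `Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch` in place and adding the new patches under fresh numbers (43, 44, 45 rather than 43, 47, 48, which also closes the unexplained gap) avoids the renumber entirely. The new `# https://github.com/python/cpython/pull/8771` comment also lacks the `# PATCH-FIX-UPSTREAM` tag that its neighbouring entries carry, e.g. `# PATCH-FIX-UPSTREAM bpo-33570 TLS 1.3 ciphers for OpenSSL 1.1.1 https://github.com/python/cpython/pull/8771`. The same two hunks appear in python-doc.spec and python.spec below and the same remarks apply there.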
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal
+
+- Add patch openssl-111.patch to work with openssl-1.1.1
+
 -------------------------------------------------------------------
 Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl
diff --git a/python-doc.spec b/python-doc.spec
index 8aa3ea3..c9be1be 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -61,10 +61,15 @@ Patch38: reproducible.patch
 Patch40: python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41: python-sorted_tar.patch
+# https://github.com/python/cpython/pull/8771
+Patch42: openssl-111.patch
 # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
 # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
-Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
-#
+Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
+Patch47: openssl-111-middlebox-compat.patch
+# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
+Patch48: openssl-111-ssl_options.patch
 # COMMON-PATCH-END
 Provides: pyth_doc
 Provides: pyth_ps
@@ -119,6 +124,9 @@ Python, and Macintosh Module Reference in PDF format.
 %endif
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1
+%patch47 -p1
+%patch48 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python.changes b/python.changes
index 6cc20bc..0adc8ce 100644
--- a/python.changes
+++ b/python.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Oct 29 13:21:20 UTC 2018 - Vítězslav Čížek
+
+- Enable all the tests in %check
+- Add more patches to successfully build with openssl 1.1.1
+ (bsc#1113755)
+ * openssl-111-middlebox-compat.patch
+ * openssl-111-ssl_options.patch
+
+-------------------------------------------------------------------
+Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal
+
+- Add patch openssl-111.patch to work with openssl-1.1.1
+
 -------------------------------------------------------------------
 Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl
diff --git a/python.spec b/python.spec
index e217001..886703f 100644
--- a/python.spec
+++ b/python.spec
@@ -66,10 +66,15 @@ Patch38: reproducible.patch
 Patch40: python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41: python-sorted_tar.patch
+# https://github.com/python/cpython/pull/8771
+Patch42: openssl-111.patch
 # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
 # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
-Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
-#
+Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
+Patch47: openssl-111-middlebox-compat.patch
+# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
+Patch48: openssl-111-ssl_options.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -225,6 +230,9 @@ that rely on earlier non-verification behavior.
 %endif
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1
+%patch47 -p1
+%patch48 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac