author | John Beck <John.Beck@Oracle.COM> |
Wed, 25 Feb 2015 20:44:31 -0800 | |
branch | s11-update |
changeset 3876 | da37433d5103 |
parent 3790 | 29f21fba058a |
permissions | -rw-r--r-- |
3790
29f21fba058a
20332546 problem in UTILITY/PYTHON
John Beck <John.Beck@Oracle.COM>
This patch comes from in-house. It has not yet been submitted upstream,
but submission is planned.
3876
da37433d5103
20605341 update Python to 3.4.3
John Beck <John.Beck@Oracle.COM>
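--- a/Python-3.4.3/Modules/_ssl.c
+++ b/Python-3.4.3/Modules/_ssl.c
@@ -2061,6 +2061,8 @@
 options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 if (proto_version != PY_SSL_VERSION_SSL2)
 options |= SSL_OP_NO_SSLv2;
+ if (proto_version != PY_SSL_VERSION_SSL3)
+ options |= SSL_OP_NO_SSLv3;
 SSL_CTX_set_options(self->ctx, options);
 
 #ifndef OPENSSL_NO_ECDH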
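Review bot: The two added lines that OR in `SSL_OP_NO_SSLv3` change the default protocol set of every context except one created with `PY_SSL_VERSION_SSL3`, and nothing in the code says why or that this is a local divergence from upstream. A comment above the new `if`, e.g. `/* Local patch: SSLv3 is off by default (POODLE); only an explicit PROTOCOL_SSLv3 context still negotiates it. */`, would keep a later rebase from dropping it silently. Callers that request PROTOCOL_SSLv3 explicitly still negotiate SSLv3, which looks intentional but is worth stating in the same comment. The enclosing function begins and ends outside this hunk.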
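--- a/Python-3.4.3/Lib/test/test_ssl.py
+++ b/Python-3.4.3/Lib/test/test_ssl.py
@@ -675,10 +675,7 @@
 @skip_if_broken_ubuntu_ssl
 def test_options(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # OP_ALL | OP_NO_SSLv2 is the default value
- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
- ctx.options)
- ctx.options |= ssl.OP_NO_SSLv3
+ # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
 ctx.options)
 if can_clear_options():
@@ -2171,17 +2168,17 @@
 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
 % str(x))
 if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
 
 if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
 
 if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
 
@@ -2213,7 +2210,8 @@
 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
 if no_sslv2_implies_sslv3_hello():
 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
- try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,
+ # until we disabled SSLv3 for Poodle
+ try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
 client_options=ssl.OP_NO_SSLv2)
 
 @skip_if_broken_ubuntu_ssl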
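Review bot: The comment added in the last hunk, `# until we disabled SSLv3 for Poodle`, is tacked onto the older "client will use an SSLv3 hello" line, so the pair describes history rather than what the flipped `False` now asserts. Something like `# SSLv3 is disabled by default (POODLE), so an SSLv23 client is refused by an SSLv3-only server` would read more clearly. The three `True` to `False` flips in the `@@ -2171` hunk carry no comment at all and would benefit from the same one-line explanation. `try_protocol_combo` is not visible here; if a `False` expectation is satisfied by any handshake failure, these cases do not on their own show that the refusal comes from `OP_NO_SSLv3`, and the `test_options` assertion in the first hunk is what pins the new default. The test methods around the last two hunks start and end outside them.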