1 This patch comes from in-house. It has not yet been submitted upstream, |
1 This patch comes from in-house. It has not yet been submitted upstream, |
2 but submission is planned. |
2 but submission is planned. |
3 |
3 |
4 --- Python-3.4.2/Modules/_ssl.c.~1~ 2014-10-08 01:18:15.000000000 -0700 |
4 --- Python-3.4.3/Modules/_ssl.c.~1~ 2015-02-25 03:27:45.000000000 -0800 |
5 +++ Python-3.4.2/Modules/_ssl.c 2015-01-08 12:47:54.633548859 -0800 |
5 +++ Python-3.4.3/Modules/_ssl.c 2015-02-25 08:51:04.532103249 -0800 |
6 @@ -2059,6 +2059,8 @@ |
6 @@ -2061,6 +2061,8 @@ |
7 options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
7 options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
8 if (proto_version != PY_SSL_VERSION_SSL2) |
8 if (proto_version != PY_SSL_VERSION_SSL2) |
9 options |= SSL_OP_NO_SSLv2; |
9 options |= SSL_OP_NO_SSLv2; |
10 + if (proto_version != PY_SSL_VERSION_SSL3) |
10 + if (proto_version != PY_SSL_VERSION_SSL3) |
11 + options |= SSL_OP_NO_SSLv3; |
11 + options |= SSL_OP_NO_SSLv3; |
12 SSL_CTX_set_options(self->ctx, options); |
12 SSL_CTX_set_options(self->ctx, options); |
13 |
13 |
14 #ifndef OPENSSL_NO_ECDH |
14 #ifndef OPENSSL_NO_ECDH |
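Review bot: The two added lines in `_ssl.c` change a security default without a comment; the only mention of the reason (POODLE) is in the test file. The check exempts contexts created with `PY_SSL_VERSION_SSL3`, and the test hunk shows `ctx.options` being modified from Python, so this is a default rather than a hard disable: a caller that explicitly asks for PROTOCOL_SSLv3 still gets an SSLv3 context. I would add above the new `if`: `/* SSLv3 is off by default because of POODLE; only an explicit PROTOCOL_SSLv3 context, or clearing OP_NO_SSLv3 where OpenSSL permits it, re-enables it. */`. The enclosing function starts and ends outside the hunk, so whether any other path sets or resets these options cannot be confirmed from here.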
15 --- Python-3.4.2/Lib/test/test_ssl.py.~1~ 2014-10-08 01:18:14.000000000 -0700 |
15 --- Python-3.4.3/Lib/test/test_ssl.py.~1~ 2015-02-25 03:27:45.000000000 -0800 |
16 +++ Python-3.4.2/Lib/test/test_ssl.py 2015-01-08 18:09:09.276695442 -0800 |
16 +++ Python-3.4.3/Lib/test/test_ssl.py 2015-02-25 08:50:21.079031281 -0800 |
17 @@ -674,10 +674,7 @@ |
17 @@ -675,10 +675,7 @@ |
18 @skip_if_broken_ubuntu_ssl |
18 @skip_if_broken_ubuntu_ssl |
19 def test_options(self): |
19 def test_options(self): |
20 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) |
20 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) |
21 - # OP_ALL | OP_NO_SSLv2 is the default value |
21 - # OP_ALL | OP_NO_SSLv2 is the default value |
22 - self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, |
22 - self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, |
24 - ctx.options |= ssl.OP_NO_SSLv3 |
24 - ctx.options |= ssl.OP_NO_SSLv3 |
25 + # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value |
25 + # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value |
26 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, |
26 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, |
27 ctx.options) |
27 ctx.options) |
28 if can_clear_options(): |
28 if can_clear_options(): |
29 @@ -2149,15 +2146,15 @@ |
29 @@ -2171,17 +2168,17 @@ |
30 sys.stdout.write( |
|
31 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" |
30 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" |
32 % str(x)) |
31 % str(x)) |
33 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True) |
32 if hasattr(ssl, 'PROTOCOL_SSLv3'): |
34 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False) |
33 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True) |
|
34 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False) |
35 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True) |
35 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True) |
36 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True) |
36 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True) |
37 |
37 |
38 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL) |
38 if hasattr(ssl, 'PROTOCOL_SSLv3'): |
39 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL) |
39 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL) |
|
40 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL) |
40 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL) |
41 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL) |
41 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL) |
42 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL) |
42 |
43 |
43 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED) |
44 if hasattr(ssl, 'PROTOCOL_SSLv3'): |
44 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED) |
45 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED) |
|
46 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED) |
45 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED) |
47 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED) |
46 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED) |
48 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED) |
47 |
49 |
48 @@ -2186,7 +2183,8 @@ |
50 @@ -2213,7 +2210,8 @@ |
49 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) |
51 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) |
50 if no_sslv2_implies_sslv3_hello(): |
52 if no_sslv2_implies_sslv3_hello(): |
51 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs |
53 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs |
52 - try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True, |
54 - try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True, |
53 + # until we disabled SSLv3 for Poodle |
55 + # until we disabled SSLv3 for Poodle |