python: fix failing ssl tests

Backport two and pick some other in-review patches from Ubuntu to fix ssl test failures because of OpenSSL 1.1.x changes. Fixes [YOCTO #12788] (From OE-Core rev: 4f4bbb936231dd30c3745ef573993f1062937ffd) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2018-10-04 13:09:16 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-10-08 14:13:54 +0100
commit: 2b4dce4925627c81ee2f27a0eeb2422e15029c3e (patch)
tree: 48e0333d2e1a1f5f5de14c3a0972de326c82418e
parent: 4b8fd52f6d3682be287cc63d73bd06cb751751f4 (diff)
download: poky-2b4dce4925627c81ee2f27a0eeb2422e15029c3e.tar.gz
6 files changed, 292 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 901acd0219..66923678b1 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -7,7 +7,13 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
-SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz"
+SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+           file://0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch \
+           file://0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch \
+           file://0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch \
+           file://0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch \
+           file://0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch \
+           "
 SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d"
 SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574"
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
new file mode 100644
index 0000000000..776bbdcf7a
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
@@ -0,0 +1,57 @@
+From 19f6bd06af3c7fc0db5f96878aaa68f5589ff13e Mon Sep 17 00:00:00 2001
+From: Pablo Galindo <Pablogsal@gmail.com>
+Date: Thu, 24 May 2018 23:20:44 +0100
+Subject: [PATCH] bpo-33354: Fix test_ssl when a filename cannot be encoded
+ (GH-6613)
+Skip test_load_dh_params() of test_ssl when Python filesystem encoding
+cannot encode the provided path.
+Upstream-Status:
+Backport[https://github.com/python/cpython/commit/19f6bd06af3c7fc0db5f96878aaa68f5589ff13e]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/test/test_ssl.py                                     | 9 ++++++++-
+ .../next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst  | 2 ++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index b59fe73f04..7ced90fdf6 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -989,6 +989,13 @@ class ContextTests(unittest.TestCase):
+ 
+ 
+     def test_load_dh_params(self):
+        filename = u'dhpäräm.pem'
+        fs_encoding = sys.getfilesystemencoding()
+        try:
+            filename.encode(fs_encoding)
+        except UnicodeEncodeError:
+            self.skipTest("filename %r cannot be encoded to the filesystem encoding %r" % (filename, fs_encoding))
+
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+         ctx.load_dh_params(DHFILE)
+         if os.name != 'nt':
+@@ -1001,7 +1008,7 @@ class ContextTests(unittest.TestCase):
+         with self.assertRaises(ssl.SSLError) as cm:
+             ctx.load_dh_params(CERTFILE)
+         with support.temp_dir() as d:
+-            fname = os.path.join(d, u'dhpäräm.pem')
+            fname = os.path.join(d, filename)
+             shutil.copy(DHFILE, fname)
+             ctx.load_dh_params(fname)
+ 
+diff --git a/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
+new file mode 100644
+index 0000000000..c66cecac32
+--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
+@@ -0,0 +1,2 @@
+Skip ``test_ssl.test_load_dh_params`` when Python filesystem encoding cannot encode the
+provided path.
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
new file mode 100644
index 0000000000..1f70562fc0
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
@@ -0,0 +1,120 @@
+From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Wed, 15 Aug 2018 09:07:28 +0200
+Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
+ (GH-8760)
+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
+default.
+Also update multissltests to test with latest OpenSSL.
+Signed-off-by: Christian Heimes <christian@python.org>.
+(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
+Co-authored-by: Christian Heimes <christian@python.org>
+Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Doc/library/ssl.rst                           |  8 ++--
+ Lib/test/test_ssl.py                          | 37 +++++++++++--------
+ .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst  |  3 ++
+ 3 files changed, 27 insertions(+), 21 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
+index 0421031772..7c7c85b833 100644
+--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
+@@ -294,11 +294,6 @@ purposes.
+ 
+      3DES was dropped from the default cipher string.
+ 
+-   .. versionchanged:: 2.7.15
+-
+-     TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
+-     and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
+-
+ .. function:: _https_verify_certificates(enable=True)
+ 
+    Specifies whether or not server certificates are verified when creating
+@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
+       when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
+       give the currently selected cipher.
+ 
+      OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
+      cannot be disabled with :meth:`~SSLContext.set_ciphers`.
+
+ .. method:: SSLContext.set_alpn_protocols(protocols)
+ 
+    Specify which protocols the socket should advertise during the SSL/TLS
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index dc14e22ad1..f51572e319 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -2772,19 +2772,24 @@ else:
+                     sock.do_handshake()
+                 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
+ 
+-        def test_default_ciphers(self):
+-            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+-            try:
+-                # Force a set of weak ciphers on our client context
+-                context.set_ciphers("DES")
+-            except ssl.SSLError:
+-                self.skipTest("no DES cipher available")
+-            with ThreadedEchoServer(CERTFILE,
+-                                    ssl_version=ssl.PROTOCOL_SSLv23,
+-                                    chatty=False) as server:
+-                with closing(context.wrap_socket(socket.socket())) as s:
+-                    with self.assertRaises(ssl.SSLError):
+-                        s.connect((HOST, server.port))
+        def test_no_shared_ciphers(self):
+            server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            server_context.load_cert_chain(SIGNED_CERTFILE)
+            client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            client_context.verify_mode = ssl.CERT_REQUIRED
+            client_context.check_hostname = True
+
+            # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
+            client_context.options |= ssl.OP_NO_TLSv1_3
+            # Force different suites on client and master
+            client_context.set_ciphers("AES128")
+            server_context.set_ciphers("AES256")
+            with ThreadedEchoServer(context=server_context) as server:
+                s = client_context.wrap_socket(
+                        socket.socket(),
+                        server_hostname="localhost")
+                with self.assertRaises(ssl.SSLError):
+                    s.connect((HOST, server.port))
+             self.assertIn("no shared cipher", str(server.conn_errors[0]))
+ 
+         def test_version_basic(self):
+@@ -2815,9 +2820,9 @@ else:
+                 with context.wrap_socket(socket.socket()) as s:
+                     s.connect((HOST, server.port))
+                     self.assertIn(s.cipher()[0], [
+-                        'TLS13-AES-256-GCM-SHA384',
+-                        'TLS13-CHACHA20-POLY1305-SHA256',
+-                        'TLS13-AES-128-GCM-SHA256',
+                        'TLS_AES_256_GCM_SHA384',
+                        'TLS_CHACHA20_POLY1305_SHA256',
+                        'TLS_AES_128_GCM_SHA256',
+                     ])
+ 
+         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+new file mode 100644
+index 0000000000..bd719a47e8
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+@@ -0,0 +1,3 @@
+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
+default.
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
new file mode 100644
index 0000000000..96882712e9
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
@@ -0,0 +1,37 @@
+From 0e1f3856a7e1511fb64d99646c54ddf3897cd444 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Fri, 28 Sep 2018 14:15:52 +0100
+Subject: [PATCH 2/4] bpo-34818: Add missing closing() wrapper in test_tls1_3.
+Python 2.7 socket classes do not implement context manager protocol,
+hence closing() is required around it. Resolves testcase error
+traceback.
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+https://bugs.python.org/issue34818
+Patch taken from Ubuntu.
+Upstream-Status: Submitted [https://github.com/python/cpython/pull/9622]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/test/test_ssl.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index f51572e319..7a14053cee 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -2817,7 +2817,7 @@ else:
+                 ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
+             )
+             with ThreadedEchoServer(context=context) as server:
+-                with context.wrap_socket(socket.socket()) as s:
+                with closing(context.wrap_socket(socket.socket())) as s:
+                     s.connect((HOST, server.port))
+                     self.assertIn(s.cipher()[0], [
+                         'TLS_AES_256_GCM_SHA384',
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
new file mode 100644
index 0000000000..77016cb430
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
@@ -0,0 +1,37 @@
+From 8b06d56d26eee289fec22b9b72ab4c7cc3d6c482 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Fri, 28 Sep 2018 16:34:16 +0100
+Subject: [PATCH 3/4] bpo-34834: Fix test_ssl.test_options to account for
+ OP_ENABLE_MIDDLEBOX_COMPAT.
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+https://bugs.python.org/issue34834
+Patch taken from Ubuntu.
+Upstream-Status: Submitted [https://github.com/python/cpython/pull/9624]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/test/test_ssl.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 7a14053cee..efc906a5ba 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -777,6 +777,11 @@ class ContextTests(unittest.TestCase):
+         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
+         if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
+             default |= ssl.OP_NO_COMPRESSION
+        if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
+            # define MIDDLEBOX constant, as python2.7 does not know about it
+            # but it is used by default.
+            OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
+            default |= OP_ENABLE_MIDDLEBOX_COMPAT
+         self.assertEqual(default, ctx.options)
+         ctx.options |= ssl.OP_NO_TLSv1
+         self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
new file mode 100644
index 0000000000..39e1bcfc86
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
@@ -0,0 +1,34 @@
+From 946a7969345c6697697effd226ec396d3fea05b7 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Fri, 28 Sep 2018 17:30:19 +0100
+Subject: [PATCH 4/4] bpo-34836: fix test_default_ecdh_curve, needs no tlsv1.3.
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+https://bugs.python.org/issue34836
+Patch taken from Ubuntu.
+Upstream-Status: Submitted [https://github.com/python/cpython/pull/9626]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/test/test_ssl.py | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index efc906a5ba..4a3286cd5f 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -2836,6 +2836,9 @@ else:
+             # should be enabled by default on SSL contexts.
+             context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+             context.load_cert_chain(CERTFILE)
+            # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
+            # cipher name.
+            context.options |= ssl.OP_NO_TLSv1_3
+             # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
+             # explicitly using the 'ECCdraft' cipher alias.  Otherwise,
+             # our default cipher list should prefer ECDH-based ciphers
+-- 
+2.17.1
author	Anuj Mittal <anuj.mittal@intel.com>	2018-10-04 13:09:16 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-10-08 14:13:54 +0100
commit	2b4dce4925627c81ee2f27a0eeb2422e15029c3e (patch)
tree	48e0333d2e1a1f5f5de14c3a0972de326c82418e
parent	4b8fd52f6d3682be287cc63d73bd06cb751751f4 (diff)
download	poky-2b4dce4925627c81ee2f27a0eeb2422e15029c3e.tar.gz

diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc index 901acd0219..66923678b1 100644 --- a/meta/recipes-devtools/python/python.inc +++ b/meta/recipes-devtools/python/python.inc
@@ -7,7 +7,13 @@ INC_PR = "r1"
7		7
8	LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"	8	LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
9		9
10	SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz"	10	SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
		11	file://0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch \
		12	file://0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch \
		13	file://0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch \
		14	file://0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch \
		15	file://0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch \
		16	"
11		17
12	SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d"	18	SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d"
13	SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574"	19	SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574"


diff --git a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch new file mode 100644 index 0000000000..776bbdcf7a --- /dev/null +++ b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
@@ -0,0 +1,57 @@
		1	From 19f6bd06af3c7fc0db5f96878aaa68f5589ff13e Mon Sep 17 00:00:00 2001
		2	From: Pablo Galindo <Pablogsal@gmail.com>
		3	Date: Thu, 24 May 2018 23:20:44 +0100
		4	Subject: [PATCH] bpo-33354: Fix test_ssl when a filename cannot be encoded
		5	(GH-6613)
		6
		7	Skip test_load_dh_params() of test_ssl when Python filesystem encoding
		8	cannot encode the provided path.
		9
		10	Upstream-Status:
		11	Backport[https://github.com/python/cpython/commit/19f6bd06af3c7fc0db5f96878aaa68f5589ff13e]
		12
		13	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		14	---
		15	Lib/test/test_ssl.py \| 9 ++++++++-
		16	.../next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst \| 2 ++
		17	2 files changed, 10 insertions(+), 1 deletion(-)
		18	create mode 100644 Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
		19
		20	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
		21	index b59fe73f04..7ced90fdf6 100644
		22	--- a/Lib/test/test_ssl.py
		23	+++ b/Lib/test/test_ssl.py
		24	@@ -989,6 +989,13 @@ class ContextTests(unittest.TestCase):
		25
		26
		27	def test_load_dh_params(self):
		28	+ filename = u'dhpäräm.pem'
		29	+ fs_encoding = sys.getfilesystemencoding()
		30	+ try:
		31	+ filename.encode(fs_encoding)
		32	+ except UnicodeEncodeError:
		33	+ self.skipTest("filename %r cannot be encoded to the filesystem encoding %r" % (filename, fs_encoding))
		34	+
		35	ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
		36	ctx.load_dh_params(DHFILE)
		37	if os.name != 'nt':
		38	@@ -1001,7 +1008,7 @@ class ContextTests(unittest.TestCase):
		39	with self.assertRaises(ssl.SSLError) as cm:
		40	ctx.load_dh_params(CERTFILE)
		41	with support.temp_dir() as d:
		42	- fname = os.path.join(d, u'dhpäräm.pem')
		43	+ fname = os.path.join(d, filename)
		44	shutil.copy(DHFILE, fname)
		45	ctx.load_dh_params(fname)
		46
		47	diff --git a/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
		48	new file mode 100644
		49	index 0000000000..c66cecac32
		50	--- /dev/null
		51	+++ b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
		52	@@ -0,0 +1,2 @@
		53	+Skip ``test_ssl.test_load_dh_params`` when Python filesystem encoding cannot encode the
		54	+provided path.
		55	--
		56	2.17.1
		57


diff --git a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch new file mode 100644 index 0000000000..1f70562fc0 --- /dev/null +++ b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
@@ -0,0 +1,120 @@
		1	From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
		2	From: Christian Heimes <christian@python.org>
		3	Date: Wed, 15 Aug 2018 09:07:28 +0200
		4	Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
		5	(GH-8760)
		6
		7	Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
		8	1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
		9	default.
		10
		11	Also update multissltests to test with latest OpenSSL.
		12
		13	Signed-off-by: Christian Heimes <christian@python.org>.
		14	(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
		15
		16	Co-authored-by: Christian Heimes <christian@python.org>
		17
		18	Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
		19
		20	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		21	---
		22	Doc/library/ssl.rst \| 8 ++--
		23	Lib/test/test_ssl.py \| 37 +++++++++++--------
		24	.../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst \| 3 ++
		25	3 files changed, 27 insertions(+), 21 deletions(-)
		26	create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
		27
		28	diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
		29	index 0421031772..7c7c85b833 100644
		30	--- a/Doc/library/ssl.rst
		31	+++ b/Doc/library/ssl.rst
		32	@@ -294,11 +294,6 @@ purposes.
		33
		34	3DES was dropped from the default cipher string.
		35
		36	- .. versionchanged:: 2.7.15
		37	-
		38	- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
		39	- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
		40	-
		41	.. function:: _https_verify_certificates(enable=True)
		42
		43	Specifies whether or not server certificates are verified when creating
		44	@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
		45	when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
		46	give the currently selected cipher.
		47
		48	+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
		49	+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
		50	+
		51	.. method:: SSLContext.set_alpn_protocols(protocols)
		52
		53	Specify which protocols the socket should advertise during the SSL/TLS
		54	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
		55	index dc14e22ad1..f51572e319 100644
		56	--- a/Lib/test/test_ssl.py
		57	+++ b/Lib/test/test_ssl.py
		58	@@ -2772,19 +2772,24 @@ else:
		59	sock.do_handshake()
		60	self.assertEqual(cm.exception.errno, errno.ENOTCONN)
		61
		62	- def test_default_ciphers(self):
		63	- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
		64	- try:
		65	- # Force a set of weak ciphers on our client context
		66	- context.set_ciphers("DES")
		67	- except ssl.SSLError:
		68	- self.skipTest("no DES cipher available")
		69	- with ThreadedEchoServer(CERTFILE,
		70	- ssl_version=ssl.PROTOCOL_SSLv23,
		71	- chatty=False) as server:
		72	- with closing(context.wrap_socket(socket.socket())) as s:
		73	- with self.assertRaises(ssl.SSLError):
		74	- s.connect((HOST, server.port))
		75	+ def test_no_shared_ciphers(self):
		76	+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
		77	+ server_context.load_cert_chain(SIGNED_CERTFILE)
		78	+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
		79	+ client_context.verify_mode = ssl.CERT_REQUIRED
		80	+ client_context.check_hostname = True
		81	+
		82	+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
		83	+ client_context.options \|= ssl.OP_NO_TLSv1_3
		84	+ # Force different suites on client and master
		85	+ client_context.set_ciphers("AES128")
		86	+ server_context.set_ciphers("AES256")
		87	+ with ThreadedEchoServer(context=server_context) as server:
		88	+ s = client_context.wrap_socket(
		89	+ socket.socket(),
		90	+ server_hostname="localhost")
		91	+ with self.assertRaises(ssl.SSLError):
		92	+ s.connect((HOST, server.port))
		93	self.assertIn("no shared cipher", str(server.conn_errors[0]))
		94
		95	def test_version_basic(self):
		96	@@ -2815,9 +2820,9 @@ else:
		97	with context.wrap_socket(socket.socket()) as s:
		98	s.connect((HOST, server.port))
		99	self.assertIn(s.cipher()[0], [
		100	- 'TLS13-AES-256-GCM-SHA384',
		101	- 'TLS13-CHACHA20-POLY1305-SHA256',
		102	- 'TLS13-AES-128-GCM-SHA256',
		103	+ 'TLS_AES_256_GCM_SHA384',
		104	+ 'TLS_CHACHA20_POLY1305_SHA256',
		105	+ 'TLS_AES_128_GCM_SHA256',
		106	])
		107
		108	@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
		109	diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
		110	new file mode 100644
		111	index 0000000000..bd719a47e8
		112	--- /dev/null
		113	+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
		114	@@ -0,0 +1,3 @@
		115	+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
		116	+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
		117	+default.
		118	--
		119	2.17.1
		120


diff --git a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch new file mode 100644 index 0000000000..96882712e9 --- /dev/null +++ b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
@@ -0,0 +1,37 @@
		1	From 0e1f3856a7e1511fb64d99646c54ddf3897cd444 Mon Sep 17 00:00:00 2001
		2	From: Dimitri John Ledkov <xnox@ubuntu.com>
		3	Date: Fri, 28 Sep 2018 14:15:52 +0100
		4	Subject: [PATCH 2/4] bpo-34818: Add missing closing() wrapper in test_tls1_3.
		5
		6	Python 2.7 socket classes do not implement context manager protocol,
		7	hence closing() is required around it. Resolves testcase error
		8	traceback.
		9
		10	Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
		11
		12	https://bugs.python.org/issue34818
		13
		14	Patch taken from Ubuntu.
		15
		16	Upstream-Status: Submitted [https://github.com/python/cpython/pull/9622]
		17	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		18	---
		19	Lib/test/test_ssl.py \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
		23	index f51572e319..7a14053cee 100644
		24	--- a/Lib/test/test_ssl.py
		25	+++ b/Lib/test/test_ssl.py
		26	@@ -2817,7 +2817,7 @@ else:
		27	ssl.OP_NO_TLSv1 \| ssl.OP_NO_TLSv1_1 \| ssl.OP_NO_TLSv1_2
		28	)
		29	with ThreadedEchoServer(context=context) as server:
		30	- with context.wrap_socket(socket.socket()) as s:
		31	+ with closing(context.wrap_socket(socket.socket())) as s:
		32	s.connect((HOST, server.port))
		33	self.assertIn(s.cipher()[0], [
		34	'TLS_AES_256_GCM_SHA384',
		35	--
		36	2.17.1
		37


diff --git a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch new file mode 100644 index 0000000000..77016cb430 --- /dev/null +++ b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
@@ -0,0 +1,37 @@
		1	From 8b06d56d26eee289fec22b9b72ab4c7cc3d6c482 Mon Sep 17 00:00:00 2001
		2	From: Dimitri John Ledkov <xnox@ubuntu.com>
		3	Date: Fri, 28 Sep 2018 16:34:16 +0100
		4	Subject: [PATCH 3/4] bpo-34834: Fix test_ssl.test_options to account for
		5	OP_ENABLE_MIDDLEBOX_COMPAT.
		6
		7	Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
		8
		9	https://bugs.python.org/issue34834
		10
		11	Patch taken from Ubuntu.
		12	Upstream-Status: Submitted [https://github.com/python/cpython/pull/9624]
		13
		14	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		15	---
		16	Lib/test/test_ssl.py \| 5 +++++
		17	1 file changed, 5 insertions(+)
		18
		19	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
		20	index 7a14053cee..efc906a5ba 100644
		21	--- a/Lib/test/test_ssl.py
		22	+++ b/Lib/test/test_ssl.py
		23	@@ -777,6 +777,11 @@ class ContextTests(unittest.TestCase):
		24	default = (ssl.OP_ALL \| ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3)
		25	if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
		26	default \|= ssl.OP_NO_COMPRESSION
		27	+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
		28	+ # define MIDDLEBOX constant, as python2.7 does not know about it
		29	+ # but it is used by default.
		30	+ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
		31	+ default \|= OP_ENABLE_MIDDLEBOX_COMPAT
		32	self.assertEqual(default, ctx.options)
		33	ctx.options \|= ssl.OP_NO_TLSv1
		34	self.assertEqual(default \| ssl.OP_NO_TLSv1, ctx.options)
		35	--
		36	2.17.1
		37


diff --git a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch new file mode 100644 index 0000000000..39e1bcfc86 --- /dev/null +++ b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
@@ -0,0 +1,34 @@
		1	From 946a7969345c6697697effd226ec396d3fea05b7 Mon Sep 17 00:00:00 2001
		2	From: Dimitri John Ledkov <xnox@ubuntu.com>
		3	Date: Fri, 28 Sep 2018 17:30:19 +0100
		4	Subject: [PATCH 4/4] bpo-34836: fix test_default_ecdh_curve, needs no tlsv1.3.
		5
		6	Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
		7
		8	https://bugs.python.org/issue34836
		9
		10	Patch taken from Ubuntu.
		11	Upstream-Status: Submitted [https://github.com/python/cpython/pull/9626]
		12
		13	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		14	---
		15	Lib/test/test_ssl.py \| 3 +++
		16	1 file changed, 3 insertions(+)
		17
		18	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
		19	index efc906a5ba..4a3286cd5f 100644
		20	--- a/Lib/test/test_ssl.py
		21	+++ b/Lib/test/test_ssl.py
		22	@@ -2836,6 +2836,9 @@ else:
		23	# should be enabled by default on SSL contexts.
		24	context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
		25	context.load_cert_chain(CERTFILE)
		26	+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
		27	+ # cipher name.
		28	+ context.options \|= ssl.OP_NO_TLSv1_3
		29	# Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
		30	# explicitly using the 'ECCdraft' cipher alias. Otherwise,
		31	# our default cipher list should prefer ECDH-based ciphers
		32	--
		33	2.17.1
		34