Diffstat (limited to 'meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch | 120 |
1 files changed, 0 insertions, 120 deletions
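--- a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Wed, 15 Aug 2018 09:07:28 +0200
-Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
-(GH-8760)
-
-Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-default.
-
-Also update multissltests to test with latest OpenSSL.
-
-Signed-off-by: Christian Heimes <christian@python.org>.
-(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
-
-Co-authored-by: Christian Heimes <christian@python.org>
-
-Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
-Doc/library/ssl.rst | 8 ++--
-Lib/test/test_ssl.py | 37 +++++++++++--------
-.../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
-3 files changed, 27 insertions(+), 21 deletions(-)
-create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-
-diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
-index 0421031772..7c7c85b833 100644
---- a/Doc/library/ssl.rst
-+++ b/Doc/library/ssl.rst
-@@ -294,11 +294,6 @@ purposes.
-
-3DES was dropped from the default cipher string.
-
-- .. versionchanged:: 2.7.15
--
-- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
-- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
--
-.. function:: _https_verify_certificates(enable=True)
-
-Specifies whether or not server certificates are verified when creating
-@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
-when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
-give the currently selected cipher.
-
-+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
-+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
-+
-.. method:: SSLContext.set_alpn_protocols(protocols)
-
-Specify which protocols the socket should advertise during the SSL/TLS
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index dc14e22ad1..f51572e319 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2772,19 +2772,24 @@ else:
-sock.do_handshake()
-self.assertEqual(cm.exception.errno, errno.ENOTCONN)
-
-- def test_default_ciphers(self):
-- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-- try:
-- # Force a set of weak ciphers on our client context
-- context.set_ciphers("DES")
-- except ssl.SSLError:
-- self.skipTest("no DES cipher available")
-- with ThreadedEchoServer(CERTFILE,
-- ssl_version=ssl.PROTOCOL_SSLv23,
-- chatty=False) as server:
-- with closing(context.wrap_socket(socket.socket())) as s:
-- with self.assertRaises(ssl.SSLError):
-- s.connect((HOST, server.port))
-+ def test_no_shared_ciphers(self):
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ server_context.load_cert_chain(SIGNED_CERTFILE)
-+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ client_context.verify_mode = ssl.CERT_REQUIRED
-+ client_context.check_hostname = True
-+
-+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
-+ client_context.options |= ssl.OP_NO_TLSv1_3
-+ # Force different suites on client and master
-+ client_context.set_ciphers("AES128")
-+ server_context.set_ciphers("AES256")
-+ with ThreadedEchoServer(context=server_context) as server:
-+ s = client_context.wrap_socket(
-+ socket.socket(),
-+ server_hostname="localhost")
-+ with self.assertRaises(ssl.SSLError):
-+ s.connect((HOST, server.port))
-self.assertIn("no shared cipher", str(server.conn_errors[0]))
-
-def test_version_basic(self):
-@@ -2815,9 +2820,9 @@ else:
-with context.wrap_socket(socket.socket()) as s:
-s.connect((HOST, server.port))
-self.assertIn(s.cipher()[0], [
-- 'TLS13-AES-256-GCM-SHA384',
-- 'TLS13-CHACHA20-POLY1305-SHA256',
-- 'TLS13-AES-128-GCM-SHA256',
-+ 'TLS_AES_256_GCM_SHA384',
-+ 'TLS_CHACHA20_POLY1305_SHA256',
-+ 'TLS_AES_128_GCM_SHA256',
-])
-
-@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
-diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-new file mode 100644
-index 0000000000..bd719a47e8
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-@@ -0,0 +1,3 @@
-+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-+default.
---
-2.17.1
-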