Diffstat (limited to 'meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch')
-rw-r--r-- | meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch | 110 |
1 files changed, 0 insertions, 110 deletions
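--- a/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 0c9354362bfa5f90fbea8ff8237a1f1f5dba686f Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Wed, 12 Sep 2018 15:20:31 +0800
-Subject: [PATCH] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
-
-Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-default.
-
-Also update multissltests and Travis config to test with latest OpenSSL.
-
-Signed-off-by: Christian Heimes <christian@python.org>
-(cherry picked from commit e8eb6cb7920ded66abc5d284319a8539bdc2bae3)
-
-Co-authored-by: Christian Heimes <christian@python.org
-
-Upstream-Status: Backport
-[https://github.com/python/cpython/commit/3e630c541b35c96bfe5619165255e559f577ee71]
-
-Tweaked patch to not take changes for multissltests and Travis config.
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
-Lib/test/test_ssl.py | 51 ++++++++++++++++++++++----------------------
-1 file changed, 26 insertions(+), 25 deletions(-)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index a2e1d32a62..c484ead5ff 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -3024,17 +3024,21 @@ else:
-sock.do_handshake()
-self.assertEqual(cm.exception.errno, errno.ENOTCONN)
-
-- def test_default_ciphers(self):
-- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-- try:
-- # Force a set of weak ciphers on our client context
-- context.set_ciphers("DES")
-- except ssl.SSLError:
-- self.skipTest("no DES cipher available")
-- with ThreadedEchoServer(CERTFILE,
-- ssl_version=ssl.PROTOCOL_SSLv23,
-- chatty=False) as server:
-- with context.wrap_socket(socket.socket()) as s:
-+ def test_no_shared_ciphers(self):
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ server_context.load_cert_chain(SIGNED_CERTFILE)
-+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ client_context.verify_mode = ssl.CERT_REQUIRED
-+ client_context.check_hostname = True
-+
-+ client_context.set_ciphers("AES128")
-+ server_context.set_ciphers("AES256")
-+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
-+ client_context.options |= ssl.OP_NO_TLSv1_3
-+ with ThreadedEchoServer(context=server_context) as server:
-+ with client_context.wrap_socket(
-+ socket.socket(),
-+ server_hostname="localhost") as s:
-with self.assertRaises(OSError):
-s.connect((HOST, server.port))
-self.assertIn("no shared cipher", str(server.conn_errors[0]))
-@@ -3067,9 +3071,9 @@ else:
-with context.wrap_socket(socket.socket()) as s:
-s.connect((HOST, server.port))
-self.assertIn(s.cipher()[0], [
-- 'TLS13-AES-256-GCM-SHA384',
-- 'TLS13-CHACHA20-POLY1305-SHA256',
-- 'TLS13-AES-128-GCM-SHA256',
-+ 'TLS_AES_256_GCM_SHA384',
-+ 'TLS_CHACHA20_POLY1305_SHA256',
-+ 'TLS_AES_128_GCM_SHA256',
-])
-
-@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
-@@ -3391,22 +3395,19 @@ else:
-client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-client_context.verify_mode = ssl.CERT_REQUIRED
-client_context.load_verify_locations(SIGNING_CA)
-- if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
-- client_context.set_ciphers("AES128:AES256")
-- server_context.set_ciphers("AES256")
-- alg1 = "AES256"
-- alg2 = "AES-256"
-- else:
-- client_context.set_ciphers("AES:3DES")
-- server_context.set_ciphers("3DES")
-- alg1 = "3DES"
-- alg2 = "DES-CBC3"
-+ client_context.set_ciphers("AES128:AES256")
-+ server_context.set_ciphers("AES256")
-+ expected_algs = [
-+ "AES256", "AES-256",
-+ # TLS 1.3 ciphers are always enabled
-+ "TLS_CHACHA20", "TLS_AES",
-+ ]
-
-stats = server_params_test(client_context, server_context)
-ciphers = stats['server_shared_ciphers'][0]
-self.assertGreater(len(ciphers), 0)
-for name, tls_version, bits in ciphers:
-- if not alg1 in name.split("-") and alg2 not in name:
-+ if not any (alg in name for alg in expected_algs):
-self.fail(name)
-
-def test_read_write_after_close_raises_valuerror(self):
---
-2.17.1
-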