1 files changed, 234 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch b/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
new file mode 100644
index 0000000000..cb744deec8
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
@@ -0,0 +1,234 @@
+From 46c719ec4f79d6830c55ab7f5a03d826eabd0bd5 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Thu, 7 Sep 2017 20:23:52 -0700
+Subject: [PATCH 2/4] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3
+ (GH-1363) (#3444)
+* bpo-29136: Add TLS 1.3 support
+TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
+cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
+Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
+will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
+AES-GCM and ChaCha20 suites.
+Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
+OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
+now.
+Signed-off-by: Christian Heimes <christian@python.org>.
+(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Doc/library/ssl.rst                           | 21 ++++++++++++++
+ Lib/ssl.py                                    | 14 +++++++++
+ Lib/test/test_ssl.py                          | 29 ++++++++++++++++++-
+ .../2017-09-04-16-39-49.bpo-29136.vSn1oR.rst  |  1 +
+ Modules/_ssl.c                                | 13 +++++++++
+ 5 files changed, 77 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
+diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
+index 14f2d68217..29c5e94cf6 100644
+--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
+@@ -285,6 +285,11 @@ purposes.
+ 
+      3DES was dropped from the default cipher string.
+ 
+   .. versionchanged:: 3.7
+
+     TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
+     and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
+
+ 
+ Random generation
+ ^^^^^^^^^^^^^^^^^
+@@ -719,6 +724,16 @@ Constants
+ 
+    .. versionadded:: 3.4
+ 
+.. data:: OP_NO_TLSv1_3
+
+   Prevents a TLSv1.3 connection. This option is only applicable in conjunction
+   with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.3 as
+   the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later.
+   When Python has been compiled against an older version of OpenSSL, the
+   flag defaults to *0*.
+
+   .. versionadded:: 3.7
+
+ .. data:: OP_CIPHER_SERVER_PREFERENCE
+ 
+    Use the server's cipher ordering preference, rather than the client's.
+@@ -783,6 +798,12 @@ Constants
+ 
+    .. versionadded:: 3.3
+ 
+.. data:: HAS_TLSv1_3
+
+   Whether the OpenSSL library has built-in support for the TLS 1.3 protocol.
+
+   .. versionadded:: 3.7
+
+ .. data:: CHANNEL_BINDING_TYPES
+ 
+    List of supported TLS channel binding types.  Strings in this list
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+index 4d302a78fa..ac2c0cbaf3 100644
+--- a/Lib/ssl.py
+++ b/Lib/ssl.py
+@@ -122,6 +122,14 @@ _import_symbols('OP_')
+ _import_symbols('ALERT_DESCRIPTION_')
+ _import_symbols('SSL_ERROR_')
+ _import_symbols('VERIFY_')
+from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3
+from _ssl import _OPENSSL_API_VERSION
+
+
+_IntEnum._convert(
+    '_SSLMethod', __name__,
+    lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
+    source=_ssl)
+ 
+ from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN
+ 
+@@ -162,6 +170,7 @@ else:
+ # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+ # Enable a better set of ciphers by default
+ # This list has been explicitly chosen to:
+#   * TLS 1.3 ChaCha20 and AES-GCM cipher suites
+ #   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+ #   * Prefer ECDHE over DHE for better performance
+ #   * Prefer AEAD over CBC for better performance and security
+@@ -173,6 +182,8 @@ else:
+ #   * Disable NULL authentication, NULL encryption, 3DES and MD5 MACs
+ #     for security reasons
+ _DEFAULT_CIPHERS = (
+    'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
+    'TLS13-AES-128-GCM-SHA256:'
+     'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
+     'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
+     '!aNULL:!eNULL:!MD5:!3DES'
+@@ -180,6 +191,7 @@ _DEFAULT_CIPHERS = (
+ 
+ # Restricted and more secure ciphers for the server side
+ # This list has been explicitly chosen to:
+#   * TLS 1.3 ChaCha20 and AES-GCM cipher suites
+ #   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+ #   * Prefer ECDHE over DHE for better performance
+ #   * Prefer AEAD over CBC for better performance and security
+@@ -190,6 +202,8 @@ _DEFAULT_CIPHERS = (
+ #   * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, RC4, and
+ #     3DES for security reasons
+ _RESTRICTED_SERVER_CIPHERS = (
+    'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
+    'TLS13-AES-128-GCM-SHA256:'
+     'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
+     'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
+     '!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES'
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index f91af7bd05..1acc12ec2d 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -150,6 +150,13 @@ class BasicSocketTests(unittest.TestCase):
+             ssl.OP_NO_COMPRESSION
+         self.assertIn(ssl.HAS_SNI, {True, False})
+         self.assertIn(ssl.HAS_ECDH, {True, False})
+        ssl.OP_NO_SSLv2
+        ssl.OP_NO_SSLv3
+        ssl.OP_NO_TLSv1
+        ssl.OP_NO_TLSv1_3
+    if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
+            ssl.OP_NO_TLSv1_1
+            ssl.OP_NO_TLSv1_2
+ 
+     def test_str_for_enums(self):
+         # Make sure that the PROTOCOL_* constants have enum-like string
+@@ -3028,12 +3035,33 @@ else:
+                     self.assertEqual(s.version(), 'TLSv1')
+                 self.assertIs(s.version(), None)
+ 
+        @unittest.skipUnless(ssl.HAS_TLSv1_3,
+                             "test requires TLSv1.3 enabled OpenSSL")
+        def test_tls1_3(self):
+            context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+            context.load_cert_chain(CERTFILE)
+            # disable all but TLS 1.3
+            context.options |= (
+                ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
+            )
+            with ThreadedEchoServer(context=context) as server:
+                with context.wrap_socket(socket.socket()) as s:
+                    s.connect((HOST, server.port))
+                    self.assertIn(s.cipher()[0], [
+                        'TLS13-AES-256-GCM-SHA384',
+                        'TLS13-CHACHA20-POLY1305-SHA256',
+                        'TLS13-AES-128-GCM-SHA256',
+                    ])
+
+         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+         def test_default_ecdh_curve(self):
+             # Issue #21015: elliptic curve-based Diffie Hellman key exchange
+             # should be enabled by default on SSL contexts.
+             context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+             context.load_cert_chain(CERTFILE)
+            # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
+            # cipher name.
+            context.options |= ssl.OP_NO_TLSv1_3
+             # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
+             # explicitly using the 'ECCdraft' cipher alias.  Otherwise,
+             # our default cipher list should prefer ECDH-based ciphers
+@@ -3394,7 +3422,6 @@ else:
+                         s.sendfile(file)
+                         self.assertEqual(s.recv(1024), TEST_DATA)
+ 
+-
+ def test_main(verbose=False):
+     if support.verbose:
+         import warnings
+diff --git a/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
+new file mode 100644
+index 0000000000..e76997ef83
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
+@@ -0,0 +1 @@
+Add TLS 1.3 cipher suites and OP_NO_TLSv1_3.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 0d5c121d2c..c71d89607c 100644
+--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
+@@ -4842,6 +4842,11 @@ PyInit__ssl(void)
+ #if HAVE_TLSv1_2
+     PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
+     PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_3
+    PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3);
+#else
+    PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", 0);
+ #endif
+     PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
+                             SSL_OP_CIPHER_SERVER_PREFERENCE);
+@@ -4890,6 +4895,14 @@ PyInit__ssl(void)
+     Py_INCREF(r);
+     PyModule_AddObject(m, "HAS_ALPN", r);
+ 
+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+    r = Py_True;
+#else
+    r = Py_False;
+#endif
+    Py_INCREF(r);
+    PyModule_AddObject(m, "HAS_TLSv1_3", r);
+
+     /* Mappings for error codes */
+     err_codes_to_names = PyDict_New();
+     err_names_to_codes = PyDict_New();
+-- 
+2.17.1

diff --git a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch b/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch new file mode 100644 index 0000000000..cb744deec8 --- /dev/null +++ b/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
@@ -0,0 +1,234 @@
	1	From 46c719ec4f79d6830c55ab7f5a03d826eabd0bd5 Mon Sep 17 00:00:00 2001
	2	From: Christian Heimes <christian@python.org>
	3	Date: Thu, 7 Sep 2017 20:23:52 -0700
	4	Subject: [PATCH 2/4] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3
	5	(GH-1363) (#3444)
	6
	7	* bpo-29136: Add TLS 1.3 support
	8
	9	TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
	10	cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
	11	Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
	12	will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
	13	AES-GCM and ChaCha20 suites.
	14
	15	Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
	16	OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
	17	now.
	18
	19	Signed-off-by: Christian Heimes <christian@python.org>.
	20	(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
	21
	22	Upstream-Status: Backport
	23	[https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3]
	24
	25	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	26	---
	27	Doc/library/ssl.rst \| 21 ++++++++++++++
	28	Lib/ssl.py \| 14 +++++++++
	29	Lib/test/test_ssl.py \| 29 ++++++++++++++++++-
	30	.../2017-09-04-16-39-49.bpo-29136.vSn1oR.rst \| 1 +
	31	Modules/_ssl.c \| 13 +++++++++
	32	5 files changed, 77 insertions(+), 1 deletion(-)
	33	create mode 100644 Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
	34
	35	diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
	36	index 14f2d68217..29c5e94cf6 100644
	37	--- a/Doc/library/ssl.rst
	38	+++ b/Doc/library/ssl.rst
	39	@@ -285,6 +285,11 @@ purposes.
	40
	41	3DES was dropped from the default cipher string.
	42
	43	+ .. versionchanged:: 3.7
	44	+
	45	+ TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
	46	+ and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
	47	+
	48
	49	Random generation
	50	^^^^^^^^^^^^^^^^^
	51	@@ -719,6 +724,16 @@ Constants
	52
	53	.. versionadded:: 3.4
	54
	55	+.. data:: OP_NO_TLSv1_3
	56	+
	57	+ Prevents a TLSv1.3 connection. This option is only applicable in conjunction
	58	+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.3 as
	59	+ the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later.
	60	+ When Python has been compiled against an older version of OpenSSL, the
	61	+ flag defaults to 0.
	62	+
	63	+ .. versionadded:: 3.7
	64	+
	65	.. data:: OP_CIPHER_SERVER_PREFERENCE
	66
	67	Use the server's cipher ordering preference, rather than the client's.
	68	@@ -783,6 +798,12 @@ Constants
	69
	70	.. versionadded:: 3.3
	71
	72	+.. data:: HAS_TLSv1_3
	73	+
	74	+ Whether the OpenSSL library has built-in support for the TLS 1.3 protocol.
	75	+
	76	+ .. versionadded:: 3.7
	77	+
	78	.. data:: CHANNEL_BINDING_TYPES
	79
	80	List of supported TLS channel binding types. Strings in this list
	81	diff --git a/Lib/ssl.py b/Lib/ssl.py
	82	index 4d302a78fa..ac2c0cbaf3 100644
	83	--- a/Lib/ssl.py
	84	+++ b/Lib/ssl.py
	85	@@ -122,6 +122,14 @@ _import_symbols('OP_')
	86	_import_symbols('ALERT_DESCRIPTION_')
	87	_import_symbols('SSL_ERROR_')
	88	_import_symbols('VERIFY_')
	89	+from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3
	90	+from _ssl import _OPENSSL_API_VERSION
	91	+
	92	+
	93	+_IntEnum._convert(
	94	+ '_SSLMethod', __name__,
	95	+ lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
	96	+ source=_ssl)
	97
	98	from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN
	99
	100	@@ -162,6 +170,7 @@ else:
	101	# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
	102	# Enable a better set of ciphers by default
	103	# This list has been explicitly chosen to:
	104	+# * TLS 1.3 ChaCha20 and AES-GCM cipher suites
	105	# * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
	106	# * Prefer ECDHE over DHE for better performance
	107	# * Prefer AEAD over CBC for better performance and security
	108	@@ -173,6 +182,8 @@ else:
	109	# * Disable NULL authentication, NULL encryption, 3DES and MD5 MACs
	110	# for security reasons
	111	_DEFAULT_CIPHERS = (
	112	+ 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
	113	+ 'TLS13-AES-128-GCM-SHA256:'
	114	'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
	115	'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
	116	'!aNULL:!eNULL:!MD5:!3DES'
	117	@@ -180,6 +191,7 @@ _DEFAULT_CIPHERS = (
	118
	119	# Restricted and more secure ciphers for the server side
	120	# This list has been explicitly chosen to:
	121	+# * TLS 1.3 ChaCha20 and AES-GCM cipher suites
	122	# * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
	123	# * Prefer ECDHE over DHE for better performance
	124	# * Prefer AEAD over CBC for better performance and security
	125	@@ -190,6 +202,8 @@ _DEFAULT_CIPHERS = (
	126	# * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, RC4, and
	127	# 3DES for security reasons
	128	_RESTRICTED_SERVER_CIPHERS = (
	129	+ 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
	130	+ 'TLS13-AES-128-GCM-SHA256:'
	131	'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
	132	'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
	133	'!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES'
	134	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
	135	index f91af7bd05..1acc12ec2d 100644
	136	--- a/Lib/test/test_ssl.py
	137	+++ b/Lib/test/test_ssl.py
	138	@@ -150,6 +150,13 @@ class BasicSocketTests(unittest.TestCase):
	139	ssl.OP_NO_COMPRESSION
	140	self.assertIn(ssl.HAS_SNI, {True, False})
	141	self.assertIn(ssl.HAS_ECDH, {True, False})
	142	+ ssl.OP_NO_SSLv2
	143	+ ssl.OP_NO_SSLv3
	144	+ ssl.OP_NO_TLSv1
	145	+ ssl.OP_NO_TLSv1_3
	146	+ if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
	147	+ ssl.OP_NO_TLSv1_1
	148	+ ssl.OP_NO_TLSv1_2
	149
	150	def test_str_for_enums(self):
	151	# Make sure that the PROTOCOL_* constants have enum-like string
	152	@@ -3028,12 +3035,33 @@ else:
	153	self.assertEqual(s.version(), 'TLSv1')
	154	self.assertIs(s.version(), None)
	155
	156	+ @unittest.skipUnless(ssl.HAS_TLSv1_3,
	157	+ "test requires TLSv1.3 enabled OpenSSL")
	158	+ def test_tls1_3(self):
	159	+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
	160	+ context.load_cert_chain(CERTFILE)
	161	+ # disable all but TLS 1.3
	162	+ context.options \|= (
	163	+ ssl.OP_NO_TLSv1 \| ssl.OP_NO_TLSv1_1 \| ssl.OP_NO_TLSv1_2
	164	+ )
	165	+ with ThreadedEchoServer(context=context) as server:
	166	+ with context.wrap_socket(socket.socket()) as s:
	167	+ s.connect((HOST, server.port))
	168	+ self.assertIn(s.cipher()[0], [
	169	+ 'TLS13-AES-256-GCM-SHA384',
	170	+ 'TLS13-CHACHA20-POLY1305-SHA256',
	171	+ 'TLS13-AES-128-GCM-SHA256',
	172	+ ])
	173	+
	174	@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
	175	def test_default_ecdh_curve(self):
	176	# Issue #21015: elliptic curve-based Diffie Hellman key exchange
	177	# should be enabled by default on SSL contexts.
	178	context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
	179	context.load_cert_chain(CERTFILE)
	180	+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
	181	+ # cipher name.
	182	+ context.options \|= ssl.OP_NO_TLSv1_3
	183	# Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
	184	# explicitly using the 'ECCdraft' cipher alias. Otherwise,
	185	# our default cipher list should prefer ECDH-based ciphers
	186	@@ -3394,7 +3422,6 @@ else:
	187	s.sendfile(file)
	188	self.assertEqual(s.recv(1024), TEST_DATA)
	189
	190	-
	191	def test_main(verbose=False):
	192	if support.verbose:
	193	import warnings
	194	diff --git a/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
	195	new file mode 100644
	196	index 0000000000..e76997ef83
	197	--- /dev/null
	198	+++ b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
	199	@@ -0,0 +1 @@
	200	+Add TLS 1.3 cipher suites and OP_NO_TLSv1_3.
	201	diff --git a/Modules/_ssl.c b/Modules/_ssl.c
	202	index 0d5c121d2c..c71d89607c 100644
	203	--- a/Modules/_ssl.c
	204	+++ b/Modules/_ssl.c
	205	@@ -4842,6 +4842,11 @@ PyInit__ssl(void)
	206	#if HAVE_TLSv1_2
	207	PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
	208	PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
	209	+#endif
	210	+#ifdef SSL_OP_NO_TLSv1_3
	211	+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3);
	212	+#else
	213	+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", 0);
	214	#endif
	215	PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
	216	SSL_OP_CIPHER_SERVER_PREFERENCE);
	217	@@ -4890,6 +4895,14 @@ PyInit__ssl(void)
	218	Py_INCREF(r);
	219	PyModule_AddObject(m, "HAS_ALPN", r);
	220
	221	+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
	222	+ r = Py_True;
	223	+#else
	224	+ r = Py_False;
	225	+#endif
	226	+ Py_INCREF(r);
	227	+ PyModule_AddObject(m, "HAS_TLSv1_3", r);
	228	+
	229	/* Mappings for error codes */
	230	err_codes_to_names = PyDict_New();
	231	err_names_to_codes = PyDict_New();
	232	--
	233	2.17.1
	234