Diffstat (limited to 'meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch | 120 |
1 files changed, 0 insertions, 120 deletions
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
deleted file mode 100644
index 1f70562fc0..0000000000
--- a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Wed, 15 Aug 2018 09:07:28 +0200
-Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
- (GH-8760)
-
-Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-default.
-
-Also update multissltests to test with latest OpenSSL.
-
-Signed-off-by: Christian Heimes <christian@python.org>.
-(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
-
-Co-authored-by: Christian Heimes <christian@python.org>
-
-Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
- Doc/library/ssl.rst | 8 ++--
- Lib/test/test_ssl.py | 37 +++++++++++--------
- .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
- 3 files changed, 27 insertions(+), 21 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-
-diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
-index 0421031772..7c7c85b833 100644
---- a/Doc/library/ssl.rst
-+++ b/Doc/library/ssl.rst
-@@ -294,11 +294,6 @@ purposes.
- 
- 3DES was dropped from the default cipher string.
- 
-- .. versionchanged:: 2.7.15
--
-- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
-- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
--
- .. function:: _https_verify_certificates(enable=True)
- 
- Specifies whether or not server certificates are verified when creating
-@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
- when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
- give the currently selected cipher.
- 
-+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
-+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
-+
- .. method:: SSLContext.set_alpn_protocols(protocols)
- 
- Specify which protocols the socket should advertise during the SSL/TLS
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index dc14e22ad1..f51572e319 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2772,19 +2772,24 @@ else:
- sock.do_handshake()
- self.assertEqual(cm.exception.errno, errno.ENOTCONN)
- 
-- def test_default_ciphers(self):
-- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-- try:
-- # Force a set of weak ciphers on our client context
-- context.set_ciphers("DES")
-- except ssl.SSLError:
-- self.skipTest("no DES cipher available")
-- with ThreadedEchoServer(CERTFILE,
-- ssl_version=ssl.PROTOCOL_SSLv23,
-- chatty=False) as server:
-- with closing(context.wrap_socket(socket.socket())) as s:
-- with self.assertRaises(ssl.SSLError):
-- s.connect((HOST, server.port))
-+ def test_no_shared_ciphers(self):
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ server_context.load_cert_chain(SIGNED_CERTFILE)
-+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ client_context.verify_mode = ssl.CERT_REQUIRED
-+ client_context.check_hostname = True
-+
-+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
-+ client_context.options |= ssl.OP_NO_TLSv1_3
-+ # Force different suites on client and master
-+ client_context.set_ciphers("AES128")
-+ server_context.set_ciphers("AES256")
-+ with ThreadedEchoServer(context=server_context) as server:
-+ s = client_context.wrap_socket(
-+ socket.socket(),
-+ server_hostname="localhost")
-+ with self.assertRaises(ssl.SSLError):
-+ s.connect((HOST, server.port))
- self.assertIn("no shared cipher", str(server.conn_errors[0]))
- 
- def test_version_basic(self):
-@@ -2815,9 +2820,9 @@ else:
- with context.wrap_socket(socket.socket()) as s:
- s.connect((HOST, server.port))
- self.assertIn(s.cipher()[0], [
-- 'TLS13-AES-256-GCM-SHA384',
-- 'TLS13-CHACHA20-POLY1305-SHA256',
-- 'TLS13-AES-128-GCM-SHA256',
-+ 'TLS_AES_256_GCM_SHA384',
-+ 'TLS_CHACHA20_POLY1305_SHA256',
-+ 'TLS_AES_128_GCM_SHA256',
- ])
- 
- @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
-diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-new file mode 100644
-index 0000000000..bd719a47e8
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-@@ -0,0 +1,3 @@
-+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-+default.
---
-2.17.1
-
|