Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 6e8cda9

Browse files
tirantiran
authored
bpo-40457: Support OpenSSL without TLS 1.0/1.1 (GH-19862)
OpenSSL can be build without support for TLS 1.0 and 1.1. The ssl module now correctly adheres to OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 flags. Also update multissltest to test with latest OpenSSL and LibreSSL releases. Signed-off-by: Christian Heimes <[email protected]> Automerge-Triggered-By: @tiran
1 parent 6b6092f commit 6e8cda9

3 files changed

Lines changed: 33 additions & 38 deletions

File tree

Misc/NEWS.d/next/Library/2020-05-02-17-17-37.bpo-40457.EXReI1.rst

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
The ssl module now support OpenSSL builds without TLS 1.0 and 1.1 methods.

Modules/_ssl.c

Lines changed: 27 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -147,15 +147,6 @@ static void _PySSLFixErrno(void) {
147147
# define PY_OPENSSL_1_1_API 1
148148
#endif
149149

150-
/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
151-
http://www.openssl.org/news/changelog.html
152-
*/
153-
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
154-
# define HAVE_TLSv1_2 1
155-
#else
156-
# define HAVE_TLSv1_2 0
157-
#endif
158-
159150
/* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f
160151
* This includes the SSL_set_SSL_CTX() function.
161152
*/
@@ -326,13 +317,9 @@ enum py_ssl_version {
326317
PY_SSL_VERSION_SSL2,
327318
PY_SSL_VERSION_SSL3=1,
328319
PY_SSL_VERSION_TLS, /* SSLv23 */
329-
#if HAVE_TLSv1_2
330320
PY_SSL_VERSION_TLS1,
331321
PY_SSL_VERSION_TLS1_1,
332322
PY_SSL_VERSION_TLS1_2,
333-
#else
334-
PY_SSL_VERSION_TLS1,
335-
#endif
336323
PY_SSL_VERSION_TLS_CLIENT=0x10,
337324
PY_SSL_VERSION_TLS_SERVER,
338325
};
@@ -3086,35 +3073,45 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
30863073
#endif
30873074

30883075
PySSL_BEGIN_ALLOW_THREADS
3089-
if (proto_version == PY_SSL_VERSION_TLS1)
3076+
switch(proto_version) {
3077+
#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
3078+
case PY_SSL_VERSION_SSL3:
3079+
ctx = SSL_CTX_new(SSLv3_method());
3080+
break;
3081+
#endif
3082+
#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
3083+
case PY_SSL_VERSION_TLS1:
30903084
ctx = SSL_CTX_new(TLSv1_method());
3091-
#if HAVE_TLSv1_2
3092-
else if (proto_version == PY_SSL_VERSION_TLS1_1)
3093-
ctx = SSL_CTX_new(TLSv1_1_method());
3094-
else if (proto_version == PY_SSL_VERSION_TLS1_2)
3095-
ctx = SSL_CTX_new(TLSv1_2_method());
3085+
break;
30963086
#endif
3097-
#ifndef OPENSSL_NO_SSL3
3098-
else if (proto_version == PY_SSL_VERSION_SSL3)
3099-
ctx = SSL_CTX_new(SSLv3_method());
3087+
#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
3088+
case PY_SSL_VERSION_TLS1_1:
3089+
ctx = SSL_CTX_new(TLSv1_1_method());
3090+
break;
31003091
#endif
3101-
#ifndef OPENSSL_NO_SSL2
3102-
else if (proto_version == PY_SSL_VERSION_SSL2)
3103-
ctx = SSL_CTX_new(SSLv2_method());
3092+
#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
3093+
case PY_SSL_VERSION_TLS1_2:
3094+
ctx = SSL_CTX_new(TLSv1_2_method());
3095+
break;
31043096
#endif
3105-
else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
3097+
case PY_SSL_VERSION_TLS:
3098+
/* SSLv23 */
31063099
ctx = SSL_CTX_new(TLS_method());
3107-
else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
3100+
break;
3101+
case PY_SSL_VERSION_TLS_CLIENT:
31083102
ctx = SSL_CTX_new(TLS_client_method());
3109-
else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
3103+
break;
3104+
case PY_SSL_VERSION_TLS_SERVER:
31103105
ctx = SSL_CTX_new(TLS_server_method());
3111-
else
3106+
break;
3107+
default:
31123108
proto_version = -1;
3109+
}
31133110
PySSL_END_ALLOW_THREADS
31143111

31153112
if (proto_version == -1) {
31163113
PyErr_SetString(PyExc_ValueError,
3117-
"invalid protocol version");
3114+
"invalid or unsupported protocol version");
31183115
return NULL;
31193116
}
31203117
if (ctx == NULL) {
@@ -6185,23 +6182,19 @@ PyInit__ssl(void)
61856182
PY_SSL_VERSION_TLS_SERVER);
61866183
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
61876184
PY_SSL_VERSION_TLS1);
6188-
#if HAVE_TLSv1_2
61896185
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_1",
61906186
PY_SSL_VERSION_TLS1_1);
61916187
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_2",
61926188
PY_SSL_VERSION_TLS1_2);
6193-
#endif
61946189

61956190
/* protocol options */
61966191
PyModule_AddIntConstant(m, "OP_ALL",
61976192
SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
61986193
PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
61996194
PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
62006195
PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
6201-
#if HAVE_TLSv1_2
62026196
PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
62036197
PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
6204-
#endif
62056198
#ifdef SSL_OP_NO_TLSv1_3
62066199
PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3);
62076200
#else

Tools/ssl/multissltests.py

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -43,20 +43,21 @@
4343
log = logging.getLogger("multissl")
4444

4545
OPENSSL_OLD_VERSIONS = [
46+
"1.0.2u",
47+
"1.1.0l",
4648
]
4749

4850
OPENSSL_RECENT_VERSIONS = [
49-
"1.0.2u",
50-
"1.1.0l",
5151
"1.1.1g",
5252
# "3.0.0-alpha2"
5353
]
5454

5555
LIBRESSL_OLD_VERSIONS = [
56+
"2.9.2",
5657
]
5758

5859
LIBRESSL_RECENT_VERSIONS = [
59-
"2.9.2",
60+
"3.1.0",
6061
]
6162

6263
# store files in ../multissl
@@ -80,7 +81,7 @@
8081
parser.add_argument(
8182
'--disable-ancient',
8283
action='store_true',
83-
help="Don't test OpenSSL < 1.0.2 and LibreSSL < 2.5.3.",
84+
help="Don't test OpenSSL and LibreSSL versions without upstream support",
8485
)
8586
parser.add_argument(
8687
'--openssl',

0 commit comments

Comments
 (0)