From 3e14217e745973b106e3adb3ba674084e45e6c4a Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Mon, 16 Aug 2021 12:55:48 +0900
Subject: [PATCH 1/7] Add ssl.OP_LEGACY_SERVER_CONNECT

Required for making OpenSSL 3.0.0 behave like 1.1.1.
---
 Modules/_ssl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 84cc3697b07063..486ff1be79467c 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -5890,6 +5890,10 @@ sslmodule_init_constants(PyObject *m)
 PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
 SSL_OP_IGNORE_UNEXPECTED_EOF);
 #endif
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+ PyModule_AddIntConstant(m, "OP_LEGACY_SERVER_CONNECT",
+ SSL_OP_LEGACY_SERVER_CONNECT);
+#endif
 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
 PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",

From 31706254272883baba844449542e2dbd94b1fe5a Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 14:28:02 +0900
Subject: [PATCH 2/7] NEWS entry

---
 .../NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst

diff --git a/Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst b/Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst
new file mode 100644
index 00000000000000..5c8164863b8192
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst
@@ -0,0 +1 @@
+Add :data:`ssl.OP_LEGACY_SERVER_CONNECT`

From f07c086152b3d2a0bdebbacfa933c5cbba826e31 Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 14:58:15 +0900
Subject: [PATCH 3/7] Documentation

---
 Doc/library/ssl.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 21077e0f4b42be..a7971a8cb9cf87 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -920,6 +920,13 @@ Constants
 .. versionadded:: 3.10
+.. data:: OP_LEGACY_SERVER_CONNECT
+
+ Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+ only.
+
+ .. versionadded:: 3.11
+
 .. data:: HAS_ALPN
 Whether the OpenSSL library has built-in support for the *Application-Layer

From 4cb5f3d8770922a6e46429328fff9affb89f2aab Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 15:03:52 +0900
Subject: [PATCH 4/7] Test case

---
 Lib/test/test_ssl.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d9e184365ce082..2cdf5118b6032f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -157,6 +157,7 @@ def data_file(*name):
 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
 OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
+OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0)
 # Ubuntu has patched OpenSSL and changed behavior of security level 2
 # see https://bugs.python.org/issue41561#msg389003

From 832e67be406055c5c92a24b226347a95caab76da Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 22:14:20 +0900
Subject: [PATCH 5/7] Doc: availability

---
 Doc/library/ssl.rst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index a7971a8cb9cf87..5e2032dbc94dce 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -925,6 +925,9 @@ Constants
 Allow legacy insecure renegotiation between OpenSSL and unpatched servers
 only.
+ This option is only available with OpenSSL 0.9.8m and later, and is disabled
+ in default context since OpenSSL 3.0.0.
+
 .. versionadded:: 3.11
 .. data:: HAS_ALPN

From 5891371a2c4785521326d28d05640e369ea02b5c Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 23:52:40 +0900
Subject: [PATCH 6/7] Test case: availability

---
 Lib/test/test_ssl.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 2cdf5118b6032f..8477661686cec9 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1192,6 +1192,9 @@ def test_options(self):
 ctx.options = 0
 # Ubuntu has OP_NO_SSLv3 forced on by default
 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
+ # 0.9.8m or later
+ if ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 13, 15):
+ self.assertNotEqual(OP_LEGACY_SERVER_CONNECT, 0)
 def test_verify_mode_protocol(self):
 with warnings_helper.check_warnings():
@@ -1682,6 +1685,12 @@ def _assert_context_options(self, ctx):
 if OP_CIPHER_SERVER_PREFERENCE != 0:
 self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
 OP_CIPHER_SERVER_PREFERENCE)
+ if OP_LEGACY_SERVER_CONNECT != 0:
+ if IS_OPENSSL_3_0_0:
+ self.assertEqual(ctx.options & OP_LEGACY_SERVER_CONNECT, 0)
+ else:
+ self.assertEqual(ctx.options & OP_LEGACY_SERVER_CONNECT,
+ OP_LEGACY_SERVER_CONNECT)
 def test_create_default_context(self):
 ctx = ssl.create_default_context()

From dc22a8c62b0663389397db02e0a167a9741bcb32 Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Thu, 19 Aug 2021 01:08:45 +0900
Subject: [PATCH 7/7] Test case: connection

---
 Lib/test/test_ssl.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 8477661686cec9..b53f092936d055 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
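Review bot: The guard `if ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 13, 15):` added to test_options is, as far as I can tell, always true on any OpenSSL recent enough to build this module, so the `assertNotEqual(OP_LEGACY_SERVER_CONNECT, 0)` effectively runs unconditionally while the five-field tuple gives a reader nothing to verify beyond the terse `# 0.9.8m or later`. Either drop the guard and assert directly, or replace the comment with one that states the intent, e.g. `# SSL_OP_LEGACY_SERVER_CONNECT exists in every OpenSSL this module supports, so the module must export it`; if the tuple is kept, spell out what its fields mean (major, minor, fix, patch letter, release status) next to it. test_options begins outside the hunk.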
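Review bot: In _assert_context_options the non-3.0 branch asserts that the default context keeps `OP_LEGACY_SERVER_CONNECT` set, i.e. that `create_default_context()` leaves legacy insecure renegotiation with unpatched servers allowed on older OpenSSL; that is the library's own default rather than a policy the ssl module applies, and a vendor build that clears it (the hunk above already notes Ubuntu forcing `OP_NO_SSLv3`) would fail this assertion for reasons unrelated to CPython. Consider asserting only the 3.0.0 case, where the option being cleared is the security-relevant property, or at least document the older-OpenSSL expectation with a comment such as `# OpenSSL < 3.0 leaves legacy renegotiation enabled by default; this mirrors the library default, not a CPython choice`. IS_OPENSSL_3_0_0 is defined outside the hunk, so whether it means "3.0.0 exactly" or "3.0 or later" cannot be checked here; _assert_context_options also begins outside the hunk.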
@@ -4083,6 +4083,18 @@ def test_compression_disabled(self):
 sni_name=hostname)
 self.assertIs(stats['compression'], None)
+ @unittest.skipUnless(hasattr(ssl, 'OP_LEGACY_SERVER_CONNECT'),
+ "ssl.OP_LEGACY_SERVER_CONNECT needed for this test")
+ def test_legacy_server_connect(self):
+ client_context, server_context, hostname = testing_context()
+ if IS_OPENSSL_3_0_0:
+ client_context.options |= ssl.OP_LEGACY_SERVER_CONNECT
+ else:
+ client_context.options &= ~ssl.OP_LEGACY_SERVER_CONNECT
+ stats = server_params_test(client_context, server_context,
+ chatty=True, connectionchatty=True,
+ sni_name=hostname)
+
 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
 def test_dh_params(self):
 # Check we can get a connection with ephemeral Diffie-Hellman
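Review bot: `test_legacy_server_connect` never asserts anything about `stats`, so on OpenSSL 3.0.0 it only shows that enabling the option does not break an ordinary handshake against the test server, which never renegotiates, and on older OpenSSL the `else` branch clears the flag and exercises nothing related to it at all. The scope should be stated in the test, e.g. `# Only checks that the option is accepted; the test server never renegotiates, so the legacy renegotiation path itself is not exercised`, and the unused `stats` binding either dropped or replaced by an assertion on the returned stats so the test fails on something other than an exception. The enclosing test class starts outside the hunk.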