From 3e14217e745973b106e3adb3ba674084e45e6c4a Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Mon, 16 Aug 2021 12:55:48 +0900
Subject: [PATCH 1/7] Add ssl.OP_LEGACY_SERVER_CONNECT

Required for making OpenSSL 3.0.0 behave like 1.1.1.
---
 Modules/_ssl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 84cc3697b07063..486ff1be79467c 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -5890,6 +5890,10 @@ sslmodule_init_constants(PyObject *m)
     PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
                             SSL_OP_IGNORE_UNEXPECTED_EOF);
 #endif
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+    PyModule_AddIntConstant(m, "OP_LEGACY_SERVER_CONNECT",
+                            SSL_OP_LEGACY_SERVER_CONNECT);
+#endif
 
 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
     PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",

From 31706254272883baba844449542e2dbd94b1fe5a Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 14:28:02 +0900
Subject: [PATCH 2/7] NEWS entry

---
 .../NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst

diff --git a/Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst b/Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst
new file mode 100644
index 00000000000000..5c8164863b8192
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-08-18-05-14-36.bpo-44888.kpmYjl.rst
@@ -0,0 +1 @@
+Add :data:`ssl.OP_LEGACY_SERVER_CONNECT`

From f07c086152b3d2a0bdebbacfa933c5cbba826e31 Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 14:58:15 +0900
Subject: [PATCH 3/7] Documentation

---
 Doc/library/ssl.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 21077e0f4b42be..a7971a8cb9cf87 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -920,6 +920,13 @@ Constants
 
    .. versionadded:: 3.10
 
+.. data:: OP_LEGACY_SERVER_CONNECT
+
+   Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+   only.
+
+   .. versionadded:: 3.11
+
 .. data:: HAS_ALPN
 
    Whether the OpenSSL library has built-in support for the *Application-Layer

From 4cb5f3d8770922a6e46429328fff9affb89f2aab Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 15:03:52 +0900
Subject: [PATCH 4/7] Test case

---
 Lib/test/test_ssl.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d9e184365ce082..2cdf5118b6032f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -157,6 +157,7 @@ def data_file(*name):
 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
 OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
+OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0)
 
 # Ubuntu has patched OpenSSL and changed behavior of security level 2
 # see https://bugs.python.org/issue41561#msg389003

From 832e67be406055c5c92a24b226347a95caab76da Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 22:14:20 +0900
Subject: [PATCH 5/7] Doc: availability

---
 Doc/library/ssl.rst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index a7971a8cb9cf87..5e2032dbc94dce 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -925,6 +925,9 @@ Constants
    Allow legacy insecure renegotiation between OpenSSL and unpatched servers
    only.
 
+   This option is only available with OpenSSL 0.9.8m and later, and is disabled
+   in default context since OpenSSL 3.0.0.
+
    .. versionadded:: 3.11
 
 .. data:: HAS_ALPN

From 5891371a2c4785521326d28d05640e369ea02b5c Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Wed, 18 Aug 2021 23:52:40 +0900
Subject: [PATCH 6/7] Test case: availability

---
 Lib/test/test_ssl.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 2cdf5118b6032f..8477661686cec9 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1192,6 +1192,9 @@ def test_options(self):
         ctx.options = 0
         # Ubuntu has OP_NO_SSLv3 forced on by default
         self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
+        # 0.9.8m or later
+        if ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 13, 15):
+            self.assertNotEqual(OP_LEGACY_SERVER_CONNECT, 0)
 
     def test_verify_mode_protocol(self):
         with warnings_helper.check_warnings():
@@ -1682,6 +1685,12 @@ def _assert_context_options(self, ctx):
         if OP_CIPHER_SERVER_PREFERENCE != 0:
             self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
                              OP_CIPHER_SERVER_PREFERENCE)
+        if OP_LEGACY_SERVER_CONNECT != 0:
+            if IS_OPENSSL_3_0_0:
+                self.assertEqual(ctx.options & OP_LEGACY_SERVER_CONNECT, 0)
+            else:
+                self.assertEqual(ctx.options & OP_LEGACY_SERVER_CONNECT,
+                                 OP_LEGACY_SERVER_CONNECT)
 
     def test_create_default_context(self):
         ctx = ssl.create_default_context()

From dc22a8c62b0663389397db02e0a167a9741bcb32 Mon Sep 17 00:00:00 2001
From: xtkoba <69125751+xtkoba@users.noreply.github.com>
Date: Thu, 19 Aug 2021 01:08:45 +0900
Subject: [PATCH 7/7] Test case: connection

---
 Lib/test/test_ssl.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 8477661686cec9..b53f092936d055 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4083,6 +4083,18 @@ def test_compression_disabled(self):
                                    sni_name=hostname)
         self.assertIs(stats['compression'], None)
 
+    @unittest.skipUnless(hasattr(ssl, 'OP_LEGACY_SERVER_CONNECT'),
+                         "ssl.OP_LEGACY_SERVER_CONNECT needed for this test")
+    def test_legacy_server_connect(self):
+        client_context, server_context, hostname = testing_context()
+        if IS_OPENSSL_3_0_0:
+            client_context.options |= ssl.OP_LEGACY_SERVER_CONNECT
+        else:
+            client_context.options &= ~ssl.OP_LEGACY_SERVER_CONNECT
+        stats = server_params_test(client_context, server_context,
+                                   chatty=True, connectionchatty=True,
+                                   sni_name=hostname)
+
     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_dh_params(self):
         # Check we can get a connection with ephemeral Diffie-Hellman