Issue 34834: test_ssl.test_options does not correctly account for built-in ctx defaults with openssl 1.1.1 (original) (raw)

Issue34834

Created on 2018-09-28 16:14 by xnox, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 9624 closed xnox,2018-09-28 16:18
Messages (3)
msg326642 - (view) Author: Dimitri John Ledkov (xnox) * Date: 2018-09-28 16:14
self.assertEqual(default, ctx.options) in test_options fails with openssl 1.1.1 as it does not correctly account for OP_ENABLE_MIDDLEBOX_COMPAT. It is not defined by the python2.7 ssl module either. either ssl.OP_ENABLE_MIDDLEBOX_COMPAT needs to be backported, or the test case should just add that constant in when openssl version is >= 1.1.1
msg333976 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-01-18 15:19
Python 2.7 doesn't support properly OpenSSL 1.1.1 yet, see: * PR 10607 * PR 10608 I would prefer to have _ssl.OP_ENABLE_MIDDLEBOX_COMPAT rather than have an hardcoded constant in test_ssl. In master, test_ssl has been fixed and the constant has been added by: commit 05d9fe32a1245b9a798e49e0c1eb91f110935b69 Author: Christian Heimes <christian@python.org> Date: Tue Feb 27 08:55:39 2018 +0100 bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (#5663) * bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2. Other tests currently fail because the threaded or async test servers stop after failure. I'm going to address these issues when OpenSSL 1.1.1 reaches beta. OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options. Signed-off-by: Christian Heimes <christian@python.org> diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 7371024dce..5d5232eda3 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -831,6 +831,15 @@ Constants .. versionadded:: 3.3 +.. data:: OP_ENABLE_MIDDLEBOX_COMPAT + + Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make + a TLS 1.3 connection look more like a TLS 1.2 connection. + + This option is only available with OpenSSL 1.1.1 and later. + + .. versionadded:: 3.8 + .. data:: OP_NO_COMPRESSION Disable compression on the SSL channel. This is useful if the application (...)
msg360263 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2020-01-19 18:14
As this issue appears to only affect 2.7 which recently reached end-of-life status, I'm going to go ahead and close it.
History
Date User Action Args
2022-04-11 14:59:06 admin set github: 79015
2020-01-19 18:14:28 zach.ware set status: open -> closedassignee: christian.heimescomponents: + Tests, SSLnosy: + zach.waremessages: + resolution: out of datestage: patch review -> resolved
2019-01-18 15:19:32 vstinner set nosy: + vstinnermessages: +
2018-10-01 19:42:17 cstratak set nosy: + cstratak
2018-09-28 17:38:45 xtreak set nosy: + christian.heimes
2018-09-28 16🔞26 xnox set keywords: + patchstage: patch reviewpull_requests: + <pull%5Frequest9022>
2018-09-28 16:14:56 xnox create