bpo-30622: Change NPN detection: by melvyn-sopacua · Pull Request #2079 · python/cpython
Bpo follows.
Changes NPN detection to match semantics of OpenSSL 1.1.
Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
Version breakdown, support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
Hello, and thanks for your contribution!
I'm a bot set up to make sure that the project can legally accept your contribution by verifying you have signed the PSF contributor agreement (CLA).
Unfortunately our records indicate you have not signed the CLA. For legal reasons we need you to sign this before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue.
Thanks again for your contribution and we look forward to looking at it!
melvyn-sopacua changed the title from "Change NPN detection:" to "bpo-30622: Change NPN detection:"
Needs some more refinement. do_protocol_selection is used when ALPN is enabled. When NPN is disabled and ALPN is enabled, this function doesn't exist.
- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way
This created a working ssl module for me, with NPN disabled and ALPN enabled for OpenSSL 1.1.0f.
Concerns to address: The initial commit for NPN support into OpenSSL [1], had the OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG guard. The question is if that ever made it into a release. This would need an ugly hack, something like:
#if defined(OPENSSL_NO_NEXTPROTONEG) && \
!defined(OPENSSL_NPN_NEGOTIATED)
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
#endif
[1] openssl/openssl@68b33cc5c7
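The guard logic discussed in this comment, as an added example that is not code from the pull request or from CPython: the simulated header macros, `SIM_HAVE_ALPN`, `SIM_HAVE_NPN`, `sim_have_npn` and `sim_select_proto` are assumptions made for illustration. It shows that once the fallback defines are in place, only the post-patch check still reports NPN as absent, while the selection helper shared with ALPN keeps the status codes it returns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for OpenSSL headers that compile NPN out and also hide
 * the status constants; a real build gets these macros from OpenSSL. */
#define OPENSSL_NO_NEXTPROTONEG
#define SIM_HAVE_ALPN 1 /* hypothetical flag: ALPN is available */

/* Fallback guard quoted in the PR comment: supply the missing status codes. */
#if defined(OPENSSL_NO_NEXTPROTONEG) && !defined(OPENSSL_NPN_NEGOTIATED)
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
#endif

/* Post-patch NPN detection: constant present and NPN not disabled.
 * A bare #ifdef OPENSSL_NPN_NEGOTIATED would now report NPN as present. */
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
# define SIM_HAVE_NPN 1
#else
# define SIM_HAVE_NPN 0
#endif
int sim_have_npn(void) { return SIM_HAVE_NPN; }

#if SIM_HAVE_NPN || SIM_HAVE_ALPN
/* Hypothetical helper shared by the NPN and ALPN callbacks. Lists are
 * length-prefixed (<len><name>...); server preference order wins. */
int sim_select_proto(const unsigned char **out, unsigned char *outlen,
                     const unsigned char *srv, size_t srv_len,
                     const unsigned char *cli, size_t cli_len)
{
    for (size_t i = 0; i < srv_len && i + 1 + srv[i] <= srv_len; i += 1 + srv[i])
        for (size_t j = 0; j < cli_len && j + 1 + cli[j] <= cli_len; j += 1 + cli[j])
            if (srv[i] == cli[j] && memcmp(srv + i + 1, cli + j + 1, srv[i]) == 0) {
                *out = srv + i + 1;
                *outlen = srv[i];
                return OPENSSL_NPN_NEGOTIATED;
            }
    /* No overlap: fall back to the client's first entry, if well-formed. */
    *out = (cli_len && (size_t)cli[0] + 1 <= cli_len) ? cli + 1 : NULL;
    *outlen = *out ? cli[0] : 0;
    return OPENSSL_NPN_NO_OVERLAP;
}
#endif
int main(void) {
    const unsigned char srv[] = {2, 'h', '2'}, cli[] = {2, 'h', '2'}; /* constructed */
    const unsigned char *p; unsigned char n;
    printf("HAVE_NPN=%d rc=%d\n", sim_have_npn(), sim_select_proto(&p, &n, srv, 3, cli, 3));
    return 0;
}
```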
LGTM
tiran pushed a commit to tiran/cpython that referenced this pull request
(cherry picked from commit b2d096b)
tiran pushed a commit to tiran/cpython that referenced this pull request
(cherry picked from commit b2d096b)
zware added a commit to zware/cpython that referenced this pull request
zware mentioned this pull request
zware added a commit that referenced this pull request
tiran added a commit that referenced this pull request
(cherry picked from commit b2d096b)
tiran added a commit that referenced this pull request
(cherry picked from commit b2d096b)
GadgetSteve pushed a commit to GadgetSteve/cpython that referenced this pull request
GadgetSteve pushed a commit to GadgetSteve/cpython that referenced this pull request