Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+ 

The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
This commit is contained in:
Christian Heimes 2013-11-23 11:24:32 +01:00
parent 4a281a12f1
commit 2427b50fdd
3 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Doc/library/ssl.rst
View File

@ -1126,6 +1126,7 @@ to speed up repeated connections from the same clients.
The flags for certificate verification operations. You can set flags like The flags for certificate verification operations. You can set flags like
:data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL :data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL
does neither require nor verify certificate revocation lists (CRLs). does neither require nor verify certificate revocation lists (CRLs).
Available only with openssl version 0.9.8+.
.. versionadded:: 3.4 .. versionadded:: 3.4

8
Lib/test/test_ssl.py
View File

@ -82,6 +82,10 @@ def no_sslv2_implies_sslv3_hello():
# 0.9.7h or higher # 0.9.7h or higher
return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15) return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)
def have_verify_flags():
# 0.9.8 or higher
return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)
def asn1time(cert_time): def asn1time(cert_time):
# Some versions of OpenSSL ignore seconds, see #18207 # Some versions of OpenSSL ignore seconds, see #18207
# 0.9.8.i # 0.9.8.i
@ -667,6 +671,8 @@ class ContextTests(unittest.TestCase):
with self.assertRaises(ValueError): with self.assertRaises(ValueError):
ctx.verify_mode = 42 ctx.verify_mode = 42
@unittest.skipUnless(have_verify_flags(),
"verify_flags need OpenSSL > 0.9.8")
def test_verify_flags(self): def test_verify_flags(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# default value by OpenSSL # default value by OpenSSL
@ -1809,6 +1815,8 @@ else:
self.assertLess(before, after) self.assertLess(before, after)
s.close() s.close()
@unittest.skipUnless(have_verify_flags(),
"verify_flags need OpenSSL > 0.9.8")
def test_crl_check(self): def test_crl_check(self):
if support.verbose: if support.verbose:
sys.stdout.write("\n") sys.stdout.write("\n")

9
Modules/_ssl.c
View File

@ -198,6 +198,11 @@ static unsigned int _ssl_locks_count = 0;
# define OPENSSL_NO_COMP # define OPENSSL_NO_COMP
#endif #endif
/* X509_VERIFY_PARAM got added to OpenSSL in 0.9.8 */
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
# define HAVE_OPENSSL_VERIFY_PARAM
#endif
typedef struct { typedef struct {
PyObject_HEAD PyObject_HEAD
@ -2230,6 +2235,7 @@ set_verify_mode(PySSLContext *self, PyObject *arg, void *c)
return 0; return 0;
} }
#ifdef HAVE_OPENSSL_VERIFY_PARAM
static PyObject * static PyObject *
get_verify_flags(PySSLContext *self, void *c) get_verify_flags(PySSLContext *self, void *c)
{ {
@ -2267,6 +2273,7 @@ set_verify_flags(PySSLContext *self, PyObject *arg, void *c)
} }
return 0; return 0;
} }
#endif
static PyObject * static PyObject *
get_options(PySSLContext *self, void *c) get_options(PySSLContext *self, void *c)
@ -3088,8 +3095,10 @@ get_ca_certs(PySSLContext *self, PyObject *args, PyObject *kwds)
static PyGetSetDef context_getsetlist[] = { static PyGetSetDef context_getsetlist[] = {
{"options", (getter) get_options, {"options", (getter) get_options,
(setter) set_options, NULL}, (setter) set_options, NULL},
#ifdef HAVE_OPENSSL_VERIFY_PARAM
{"verify_flags", (getter) get_verify_flags, {"verify_flags", (getter) get_verify_flags,
(setter) set_verify_flags, NULL}, (setter) set_verify_flags, NULL},
#endif
{"verify_mode", (getter) get_verify_mode, {"verify_mode", (getter) get_verify_mode,
(setter) set_verify_mode, NULL}, (setter) set_verify_mode, NULL},
{NULL}, /* sentinel */ {NULL}, /* sentinel */