mirror of https://github.com/python/cpython
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
Signed-off-by: Christian Heimes <christian@python.org>
This commit is contained in:
parent
507a574de3
commit
6f37ebc61e
|
@ -893,6 +893,14 @@ Constants
|
|||
|
||||
.. versionadded:: 3.6
|
||||
|
||||
.. data:: OP_IGNORE_UNEXPECTED_EOF
|
||||
|
||||
Ignore unexpected shutdown of TLS connections.
|
||||
|
||||
This option is only available with OpenSSL 3.0.0 and later.
|
||||
|
||||
.. versionadded:: 3.10
|
||||
|
||||
.. data:: HAS_ALPN
|
||||
|
||||
Whether the OpenSSL library has built-in support for the *Application-Layer
|
||||
|
|
|
@ -151,6 +151,7 @@ OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
|
|||
OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
|
||||
OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
|
||||
OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
|
||||
OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
|
||||
|
||||
# Ubuntu has patched OpenSSL and changed behavior of security level 2
|
||||
# see https://bugs.python.org/issue41561#msg389003
|
||||
|
@ -1168,7 +1169,8 @@ class ContextTests(unittest.TestCase):
|
|||
# SSLContext also enables these by default
|
||||
default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
|
||||
OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
|
||||
OP_ENABLE_MIDDLEBOX_COMPAT)
|
||||
OP_ENABLE_MIDDLEBOX_COMPAT |
|
||||
OP_IGNORE_UNEXPECTED_EOF)
|
||||
self.assertEqual(default, ctx.options)
|
||||
ctx.options |= ssl.OP_NO_TLSv1
|
||||
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)
|
|
@ -3202,6 +3202,10 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
|
|||
#endif
|
||||
#ifdef SSL_OP_SINGLE_ECDH_USE
|
||||
options |= SSL_OP_SINGLE_ECDH_USE;
|
||||
#endif
|
||||
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
|
||||
/* Make OpenSSL 3.0.0 behave like 1.1.1 */
|
||||
options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
|
||||
#endif
|
||||
SSL_CTX_set_options(self->ctx, options);
|
||||
|
||||
|
@ -6313,6 +6317,10 @@ sslmodule_init_constants(PyObject *m)
|
|||
PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION",
|
||||
SSL_OP_NO_RENEGOTIATION);
|
||||
#endif
|
||||
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
|
||||
PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
|
||||
SSL_OP_IGNORE_UNEXPECTED_EOF);
|
||||
#endif
|
||||
|
||||
#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
|
||||
PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",
|
||||
|
|
Loading…
Reference in New Issue