diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
index 15a83dd0370..1576599379c 100644
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -59,7 +59,7 @@ jobs:
variables:
testRunTitle: '$(build.sourceBranchName)-linux'
testRunPlatform: linux
- openssl_version: 1.1.0j
+ openssl_version: 1.1.1b
steps:
- template: ./posix-steps.yml
@@ -116,7 +116,7 @@ jobs:
variables:
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
testRunPlatform: linux-coverage
- openssl_version: 1.1.0j
+ openssl_version: 1.1.1b
steps:
- template: ./posix-steps.yml
diff --git a/Lib/test/test_asyncio/test_sslproto.py b/Lib/test/test_asyncio/test_sslproto.py
index 7bc2ccf0bdd..079b2558556 100644
--- a/Lib/test/test_asyncio/test_sslproto.py
+++ b/Lib/test/test_asyncio/test_sslproto.py
@@ -497,8 +497,8 @@ class BaseStartTLS(func_tests.FunctionalTestCaseMixin):
server_context = test_utils.simple_server_sslcontext()
client_context = test_utils.simple_client_sslcontext()
- if sys.platform.startswith('freebsd'):
- # bpo-35031: Some FreeBSD buildbots fail to run this test
+ if sys.platform.startswith('freebsd') or sys.platform.startswith('win'):
+ # bpo-35031: Some FreeBSD and Windows buildbots fail to run this test
# as the eof was not being received by the server if the payload
# size is not big enough. This behaviour only appears if the
# client is using TLS1.3.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 5b53b8250f6..d48d6e5569f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2188,7 +2188,7 @@ class ThreadedEchoServer(threading.Thread):
self.sock, server_side=True)
self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol())
self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
- except (ConnectionResetError, BrokenPipeError) as e:
+ except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
# We treat ConnectionResetError as though it were an
# SSLError - OpenSSL on Ubuntu abruptly closes the
# connection when asked to use an unsupported protocol.
@@ -2196,6 +2196,9 @@ class ThreadedEchoServer(threading.Thread):
# BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
# tries to send session tickets after handshake.
# https://github.com/openssl/openssl/issues/6342
+ #
+ # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
+ # tries to send session tickets after handshake when using WinSock.
self.server.conn_errors.append(str(e))
if self.server.chatty:
handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
@@ -2326,7 +2329,7 @@ class ThreadedEchoServer(threading.Thread):
sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
% (msg, ctype, msg.lower(), ctype))
self.write(msg.lower())
- except ConnectionResetError:
+ except (ConnectionResetError, ConnectionAbortedError):
# XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError
# when connection is not shut down gracefully.
if self.server.chatty and support.verbose:
@@ -2336,6 +2339,18 @@ class ThreadedEchoServer(threading.Thread):
)
self.close()
self.running = False
+ except ssl.SSLError as err:
+ # On Windows sometimes test_pha_required_nocert receives the
+ # PEER_DID_NOT_RETURN_A_CERTIFICATE exception
+ # before the 'tlsv13 alert certificate required' exception.
+ # If the server is stopped when PEER_DID_NOT_RETURN_A_CERTIFICATE
+ # is received test_pha_required_nocert fails with ConnectionResetError
+ # because the underlying socket is closed
+ if 'PEER_DID_NOT_RETURN_A_CERTIFICATE' == err.reason:
+ if self.server.chatty and support.verbose:
+ sys.stdout.write(err.args[1])
+ # test_pha_required_nocert is expecting this exception
+ raise ssl.SSLError('tlsv13 alert certificate required')
except OSError:
if self.server.chatty:
handle_error("Test server failure:\n")
diff --git a/Misc/ACKS b/Misc/ACKS
index f5a31a878c5..06e288dfcb2 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1104,6 +1104,7 @@ Florian Mladitsch
Doug Moen
Jakub Molinski
Juliette Monsel
+Paul Monson
The Dragon De Monsyne
Bastien Montagne
Skip Montanaro
diff --git a/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst b/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst
new file mode 100644
index 00000000000..03249c6a168
--- /dev/null
+++ b/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst
@@ -0,0 +1 @@
+Update to OpenSSL 1.1.1b for Windows.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index e75e3466dd3..390a1af1e59 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -669,7 +669,7 @@ fill_and_set_sslerror(PySSLSocket *sslsock, PyObject *type, int ssl_errno,
if (msg == NULL)
goto fail;
- init_value = Py_BuildValue("iN", ssl_errno, msg);
+ init_value = Py_BuildValue("iN", ERR_GET_REASON(ssl_errno), msg);
if (init_value == NULL)
goto fail;
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index b82b6e6588e..42ffe6f485f 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -53,7 +53,7 @@ echo.Fetching external libraries...
set libraries=
set libraries=%libraries% bzip2-1.0.6
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.3.0-rc0-r1
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.0j
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1b
set libraries=%libraries% sqlite-3.21.0.0
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0
@@ -77,7 +77,7 @@ echo.Fetching external binaries...
set binaries=
if NOT "%IncludeLibffi%"=="false" set binaries=%binaries% libffi
-if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.0j
+if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1b
if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0
if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06
diff --git a/PCbuild/openssl.props b/PCbuild/openssl.props
index 8c78cd4ab10..a7e16793c7f 100644
--- a/PCbuild/openssl.props
+++ b/PCbuild/openssl.props
@@ -11,7 +11,8 @@
<_DLLSuffix>-1_1
- <_DLLSuffix Condition="$(Platform) == 'x64'">$(_DLLSuffix)-x64
+ <_DLLSuffix Condition="$(Platform) == 'ARM'">$(_DLLSuffix)-arm
+ <_DLLSuffix Condition="$(Platform) == 'ARM64'">$(_DLLSuffix)-arm64
<_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" />
diff --git a/PCbuild/openssl.vcxproj b/PCbuild/openssl.vcxproj
index 1a36d08ec06..0da6f674958 100644
--- a/PCbuild/openssl.vcxproj
+++ b/PCbuild/openssl.vcxproj
@@ -1,38 +1,22 @@
-
- Debug
- Win32
-
Release
Win32
-
- PGInstrument
- Win32
-
-
- PGInstrument
- x64
-
-
- PGUpdate
- Win32
-
-
- PGUpdate
- x64
-
-
- Debug
- x64
-
Release
x64
+
+ Release
+ ARM
+
+
+ Release
+ ARM64
+
{B5FD6F1D-129E-4BFF-9340-03606FAC7283}
@@ -40,15 +24,36 @@
-
-
+
+
Makefile
32
- 64
x86
- amd64
VC-WIN32
- VC-WIN64A
+ true
+
+
+
+ Makefile
+ 64
+ amd64
+ VC-WIN64A-masm
+ true
+
+
+
+ Makefile
+ ARM
+ ARM
+ VC-WIN32-ARM
+ true
+
+
+
+ Makefile
+ ARM64
+ ARM64
+ VC-WIN64-ARM
true
diff --git a/PCbuild/prepare_ssl.bat b/PCbuild/prepare_ssl.bat
index bd4b548528c..88fd0225f5e 100644
--- a/PCbuild/prepare_ssl.bat
+++ b/PCbuild/prepare_ssl.bat
@@ -42,7 +42,7 @@ if ERRORLEVEL 1 (echo Cannot locate MSBuild.exe on PATH or as MSBUILD variable &
call "%PCBUILD%\find_python.bat" "%PYTHON%"
if ERRORLEVEL 1 (echo Cannot locate python.exe on PATH or as PYTHON variable & exit /b 3)
-call "%PCBUILD%\get_externals.bat" --openssl-src %ORG_SETTING%
+call "%PCBUILD%\get_externals.bat" --openssl-src --no-openssl %ORG_SETTING%
if "%PERL%" == "" where perl > "%TEMP%\perl.loc" 2> nul && set /P PERL= <"%TEMP%\perl.loc" & del "%TEMP%\perl.loc"
if "%PERL%" == "" (echo Cannot locate perl.exe on PATH or as PERL variable & exit /b 4)
@@ -51,4 +51,8 @@ if "%PERL%" == "" (echo Cannot locate perl.exe on PATH or as PERL variable & exi
if errorlevel 1 exit /b
%MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=x64
if errorlevel 1 exit /b
+%MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=ARM
+if errorlevel 1 exit /b
+%MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=ARM64
+if errorlevel 1 exit /b
diff --git a/PCbuild/python.props b/PCbuild/python.props
index 52bc99e0560..b3e5b92f292 100644
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -26,6 +26,7 @@
-->
amd64
arm32
+ arm64
win32
@@ -56,8 +57,8 @@
$(ExternalsDir)libffi\
$(ExternalsDir)libffi\$(ArchName)\
$(libffiOutDir)include
- $(ExternalsDir)openssl-1.1.0j\
- $(ExternalsDir)openssl-bin-1.1.0j\$(ArchName)\
+ $(ExternalsDir)openssl-1.1.1b\
+ $(ExternalsDir)openssl-bin-1.1.1b\$(ArchName)\
$(opensslOutDir)include
$(ExternalsDir)\nasm-2.11.06\
$(ExternalsDir)\zlib-1.2.11\
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index c8473286119..cf4aa4c9175 100644
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -165,7 +165,7 @@ _lzma
Homepage:
http://tukaani.org/xz/
_ssl
- Python wrapper for version 1.1.0h of the OpenSSL secure sockets
+ Python wrapper for version 1.1.1b of the OpenSSL secure sockets
library, which is downloaded from our binaries repository at
https://github.com/python/cpython-bin-deps.