Commit Graph

67 Commits

Author SHA1 Message Date
Zachary Ware d83e30cadd
gh-123700: Update OpenSSL versions in multissltests and CI (#123701)
Remove EOL 1.1.1w from CI and move it to the 'old' set in multissltests,
add latest 3.3.2 to both CI and multissltests.
2024-09-04 14:29:41 -05:00
Zachary Ware 56b00f4705
gh-123418: Update CI to use fresh OpenSSL releases (GH-123675)
Also adds openssl/openssl GitHub URL template for newer OpenSSL downloads
2024-09-04 13:16:53 -05:00
Victor Stinner d9b4316374
gh-120417: Remove unused imports in Tools (#120623) 2024-06-17 18:09:26 +02:00
Ned Deily 299e16ca0f
gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.13. (#115050)
Also update multissltests to use 1.1.1w, 3.0.13, 3.1.5, and 3.2.1.
2024-02-05 21:10:11 -05:00
Serhiy Storchaka b3d2427f22
gh-58032: Do not use argparse.FileType in module CLIs and scripts (GH-113649)
Open and close files manually. It prevents from leaking files,
preliminary creation of output files, and accidental closing of stdin
and stdout.
2024-01-10 15:07:19 +02:00
Victor Stinner a46e960768
gh-109649: Use os.process_cpu_count() (#110165)
Replace os.cpu_count() with os.process_cpu_count() in modules:

* compileall
* concurrent.futures
* multiprocessing

Replace os.cpu_count() with os.process_cpu_count() in programs:

* _decimal deccheck.py test
* freeze.py
* multissltests.py
* python -m test (regrtest)
* wasm_build.py

Other changes:

* test.pythoninfo logs os.process_cpu_count().
* regrtest gets os.process_cpu_count() / os.cpu_count() in headers.
2023-10-01 03:14:57 +02:00
Ned Deily c88037d137
gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to use 1.1.1w, 3.0.11, and 3.1.3. (gh-110002) 2023-09-28 00:45:13 -04:00
Ned Deily ed25f09716
gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. (GH-107896) 2023-08-18 15:48:20 -04:00
Gregory P. Smith ede89af605
gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (#105174)
Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.
2023-06-01 09:42:18 -07:00
Gregory P. Smith b41c47cd06
gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727)
Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt
2023-02-09 17:40:51 +00:00
Illia Volochii a23cb72ac8
gh-100454: Start running SSL tests with OpenSSL 3.1.0-beta1 (#100456) 2022-12-23 18:04:20 -08:00
Gregory P. Smith e00d730efe
Update github CI to use OpenSSL 1.1.1s and 3.0.7. (#99364) 2022-11-11 01:33:55 -08:00
Christian Heimes 873554ef84
gh-94682: Build and test with OpenSSL 1.1.1q (gh-94683) 2022-08-29 18:19:15 +02:00
Christian Heimes 81dca70d70
gh-93939: Build C extensions without setup.py (GH-94474)
Combines GH-93940, GH-94452, and GH-94433
2022-07-14 00:51:49 -07:00
Victor Stinner 47e35625ff
gh-84623: Remove unused imports (#94132) 2022-06-22 19:14:27 +02:00
Christian Heimes af0a50de4b
bpo-47024: Update OpenSSL to 1.1.1n (GH-31895)
Co-authored-by: Zachary Ware <zachary.ware@gmail.com>
2022-03-15 21:03:04 +01:00
Kumar Aditya fc54e722a2
bpo-46106: Update OpenSSL to 1.1.1m (GH-30211)
Co-authored-by: Ned Deily <nad@python.org>
2021-12-21 21:20:16 -05:00
Christian Heimes 2985feac4e
bpo-46114: Fix OpenSSL version check for 3.0.1 (GH-30170) 2021-12-17 16:17:32 +01:00
Christian Heimes 512dbf6f56
Fix out-of-tree build support for multissltest (GH-29694) 2021-11-22 10:50:53 +01:00
Christian Heimes cc7c680194
bpo-38820: Test with OpenSSL 3.0.0 final (GH-28205)
Signed-off-by: Christian Heimes <christian@python.org>
2021-09-07 19:04:55 +02:00
Łukasz Langa d6cb5dd9e1
bpo-45007: Update multissl to openssl 1.1.1l as well (GH-28044)
This was missed while upgrading CI.
2021-08-30 05:24:51 -07:00
Christian Heimes 44fb551499
bpo-38820: Test with OpenSSL 3.0.0-beta1 (GH-26769)
Signed-off-by: Christian Heimes <christian@python.org>
2021-06-19 11:08:41 +02:00
Christian Heimes 7109624d45
bpo-38820: Test with OpenSSL 3.0.0-alpha17 (#26266) 2021-05-20 16:46:38 +02:00
Christian Heimes e8525567dd
bpo-38820: Test with OpenSSL 3.0.0-alpha16 (GH-25942)
Also use new make target to install FIPS provider.
2021-05-06 16:30:12 +02:00
Christian Heimes 3c586ca500
bpo-38820: Old OpenSSL 3.0.0 releases are in /old/3.0/ (GH-25624)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-26 10:54:12 +02:00
Christian Heimes dcf658157d
bpo-38820: Test with OpenSSL 3.0.0-alpha15 (GH-25537)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-23 14:19:21 +02:00
Christian Heimes 39258d3595
bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)
- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code. Python wrappers are no-op.
- ECDH is always supported
- Remove OPENSSL_VERSION_1_1 macro
- Remove locking callbacks
- Drop PY_OPENSSL_1_1_API macro
- Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
- SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
- security level is always available now
- get_num_tickets is available with TLS 1.3
- X509_V_ERR MISMATCH is always available now
- Always set SSL_MODE_RELEASE_BUFFERS
- X509_V_FLAG_TRUSTED_FIRST is always available
- get_ciphers is always supported
- SSL_CTX_set_keylog_callback is always available
- Update Modules/Setup with static link example
- Mention PEP in whatsnew
- Drop 1.0.2 and 1.1.0 from GHA tests
2021-04-17 11:36:35 +02:00
Christian Heimes 150af75432
bpo-43788: Generate version specific _ssl_data.h (GH-25300)
Signed-off-by: Christian Heimes <christian@python.org>

Automerge-Triggered-By: GH:tiran
2021-04-09 08:02:00 -07:00
Christian Heimes a54fc683f2
bpo-43631: Update to OpenSSL 1.1.1k (GH-25024)
- [x] Build OpenSSL 1.1.1k for macOS
- [x] Build OpenSSL 1.1.1k for Windows

I have also updated multissl tester and various CI configurations to use latest OpenSSL. The versions were all over the place.

Signed-off-by: Christian Heimes <christian@python.org>

Automerge-Triggered-By: GH:tiran
2021-03-29 17:00:34 -07:00
Christian Heimes 32eba61ea4
bpo-43466: Add --with-openssl-rpath configure option (GH-24820) 2021-03-19 10:29:25 +01:00
Serhiy Storchaka 9355868458
bpo-41043: Escape literal part of the path for glob(). (GH-20994) 2020-06-20 11:10:31 +03:00
Christian Heimes a871f692b4
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
Fix :mod:`ssl`` code to be compatible with OpenSSL 1.1.x builds that use
``no-deprecated`` and ``--api=1.1.0``.

Note: Tests assume full OpenSSL API and fail with limited API.

Signed-off-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Wright <gienah@gentoo.org>
2020-06-01 08:58:14 +02:00
Christian Heimes 6e8cda91d9
bpo-40457: Support OpenSSL without TLS 1.0/1.1 (GH-19862)
OpenSSL can be build without support for TLS 1.0 and 1.1. The ssl module
now correctly adheres to OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 flags.

Also update multissltest to test with latest OpenSSL and LibreSSL
releases.

Signed-off-by: Christian Heimes <christian@python.org>

Automerge-Triggered-By: @tiran
2020-05-15 18:33:05 -07:00
Christian Heimes 938717fd04
bpo-40163: Fix multissltest download of old OpenSSL (GH-19329) 2020-05-15 22:32:25 +02:00
Christian Heimes 62d618c06b
bpo-40479: Test with latest OpenSSL versions (GH-20108)
* 1.0.2u (EOL)
* 1.1.0l (EOL)
* 1.1.1g
* 3.0.0-alpha2 (disabled for now)

Build the FIPS provider and create a FIPS configuration file for OpenSSL
3.0.0.

Signed-off-by: Christian Heimes <christian@python.org>

Automerge-Triggered-By: @tiran
2020-05-15 09:48:25 -07:00
Benjamin Peterson 584a3cfda4
closes bpo-40266, closes bpo-39953: Use numeric lib code if compiling against old OpenSSL. (GH-19506) 2020-04-13 22:11:40 -05:00
Benjamin Peterson 909b87d2bb
closes bpo-39953: Generate ifdefs around library code definitions. (GH-19490) 2020-04-12 13:59:31 -05:00
Benjamin Peterson 3e0dd3730b
closes bpo-39953: Update OpenSSL error codes table. (GH-19082)
I updated the error codes using the OpenSSL 1.1.1f source tree.
2020-04-11 15:36:12 -05:00
Benjamin Peterson cd16661f90
closes bpo-40125: Update multissltests.py to use OpenSSL 1.1.1f. (GH-19248) 2020-03-31 10:49:56 -05:00
Christian Heimes 58ab13479d bpo-38117: Test with OpenSSL 1.1.1d (GH-15983)
Signed-off-by: Christian Heimes <christian@python.org>
2019-09-11 18:45:52 +02:00
Min ho Kim c4cacc8c5e Fix typos in comments, docs and test names (#15018)
* Fix typos in comments, docs and test names

* Update test_pyparse.py

account for change in string length

* Apply suggestion: splitable -> splittable

Co-Authored-By: Terry Jan Reedy <tjreedy@udel.edu>

* Apply suggestion: splitable -> splittable

Co-Authored-By: Terry Jan Reedy <tjreedy@udel.edu>

* Apply suggestion: Dealloccte -> Deallocate

Co-Authored-By: Terry Jan Reedy <tjreedy@udel.edu>

* Update posixmodule checksum.

* Reverse idlelib changes.
2019-07-30 18:16:13 -04:00
Christian Heimes e35d1ba9ea
bpo-34271: Fix compatibility with 1.0.2 (GH-13728)
Fix various compatibility issues with LibreSSL and OpenSSL 1.0.2
introduced by bpo-34271.

Signed-off-by: Christian Heimes <christian@python.org>
2019-06-03 20:40:15 +02:00
Christian Heimes 06651ee418
bpo-37081: Test with OpenSSL 1.1.1c (GH-13631)
Signed-off-by: Christian Heimes <christian@python.org>
2019-06-03 20:10:19 +02:00
Christian Heimes 9fb051f032 bpo-34670: Add TLS 1.3 post handshake auth (GH-9460)
Add SSLContext.post_handshake_auth and
SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake
authentication.

Signed-off-by: Christian Heimes <christian@python.org>q


https://bugs.python.org/issue34670
2018-09-22 23:32:31 -07:00
Christian Heimes 529525fb5a
bpo-33618: Enable TLS 1.3 in tests (GH-7079)
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.

Signed-off-by: Christian Heimes <christian@python.org>
2018-05-23 22:24:45 +02:00
Christian Heimes e8eb6cb792
bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.

Also update multissltests and Travis config to test with latest OpenSSL.

Signed-off-by: Christian Heimes <christian@python.org>
2018-05-22 22:50:12 +02:00
Steve Dower e5f41d2f1e
bpo-33522: Enable CI builds on Visual Studio Team Services (#6865) 2018-05-16 17:50:29 -04:00
Christian Heimes 4ca0739c9d
bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210)
LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects
LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and
LibreSSL < 2.7.

Documentation updates and fixes for failing tests will be provided in
another patch set.

Signed-off-by: Christian Heimes <christian@python.org>
2018-03-24 15:41:37 +01:00
Christian Heimes 05d9fe32a1
bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (#5663)
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes

Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.

I'm going to address these issues when OpenSSL 1.1.1 reaches beta.

OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.

Signed-off-by: Christian Heimes <christian@python.org>
2018-02-27 08:55:39 +01:00
Christian Heimes ced9cb5303
bpo-32549: Compile OpenSSL 1.1.0 on Travis CI (#5180)
Use an improved version of multissl test helper to compile a local copy
of OpenSSL 1.1.0g.

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-16 21:02:26 +01:00