diff options
| author | Christian Heimes <christian@cheimes.de> | 2013-11-23 10:24:32 (GMT) |
|---|---|---|
| committer | Christian Heimes <christian@cheimes.de> | 2013-11-23 10:24:32 (GMT) |
| commit | 2427b50fdda5eafa75a7b3345826ad805ba95d53 (patch) | |
| tree | e33620a1a0f6c2ba4bccb6b9ac5f71aa1909ae77 | |
| parent | 4a281a12f1aa430a6d14db633cc808e50427adeb (diff) | |
| download | cpython-2427b50fdda5eafa75a7b3345826ad805ba95d53.zip cpython-2427b50fdda5eafa75a7b3345826ad805ba95d53.tar.gz cpython-2427b50fdda5eafa75a7b3345826ad805ba95d53.tar.bz2 | |
Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
| -rw-r--r-- | Doc/library/ssl.rst | 1 | ||||
| -rw-r--r-- | Lib/test/test_ssl.py | 8 | ||||
| -rw-r--r-- | Modules/_ssl.c | 9 |
3 files changed, 18 insertions, 0 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 4d87586..7a7ddac 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1126,6 +1126,7 @@ to speed up repeated connections from the same clients. The flags for certificate verification operations. You can set flags like :data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL does neither require nor verify certificate revocation lists (CRLs). + Available only with openssl version 0.9.8+. .. versionadded:: 3.4 diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 7374327..d6a7443 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -82,6 +82,10 @@ def no_sslv2_implies_sslv3_hello(): # 0.9.7h or higher return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15) +def have_verify_flags(): + # 0.9.8 or higher + return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15) + def asn1time(cert_time): # Some versions of OpenSSL ignore seconds, see #18207 # 0.9.8.i @@ -667,6 +671,8 @@ class ContextTests(unittest.TestCase): with self.assertRaises(ValueError): ctx.verify_mode = 42 + @unittest.skipUnless(have_verify_flags(), + "verify_flags need OpenSSL > 0.9.8") def test_verify_flags(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) # default value by OpenSSL @@ -1809,6 +1815,8 @@ else: self.assertLess(before, after) s.close() + @unittest.skipUnless(have_verify_flags(), + "verify_flags need OpenSSL > 0.9.8") def test_crl_check(self): if support.verbose: sys.stdout.write("\n") diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 180355b..c255376 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -198,6 +198,11 @@ static unsigned int _ssl_locks_count = 0; # define OPENSSL_NO_COMP #endif +/* X509_VERIFY_PARAM got added to OpenSSL in 0.9.8 */ +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +# define HAVE_OPENSSL_VERIFY_PARAM +#endif + typedef struct { PyObject_HEAD @@ -2230,6 +2235,7 @@ set_verify_mode(PySSLContext *self, PyObject *arg, void *c) return 0; } +#ifdef HAVE_OPENSSL_VERIFY_PARAM static PyObject * get_verify_flags(PySSLContext *self, void *c) { @@ -2267,6 +2273,7 @@ set_verify_flags(PySSLContext *self, PyObject *arg, void *c) } return 0; } +#endif static PyObject * get_options(PySSLContext *self, void *c) @@ -3088,8 +3095,10 @@ get_ca_certs(PySSLContext *self, PyObject *args, PyObject *kwds) static PyGetSetDef context_getsetlist[] = { {"options", (getter) get_options, (setter) set_options, NULL}, +#ifdef HAVE_OPENSSL_VERIFY_PARAM {"verify_flags", (getter) get_verify_flags, (setter) set_verify_flags, NULL}, +#endif {"verify_mode", (getter) get_verify_mode, (setter) set_verify_mode, NULL}, {NULL}, /* sentinel */ |