author | Christian Heimes <christian@python.org> | 2021-04-09 15:59:21 (GMT) |
committer | GitHub <noreply@github.com> | 2021-04-09 15:59:21 (GMT) |
commit | 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372 (patch) | |
tree | 9628d3fbacd52f426f15aa90150542d1acd7cb9b | |
parent | 507a574de31a1bd7fed8ba4f04afa285d985109b (diff) | |
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
Signed-off-by: Christian Heimes <christian@python.org>
-rw-r--r-- | Doc/library/ssl.rst | 8 | ||||
-rw-r--r-- | Lib/test/test_ssl.py | 4 | ||||
-rw-r--r-- | Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst | 1 | ||||
-rw-r--r-- | Modules/_ssl.c | 8 |
4 files changed, 20 insertions, 1 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 9333168..587d3b3 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -893,6 +893,14 @@ Constants
 .. versionadded:: 3.6
+.. data:: OP_IGNORE_UNEXPECTED_EOF
+
+ Ignore unexpected shutdown of TLS connections.
+
+ This option is only available with OpenSSL 3.0.0 and later.
+
+ .. versionadded:: 3.10
+
 .. data:: HAS_ALPN
 Whether the OpenSSL library has built-in support for the *Application-Layer
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index c0e040d..831f411 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -151,6 +151,7 @@ OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
 OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
 # Ubuntu has patched OpenSSL and changed behavior of security level 2
 # see https://bugs.python.org/issue41561#msg389003
@@ -1168,7 +1169,8 @@ class ContextTests(unittest.TestCase):
 # SSLContext also enables these by default
 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
- OP_ENABLE_MIDDLEBOX_COMPAT)
+ OP_ENABLE_MIDDLEBOX_COMPAT |
+ OP_IGNORE_UNEXPECTED_EOF)
 self.assertEqual(default, ctx.options)
 ctx.options |= ssl.OP_NO_TLSv1
 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
diff --git a/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst b/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
new file mode 100644
index 0000000..64894bd
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
@@ -0,0 +1 @@
+Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 3ee61e3..c08665b 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
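Review bot: The extended `default` mask in the `@@ -1168` hunk of Lib/test/test_ssl.py only checks that the new bit is present in `ctx.options`; no hunk in this commit exercises what the bit changes, namely how a peer that closes the transport without sending close_notify is reported to the reader. Since `OP_IGNORE_UNEXPECTED_EOF` falls back to `0` through `getattr` in the first hunk, the assertion is a no-op on builds that lack the constant, which is fine, but it means the only OpenSSL 3.0 coverage is the presence of the bit. A behavioural test, skipped unless `ssl.OP_IGNORE_UNEXPECTED_EOF` is non-zero, that closes the server side without `unwrap()` and asserts what the client's `recv()` returns would pin the intended 1.1.1-compatible behaviour, and a second case with `ctx.options &= ~ssl.OP_IGNORE_UNEXPECTED_EOF` would document what strict callers can expect. The enclosing test method starts outside the hunk.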
@@ -3203,6 +3203,10 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
 #ifdef SSL_OP_SINGLE_ECDH_USE
 options |= SSL_OP_SINGLE_ECDH_USE;
 #endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ /* Make OpenSSL 3.0.0 behave like 1.1.1 */
+ options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
 SSL_CTX_set_options(self->ctx, options);
 /* A bare minimum cipher list without completely broken cipher suites.
@@ -6313,6 +6317,10 @@ sslmodule_init_constants(PyObject *m)
 PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION", SSL_OP_NO_RENEGOTIATION);
 #endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
+ SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
 PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",
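Review bot: The comment `/* Make OpenSSL 3.0.0 behave like 1.1.1 */` on the new block in `_ssl__SSLContext_impl` states the goal but not the trade-off a reader of this default needs: as I understand the OpenSSL option, with the bit set a peer that drops the transport without a close_notify alert is no longer reported as an error, so at this layer a truncated TLS stream is indistinguishable from an orderly shutdown. I would expand it to `/* OpenSSL 3.0 reports a transport close without close_notify as an error; set this so it is surfaced the way 1.1.1 did. Callers that need strict close_notify semantics must clear OP_IGNORE_UNEXPECTED_EOF on the context. */`. The new `Doc/library/ssl.rst` entry has the same gap: it describes the option but does not say that `SSLContext` enables it by default or that truncation then goes undetected at the TLS layer. `_ssl__SSLContext_impl` starts and ends outside the hunk.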