Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I would like to upload python2.7 to fix a problem where it can't talk to SSL/TLS sites that use an ECDSA certificate different than P256, like a P384 certificate. Here is the debdiff:
diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog --- python2.7-2.7.13/debian/changelog +++ python2.7-2.7.13/debian/changelog @@ -1,3 +1,10 @@ +python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium + + * Non-maintainer upload with maintainer's permission + * Support all groups in TLS communication (Closes: #868143) + + -- Kurt Roeckx <k...@roeckx.be> Thu, 09 Nov 2017 21:58:19 +0100 + python2.7 (2.7.13-2) unstable; urgency=medium * Lower priority of interpreter packages to optional. diff -u python2.7-2.7.13/debian/patches/series.in python2.7-2.7.13/debian/patches/series.in --- python2.7-2.7.13/debian/patches/series.in +++ python2.7-2.7.13/debian/patches/series.in @@ -71,0 +72 @@ +Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff only in patch2: unchanged: --- python2.7-2.7.13.orig/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff +++ python2.7-2.7.13/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
@@ -0,0 +1,28 @@ +From 97a145398ce7e36eb355f1fd75011ddbcb37d1b3 Mon Sep 17 00:00:00 2001 +From: Donald Stufft <don...@stufft.io> +Date: Thu, 2 Mar 2017 11:24:50 -0500 +Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ + +--- + Modules/_ssl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: python2.7-2.7.13/Modules/_ssl.c +=================================================================== +--- python2.7-2.7.13.orig/Modules/_ssl.c ++++ python2.7-2.7.13/Modules/_ssl.c +@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject + options |= SSL_OP_NO_SSLv3; + SSL_CTX_set_options(self->ctx, options); + +-#ifndef OPENSSL_NO_ECDH ++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1) + /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use + prime256v1 by default. This is Apache mod_ssl's initialization + policy, so we should be safe. OpenSSL 1.1 has it enabled by default. + */ +-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1) ++#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(self->ctx, 1); + #else + {
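Review bot: the changelog entry "Support all groups in TLS communication (Closes: #868143)" should also name the upstream bug so a stable-update reviewer can map this deb9u1 change to the upstream fix without opening the patch file; the Subject line of the added patch gives it, so something like "Support all groups in TLS communication; backport of upstream bpo-29697 (Closes: #868143)" would do. The version 2.7.13-2+deb9u1 and the stretch target are correct for a proposed update, and the series.in hunk appends the new patch name consistently with the file added below.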
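Review bot: the logic change is the outer guard in the _ssl.c hunk, and it is the right one. Before the patch the `#ifndef OPENSSL_NO_ECDH` block was compiled on OpenSSL 1.1 as well, and because the inner `#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)` is false on 1.1, those builds fell through to the `#else` branch that the comment describes as using prime256v1 by default, which restricts the client to that one group and matches the reported failure against P-384 ECDSA certificates. Moving `!defined(OPENSSL_VERSION_1_1)` into the outer condition skips the whole block on 1.1 and leaves OpenSSL's own default of automatic curve selection in place, as the comment's "OpenSSL 1.1 has it enabled by default" states. Two things to confirm before upload: the hunk as quoted here ends at the `#else` / `{` lines, so the remainder of the 12-line context and the matching `#endif`s are not visible and the preprocessor nesting should be checked against the applied file; and the patch file carries only the git From/Date/Subject headers, so adding DEP-3 `Origin: backport, <upstream commit URL>` and `Bug-Debian: https://bugs.debian.org/868143` lines (the commit hash 97a145398ce7e36eb355f1fd75011ddbcb37d1b3 is already in the header) would record the provenance in the package itself.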