[issue40457] Python fails to compile/load _ssl module if OpenSSL is compiled with no-tls1-method

2020-05-02 Thread Mitch Lindgren


Mitch Lindgren added the comment:

Thanks for the quick turnaround!

--

___
Python tracker 
<https://bugs.python.org/issue40457>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue40457] Python fails to compile/load _ssl module if OpenSSL is compiled with no-tls1-method

2020-04-30 Thread Mitch Lindgren


Mitch Lindgren added the comment:

I'd be happy to work on a patch for this. I think the simplest approach would 
be to change this block starting on line 3087:

    if (proto_version == PY_SSL_VERSION_TLS1)
        ctx = SSL_CTX_new(TLSv1_method());
#if HAVE_TLSv1_2
    else if (proto_version == PY_SSL_VERSION_TLS1_1)
        ctx = SSL_CTX_new(TLSv1_1_method());
    else if (proto_version == PY_SSL_VERSION_TLS1_2)
        ctx = SSL_CTX_new(TLSv1_2_method());
#endif
#ifndef OPENSSL_NO_SSL3
    else if (proto_version == PY_SSL_VERSION_SSL3)
        ctx = SSL_CTX_new(SSLv3_method());
#endif
#ifndef OPENSSL_NO_SSL2
    else if (proto_version == PY_SSL_VERSION_SSL2)
        ctx = SSL_CTX_new(SSLv2_method());
#endif
    else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
        ctx = SSL_CTX_new(TLS_method());
    else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
        ctx = SSL_CTX_new(TLS_client_method());
    else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
        ctx = SSL_CTX_new(TLS_server_method());
    else
        proto_version = -1;

into a switch and add additional #if !defined(OPENSSL_NO_XXX) macros to exclude 
version-specific methods. Please let me know if this sounds okay.

--

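The switch-plus-guards approach proposed above, written out as an added example. This is not the CPython patch and not code from the tracker: it does not link against OpenSSL, so instead of calling SSL_CTX_new it returns the name of the method function that would be requested, and NULL where _ssl.c would set proto_version = -1 and raise "invalid or unsupported protocol version". The OPENSSL_NO_* defines at the top are constructed to simulate the reporter's build (the exact feature macros a given OpenSSL emits should be checked in its opensslconf.h), and the enum values are an assumption for this example rather than CPython's.

```c
/* Added example, not the CPython patch: a switch-based method selector in
 * which every version-specific case sits behind an OPENSSL_NO_* guard, so a
 * method function that was compiled out of OpenSSL is never referenced.
 * That is what prevents the implicit-declaration compile error and the
 * "undefined symbol: TLSv1_method" import failure from the report. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: simulate an OpenSSL built with the
 * reporter's options (no-ssl3 no-tls1 no-tls1_1), which remove these
 * protocols and their *_method() functions. */
#define OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL3
#define OPENSSL_NO_TLS1
#define OPENSSL_NO_TLS1_1

/* Protocol identifiers using the names from _ssl.c; the numeric values are
 * an assumption for this example, not copied from CPython. */
enum py_ssl_version {
    PY_SSL_VERSION_SSL2 = 0,
    PY_SSL_VERSION_SSL3 = 1,
    PY_SSL_VERSION_TLS = 2,
    PY_SSL_VERSION_TLS1 = 3,
    PY_SSL_VERSION_TLS1_1 = 4,
    PY_SSL_VERSION_TLS1_2 = 5,
    PY_SSL_VERSION_TLS_CLIENT = 0x10,
    PY_SSL_VERSION_TLS_SERVER = 0x11
};

/* Return the OpenSSL method name for proto_version, or NULL when the
 * protocol is unknown or was compiled out of this OpenSSL build. */
const char *select_method_name(int proto_version)
{
    switch (proto_version) {
#ifndef OPENSSL_NO_SSL2
    case PY_SSL_VERSION_SSL2:
        return "SSLv2_method";
#endif
#ifndef OPENSSL_NO_SSL3
    case PY_SSL_VERSION_SSL3:
        return "SSLv3_method";
#endif
#ifndef OPENSSL_NO_TLS1
    case PY_SSL_VERSION_TLS1:
        return "TLSv1_method";
#endif
#ifndef OPENSSL_NO_TLS1_1
    case PY_SSL_VERSION_TLS1_1:
        return "TLSv1_1_method";
#endif
#ifndef OPENSSL_NO_TLS1_2
    case PY_SSL_VERSION_TLS1_2:
        return "TLSv1_2_method";
#endif
    case PY_SSL_VERSION_TLS:        /* SSLv23: negotiate highest common version */
        return "TLS_method";
    case PY_SSL_VERSION_TLS_CLIENT:
        return "TLS_client_method";
    case PY_SSL_VERSION_TLS_SERVER:
        return "TLS_server_method";
    default:
        return NULL;                /* _ssl.c sets proto_version = -1 here */
    }
}

/* 1 if the protocol can be used with this OpenSSL build, else 0. */
int protocol_supported(int proto_version)
{
    return select_method_name(proto_version) != NULL;
}

int main(void)
{
    const int versions[] = { PY_SSL_VERSION_SSL3, PY_SSL_VERSION_TLS1,
                             PY_SSL_VERSION_TLS1_2, PY_SSL_VERSION_TLS,
                             PY_SSL_VERSION_TLS_CLIENT, 99 };
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        const char *name = select_method_name(versions[i]);
        printf("proto %d -> %s\n", versions[i],
               name ? name : "invalid or unsupported protocol version");
    }
    return 0;
}
```

With the constructed defines in place, SSL3, TLS1 and TLS1_1 fall through to the default case and are reported as unsupported, while TLS1_2 and the version-flexible TLS_method variants remain available; removing the defines (a full-featured OpenSSL) makes the guarded cases reappear without any other change.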



[issue40457] Python fails to compile/load _ssl module if OpenSSL is compiled with no-tls1-method

2020-04-30 Thread Mitch Lindgren

New submission from Mitch Lindgren:

I'm working on a project which uses OpenSSL 1.1.1g. For security and compliance 
reasons, it is built with SSL and TLS < 1.2 methods compiled out, using the 
following OpenSSL build options:

no-ssl no-ssl3 no-tls1 no-tls1_1 no-ssl3-method no-tls1-method no-tls1_1-method

When compiling Python v3.8.2 with CFLAGS="-DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 
-DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1" and 
--with-openssl=/path/to/custom/openssl, _ssl.c fails to compile with the 
following error:

gcc -pthread -fPIC -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 
-Wall -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1 
-DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1 
-std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter 
-Wno-missing-field-initializers -Werror=implicit-function-declaration 
-I./Include/internal -I/home/mitch/openssl/include -I./Include -I. 
-I/usr/include/x86_64-linux-gnu -I/usr/local/include 
-I/home/mitch/cpython/Include -I/home/mitch/cpython -c 
/home/mitch/cpython/Modules/_ssl.c -o 
build/temp.linux-x86_64-3.8/home/mitch/cpython/Modules/_ssl.o
/home/mitch/cpython/Modules/_ssl.c: In function ‘_ssl__SSLContext_impl’:
/home/mitch/cpython/Modules/_ssl.c:3088:27: error: implicit declaration of 
function ‘TLSv1_method’; did you mean ‘DTLSv1_method’? 
[-Werror=implicit-function-declaration]
 ctx = SSL_CTX_new(TLSv1_method());
   ^~~~
   DTLSv1_method
/home/mitch/cpython/Modules/_ssl.c:3088:27: warning: passing argument 1 of 
‘SSL_CTX_new’ makes pointer from integer without a cast [-Wint-conversion]
In file included from /home/mitch/cpython/Modules/_ssl.c:62:0:
/home/mitch/openssl/include/openssl/ssl.h:1503:17: note: expected ‘const 
SSL_METHOD * {aka const struct ssl_method_st *}’ but argument is of type ‘int’
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
 ^~~
/home/mitch/cpython/Modules/_ssl.c:3091:27: error: implicit declaration of 
function ‘TLSv1_1_method’; did you mean ‘TLSv1_2_method’? 
[-Werror=implicit-function-declaration]
 ctx = SSL_CTX_new(TLSv1_1_method());
   ^~
   TLSv1_2_method
/home/mitch/cpython/Modules/_ssl.c:3091:27: warning: passing argument 1 of 
‘SSL_CTX_new’ makes pointer from integer without a cast [-Wint-conversion]
In file included from /home/mitch/cpython/Modules/_ssl.c:62:0:
/home/mitch/openssl/include/openssl/ssl.h:1503:17: note: expected ‘const 
SSL_METHOD * {aka const struct ssl_method_st *}’ but argument is of type ‘int’
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
 ^~~
cc1: some warnings being treated as errors

This also affects older versions. With v3.5.6, the _ssl module compiles 
successfully (it may be getting the declaration of TLSv1_method from the system 
default OpenSSL header since the --with-openssl option doesn't exist in this 
version), but importing the module at runtime fails:

root@10:/tmp/acmstest# python3
Python 3.5.6 (default, Mar 23 2020, 05:11:33)
[GCC 8.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.5/ssl.py", line 99, in <module>
    import _ssl # if we can't import it, let the error propagate
ImportError: 
/usr/lib/python3.5/lib-dynload/_ssl.cpython-35m-aarch64-linux-gnu.so: undefined 
symbol: TLSv1_method

--
assignee: christian.heimes
components: SSL
messages: 367793
nosy: Mitch Lindgren, christian.heimes
priority: normal
severity: normal
status: open
title: Python fails to compile/load _ssl module if OpenSSL is compiled with 
no-tls1-method
type: compile error
versions: Python 3.5, Python 3.6, Python 3.7, Python 3.8
