[issue32378] test_npn_protocols broken with LibreSSL 2.6.1+
Bernard Spil <pyt...@bachfreund.nl> added the comment: My pleasure! Glad we sorted this out for no-nextprotoneg and LibreSSL :D -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue32378> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue32378] test_npn_protocols broken with LibreSSL 2.6.1+
Bernard Spil <pyt...@bachfreund.nl> added the comment: See also https://github.com/python/cpython/pull/5343 Note: I am Sp1l on Github, spil here, CLA has been signed. -- nosy: +spil pull_requests: +5190
[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0
Bernard Spil added the comment: Sorry for the noise Christian, I thought the former EGD handling was still in place. That was fixed with https://github.com/python/cpython/commit/968ec1d29b44ca7a600df5984adff00a78392368 on 07 Jul 2016
[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0
Bernard Spil added the comment: Hi Christian, Great stuff! Please can you replace the HAVE_RAND_EGD ifdefs into OPENSSL_NO_EGD checks? Then the RAND_egd checks in configure.ac can also be removed. This was introduced by OpenSSL in https://github.com/openssl/openssl/commit/0423f812dc61f70c6ae6643191259ca9e5692c7f and is consistent with the naming in LibreSSL. Cheers, Bernard.
[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0
Bernard Spil added the comment: Can you please replace the HAVE_RAND_EGD bits with OPENSSL_NO_EGD as defined by both OpenSSL 1.1 and LibreSSL?
EGD default disabled: https://github.com/openssl/openssl/blob/master/Configure#L363
EGD methods not available: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L61
[issue24557] Refactor LibreSSL / EGD detection
Bernard Spil added the comment: It's been a year since this was created. Can we move this forward? For the OpenSSL 1.1 changes, see https://github.com/openssl/openssl/blob/master/Configure#L363 (egd is disabled in the default configuration) and https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L61 When OPENSSL_NO_EGD is defined, the EGD related methods are removed. This is still causing build problems on some installations, seems there can be differences in detection between configure and build phase. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205960#
[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0
Bernard Spil added the comment: Checking version numbers to see if a feature is available is a bad practice. How can features ever be removed this way! Would be better to check for the feature itself (using autoconf). The patch was mostly OK but any check for OPENSSL_VERSION_NUMBER for now also requires a negative check for LIBRESSL_VERSION_NUMBER as LibreSSL froze features at 1.0.1g. Next to that, anything requiring compression (CRIME attack) should be guarded using an #ifndef OPENSSL_NO_COMP. This patch allowed me to build Python 3.5 with LibreSSL 2.3 (i.e. without SSLv3, Compression, RC4, SHA-0, etc) -- Added file: http://bugs.python.org/file42480/patch-lang_python35-OpenSSL-1.1.0+LibreSSL
[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0
Bernard Spil added the comment: Testing this patch on HardenedBSD/LibreSSL (base SSL libs replaced with LibreSSL) -- nosy: +spil
[issue24557] Refactor LibreSSL / EGD detection
Bernard Spil added the comment: This is now also required for the upcoming OpenSSL 1.1.0 which also removed EGD by default
[issue23329] _ssl cannot be compiled with LibreSSL anymore (on OpenBSD 5.5) because of ALPN
Bernard Spil added the comment: Checking if the method is actually defined is the smart way to go.
From include/openssl/tls1.h:
    # define TLSEXT_TYPE_application_layer_protocol_negotiation
So
    #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
would show you if the feature is available regardless of the implementation (Open|Boring|Libre)SSL
[issue23329] _ssl cannot be compiled with LibreSSL anymore (on OpenBSD 5.5) because of ALPN
Bernard Spil added the comment: ALPN was removed originally but added again later http://marc.info/?l=openbsd-announce=142193407304782
[issue24557] Refactor LibreSSL / EGD detection
New submission from Bernard Spil: LibreSSL added a define OPENSSL_NO_EGD to their headers in version 2.2.0 in line with the defines of the other removed features. These patches remove detection of RAND_egd from configure and replace the detection in the source code. -- messages: 246169 nosy: spil priority: normal severity: normal status: open title: Refactor LibreSSL / EGD detection type: enhancement versions: Python 2.7, Python 3.5
[issue23177] test_ssl: failures on OpenBSD with LibreSSL
Bernard Spil added the comment: LibreSSL defines in opensslv.h
    #define LIBRESSL_VERSION_NUMBER 0x2000L
    #define OPENSSL_VERSION_NUMBER 0x2000L
And FreeBSD replaces
    #define OPENSSL_VERSION_NUMBER 0x1000107fL
Proper way would be to check for LIBRESSL_VERSION_NUMBER string, FreeBSD modifies the OpenSSL version number to indicate its compatibility level (as stated in commit log)
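The guard pattern argued for in these comments (ask the headers about the feature, and pair any OPENSSL_VERSION_NUMBER test with a negative LIBRESSL_VERSION_NUMBER test), as an added example that is not code from the tracker patches or from CPython. The macro values at the top are constructed stand-ins for a LibreSSL-style header set so the file compiles without the library installed; `struct tls_features` and `detect()` are hypothetical names.

```c
#include <stdio.h>

/* Constructed stand-ins for what LibreSSL-style <openssl/opensslv.h> and
 * <openssl/tls1.h> would provide; a real build includes the headers instead.
 * The version numbers are sample values chosen for this example. */
#define OPENSSL_VERSION_NUMBER  0x20000000L
#define LIBRESSL_VERSION_NUMBER 0x20000000L
#define OPENSSL_NO_EGD
#define OPENSSL_NO_COMP
#define TLSEXT_TYPE_application_layer_protocol_negotiation 16

struct tls_features { int naive_110, real_110, egd, comp, alpn; };

struct tls_features detect(void)
{
    struct tls_features f = {0, 0, 0, 0, 0};

    /* Fragile: a bare version comparison. A fork that reports a large
     * OPENSSL_VERSION_NUMBER is mistaken for OpenSSL 1.1.0. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    f.naive_110 = 1;
#endif
    /* Corrected: the same test plus the negative LibreSSL check. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
    f.real_110 = 1;
#endif
    /* Feature macros: only reference RAND_egd() when the library kept it. */
#ifndef OPENSSL_NO_EGD
    f.egd = 1;
#endif
    /* TLS compression (the CRIME concern) stays compiled out when absent. */
#ifndef OPENSSL_NO_COMP
    f.comp = 1;
#endif
    /* ALPN: test the extension macro itself, whatever the implementation. */
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
    f.alpn = 1;
#endif
    return f;
}

int main(void)
{
    struct tls_features f = detect();
    printf("naive_110=%d real_110=%d egd=%d comp=%d alpn=%d\n",
           f.naive_110, f.real_110, f.egd, f.comp, f.alpn);
    return 0;
}
```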
[issue23177] test_ssl: failures on OpenBSD with LibreSSL
Bernard Spil added the comment: Note that the FreeBSD port modifies the OPENSSL_VERSION_NUMBER and sets the version number to 1.0.1g. https://svnweb.freebsd.org/ports?view=revisionrevision=361642 -- nosy: +spil
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Bernard Spil added the comment: When configure is called with correct LDFLAGS and CPPFLAGS for LibreSSL these patches to configure, Modules/_ssl.c and Lib/_ssl.py will detect not having RAND_egd support in OpenSSL and make the build succeed. -- Added file: http://bugs.python.org/file37299/patch-configure.ac
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Changes by Bernard Spil pyt...@bachfreund.nl: Added file: http://bugs.python.org/file37300/patch-Lib_ssl.py
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Changes by Bernard Spil pyt...@bachfreund.nl: Added file: http://bugs.python.org/file37301/patch-Modules__ssl.c
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Changes by Bernard Spil pyt...@bachfreund.nl: Removed file: http://bugs.python.org/file37242/patch-Modules__ssl.c
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Bernard Spil added the comment: Victor: That is a change that has been implemented in the downstream port to fix wxPython, see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192365 this ended up in this patch as my primary objective was to fix it for the FreeBSD port. Antoine: Sorry, I'm not a python dev... I'm willing to do the work if you can provide the guidance... This was merely a works-for-me(TM) patch. Since nothing actually uses egd any longer I would not spend too much effort on it. The odds of anyone requiring EGD support _and_ using LibreSSL are negligible. EGD is last century's technology, there's no sense in mixing that with current tech.
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Bernard Spil added the comment: Remove https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192365 patch from this patch-set -- Added file: http://bugs.python.org/file37302/patch-configure.ac
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Changes by Bernard Spil pyt...@bachfreund.nl: Removed file: http://bugs.python.org/file37299/patch-configure.ac
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Bernard Spil added the comment:
    FAILED (failures=2, errors=2, skipped=5)
That is OK, as these 2 tests should fail with LibreSSL since SSLv2 and SSLv3 support has been removed from LibreSSL.
    ERROR: test_protocol_sslv23 (__main__.ThreadedTests)
    ERROR: test_protocol_sslv3 (__main__.ThreadedTests)
-- Added file: http://bugs.python.org/file37304/test_ssl.log
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Bernard Spil added the comment: Merged the patch from haypo back into the FreeBSD port for 2.7 at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192511 In the process I discovered during test_ssl that I had to patch Lib/socket.py as well to make RAND_egd conditional
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Bernard Spil added the comment: Hi, I think this can be found in LibreSSL's opensslv.h. An ifdef LIBRESSL_VERSION_NUMBER should work. See https://github.com/libressl-portable/openbsd/blob/master/src/lib/libssl/src/crypto/opensslv.h
_ssl.c includes crypto.h which in turn includes opensslv.h so checking for LIBRESSL_VERSION_NUMBER should provide the correct check. Attached patch does this in C whereas it should be checked for in configure and disabled with a HAS_RAND_egd. Have not figured out how to do this conditionally in Lib/ssl.py yet.
-- Added file: http://bugs.python.org/file37242/patch-Modules__ssl.c
[issue21356] Support LibreSSL (instead of OpenSSL): make RAND_egd optional
Bernard Spil added the comment: EGD was only necessary for some commercial UNIX systems, versions that needed it all reached end of life. It no longer makes sense to have any code referring to it.

    OS        EGD needed until release   date
    IRIX      6.5.19                     feb 2003
    Solaris   2.6                        jul 1997
    AIX       5.2                        oct 2002
    Tru64     5.1B                       sep 2002
    HP-UX     11i v2                     sep 2003

Please check OpenBSD's patches to remove EGD support from Python for many versions.
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/2.7/patches/patch-Lib_ssl_py
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/3.4/patches/patch-Lib_ssl_py
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/3.4/patches/patch-Lib_ssl_py
Alternatively see Gentoo's LibreSSL changes https://github.com/Sp1l/libressl/tree/master/dev-lang/python
-- nosy: +spil