Christian Heimes added the comment:
The OP hasn't replied in over 3 months. I'm closing the bug as stale.
--
resolution: -> out of date
stage: -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Change by Christian Heimes :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Christian Heimes added the comment:
New changeset 7f1305ef9ea7234e1a5aacbea17490232e9b7dc2 by Christian Heimes in
branch 'master':
bpo-42333: Port _ssl extension to multiphase initialization (PEP 489) (GH-23253)
https://github.com/python/cpython/commit
Christian Heimes added the comment:
* ssl.SSLContext() without a protocol argument
* ssl.match_hostname()
--
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
It looks like we might be able to update the files after all. It's hard to say,
though. The older tickets and commits for config.guess don't contain much
context or explanation.
--
___
Python tracker
<ht
Christian Heimes added the comment:
The files are auto-generated by autoconf. The common Linux platforms do not
have autoconf 2.71 yet. A large number of core developers use Debian, Fedora,
or Ubuntu. The latest releases of these distros only have autoconf 2.69.
Until we can update, you
Christian Heimes added the comment:
New changeset b8d0fa035d74ae6ae00794c9af636b427c5dc650 by Christian Heimes in
branch 'master':
bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)
https://github.com/python/cpython/commit/b8d0fa035d74ae6ae00794c9af636b427c5dc650
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +24183
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25455
___
Python tracker
<https://bugs.python.org/issu
New submission from Christian Heimes :
With PEP 644 accepted I can finally raise deprecation warnings for a lot of
features that have been deprecated since Python 3.6 / 3.7 or by OpenSSL 1.1.1:
* ssl.OP_NO_SSLv2
* ssl.OP_NO_SSLv3
* ssl.OP_NO_TLSv1
* ssl.OP_NO_TLSv1_1
* ssl.OP_NO_TLSv1_2
Change by Christian Heimes :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Christian Heimes added the comment:
Workaround has been added to upcoming 3.8 to 3.10 releases. Older versions will
get fixed by next OpenSSL update.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
type: -&
Change by Christian Heimes :
--
pull_requests: +24182
pull_request: https://github.com/python/cpython/pull/25453
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code. Python wrappers are no-op.
- ECDH is alw
Christian Heimes added the comment:
New changeset 39258d3595300bc7b952854c915f63ae2d4b9c3e by Christian Heimes in
branch 'master':
bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)
https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e
Christian Heimes added the comment:
New changeset f77ca86f75d5ad9b52e5f3cd19c0024b204b168c by Christian Heimes in
branch '3.8':
[3.8] bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)
(GH-25452)
https://github.com/python/cpython/commit/f77ca86f75d5ad9b52e5f3cd19c0024b204b168c
Christian Heimes added the comment:
New changeset cdf02879790b8e52456df6e9d58fb8c0842fc359 by Christian Heimes in
branch '3.9':
[3.9] bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)
(GH-25451)
https://github.com/python/cpython/commit/cdf02879790b8e52456df6e9d58fb8c0842fc359
Change by Christian Heimes :
--
pull_requests: +24180
pull_request: https://github.com/python/cpython/pull/25451
___
Python tracker
<https://bugs.python.org/issue43
Change by Christian Heimes :
--
pull_requests: +24181
pull_request: https://github.com/python/cpython/pull/25452
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
New changeset b467d9a24011992242c95d9157d3455f8a84466b by Christian Heimes in
branch 'master':
bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)
https://github.com/python/cpython/commit/b467d9a24011992242c95d9157d3455f8a84466b
Christian Heimes added the comment:
It would help us if you or Michael could provide a minimal reproducer of the
crash in form of a unit test and submit it as pull request.
--
nosy: +christian.heimes
versions: +Python 3.10
___
Python tracker
Change by Christian Heimes :
--
nosy: +mark.dickinson
___
Python tracker
<https://bugs.python.org/issue43830>
Christian Heimes added the comment:
The new checks are only executed when one or more OpenSSL-related files are
modified. The checks run a handful of networking and hashing test suites. All
SSL checks are optional. This PR also introduces ccache to speed up
compilation. In common cases
Change by Christian Heimes :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Christian Heimes added the comment:
New changeset b71aaa0df0f3a9640b034b4774651cd8c54d2fb9 by Christian Heimes in
branch '3.8':
[3.8] bpo-43799: OpenSSL 3.0.0: declare OPENSSL_API_COMPAT 1.1.1 (GH-25329)
(GH-25383)
https://github.com/python/cpython/commit
Change by Christian Heimes :
--
dependencies: +OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1, Run GHA CI with
multiple OpenSSL versions
___
Python tracker
<https://bugs.python.org/issue38
Change by Christian Heimes :
--
pull_requests: +24115
pull_request: https://github.com/python/cpython/pull/25383
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
New changeset a4833883c9b81b6b272cc7c5b67fa1658b65304c by Christian Heimes in
branch 'master':
bpo-43799: OpenSSL 3.0.0: declare OPENSSL_API_COMPAT 1.1.1 (GH-25329)
https://github.com/python/cpython/commit/a4833883c9b81b6b272cc7c5b67fa1658b65304c
Christian Heimes added the comment:
> Usually, warnings are not treated as errors. Thanks for fixing test_asyncio!
Tests should treat any unhandled deprecation warnings as a test failure.
--
___
Python tracker
<https://bugs.python.org/issu
Christian Heimes added the comment:
OpenSSL 1.0.2, 1.1.0, 1.1.1 and 3.0.0 behave slightly differently. For example
I'm still getting a warning with 1.1.0. Only 3.0.0 supports
OPENSSL_NO_DEPRECATED.
After multiple failed attempts I decided to set the API level to 1.1.1 and
define the three
Christian Heimes added the comment:
New changeset 95bbb331ecb3ef5d05859d90b287cc3d27613c86 by Christian Heimes in
branch 'master':
bpo-43723: Fix deprecation error caused by thread.setDaemon() (GH-25361)
https://github.com/python/cpython/commit/95bbb331ecb3ef5d05859d90b287cc3d27613c86
Change by Christian Heimes :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Christian Heimes added the comment:
The commit broke my PR https://github.com/python/cpython/pull/25329. You missed
a call in asyncio tests.
--
___
Python tracker
<https://bugs.python.org/issue43
Change by Christian Heimes :
--
nosy: +christian.heimes
nosy_count: 5.0 -> 6.0
pull_requests: +24095
pull_request: https://github.com/python/cpython/pull/25361
___
Python tracker
<https://bugs.python.org/issu
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +24094
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25360
___
Python tracker
<https://bugs.python.org/issu
Christian Heimes added the comment:
New changeset 3447750073aff229b049e4ccd6217db2811dcfd1 by Christian Heimes in
branch 'master':
bpo-41561: Fix testing with OpenSSL 1.0.2 (GH-25355)
https://github.com/python/cpython/commit/3447750073aff229b049e4ccd6217db2811dcfd1
Christian Heimes added the comment:
GitHub selects required actions based on the "name" attribute of a job.
Therefore I decided to keep the default "Ubuntu" job and moved the additional
OpenSSL tests to another job.
For future reference, my first approach was:
strat
New submission from Christian Heimes :
CI only tests one OpenSSL version, but Python supports multiple versions of
OpenSSL. OpenSSL 1.0.2, 1.1.0, 1.1.1, and 3.0.0 have different APIs and behave
differently. We should run minimal tests with all major OpenSSL versions to
ensure that Python
Change by Christian Heimes :
--
pull_requests: +24090
pull_request: https://github.com/python/cpython/pull/25355
___
Python tracker
<https://bugs.python.org/issue41
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +24062
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25329
___
Python tracker
<https://bugs.python.org/issu
New submission from Christian Heimes :
OpenSSL 1.1 introduced the macro OPENSSL_API_COMPAT to select which APIs are
exposed and which deprecation warnings are shown.
https://www.openssl.org/docs/manmaster/man7/OPENSSL_API_COMPAT.html
"#define OPENSSL_API_COMPAT 0x10101000L"
Christian Heimes added the comment:
New changeset 2d7fdc90731e132f9d6b43852ee112f25831394b by Christian Heimes in
branch 'master':
bpo-38820: OpenSSL 3.0.0: Use supported hashing algos in doc test (GH-25319)
https://github.com/python/cpython/commit/2d7fdc90731e132f9d6b43852ee112f25831394b
Change by Christian Heimes :
--
pull_requests: +24054
pull_request: https://github.com/python/cpython/pull/25319
___
Python tracker
<https://bugs.python.org/issue38
Change by Christian Heimes :
--
pull_requests: +24051
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25316
___
Python tracker
<https://bugs.python.org/issu
Christian Heimes added the comment:
BPO is just for CPython bugs. Packaging and PyPI are handled by different teams
and trackers. Please use https://github.com/pypa/pypi-support
--
nosy: +christian.heimes
___
Python tracker
<ht
Christian Heimes added the comment:
Do you want to work on a feature for 3.10? Feature freeze is in less than 4
weeks.
--
components: +Library (Lib) -Extension Modules
stage: -> needs patch
___
Python tracker
<https://bugs.python.org/issu
Christian Heimes added the comment:
Miro,
I have pushed several fixes for OpenSSL 3.0.0
* bpo-43788 addresses wrong library and error reason codes (e.g. KRB5_S_TKT_NYV)
* bpo-43789 fixes an issue with exception state in password callbacks
(_PyEval_EvalFrameDefault returned a result
Christian Heimes added the comment:
New changeset 70f2ca7ea46ac15d05c7b422a10b18aa3fe4a140 by Christian Heimes in
branch '3.8':
[3.8] bpo-43788: Generate version specific _ssl_data.h (GH-25300) (GH-25311)
https://github.com/python/cpython/commit/70f2ca7ea46ac15d05c7b422a10b18aa3fe4a140
Christian Heimes added the comment:
New changeset 299ae9c7a2a169d54921815b9bb41a8f9277a3aa by Christian Heimes in
branch '3.9':
[3.9] bpo-43788: Generate version specific _ssl_data.h (GH-25300) (GH-25310)
https://github.com/python/cpython/commit/299ae9c7a2a169d54921815b9bb41a8f9277a3aa
Christian Heimes added the comment:
New changeset 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372 by Christian Heimes in
branch 'master':
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
https://github.com/python/cpython/commit/6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372
Change by Christian Heimes :
--
dependencies: +OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap
SSL_OP_IGNORE_UNEXPECTED_EOF, OpenSSL 3.0.0: Make ssl_data.h version specific
___
Python tracker
<https://bugs.python.org/issue38
Change by Christian Heimes :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
title: Make ssl_data.h version specific -> OpenSSL 3.0.0: Make ssl_data.h
version specific
___
Python tracker
<https://
Change by Christian Heimes :
--
pull_requests: +24046
pull_request: https://github.com/python/cpython/pull/25311
___
Python tracker
<https://bugs.python.org/issue43
Change by Christian Heimes :
--
pull_requests: +24045
pull_request: https://github.com/python/cpython/pull/25310
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
I'm keeping the bug open as a reminder to investigate the change of behavior
more carefully.
--
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
New changeset a28398e9c60848fc291c83dac44e5212694fb0b2 by Miss Islington (bot)
in branch '3.8':
[3.8] bpo-43789: OpenSSL 3.0.0 Don't call passwd callback again in error case
(GH-25303) (GH-25306)
https://github.com/python/cpython/commit
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +24044
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25309
___
Python tracker
<https://bugs.python.org/issu
New submission from Christian Heimes :
OpenSSL 3.0.0's state machine handles unexpected EOFs more strictly and requires
peers to properly shut down connections. The old OpenSSL 1.1.1 behavior can be
restored with SSL_OP_IGNORE_UNEXPECTED_EOF.
I propose to add the option by default until Python's
Christian Heimes added the comment:
https://github.com/python/cpython/pull/25304 is the merged PR to master.
--
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
New changeset 5151d642004c59cce58d669be85d9a5e987f51d3 by Christian Heimes in
branch 'master':
bpo-4379: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304)
https://github.com/python/cpython/commit/5151d642004c59cce58d669be85d9a5e987f51d3
Change by Christian Heimes :
--
dependencies: +OpenSSL 3.0.0: TLS 1.0 / 1.1 connections fail with
TLSV1_ALERT_INTERNAL_ERROR, OpenSSL 3.0.0: password callback called multiple
times
versions: -Python 3.7
___
Python tracker
<ht
Christian Heimes added the comment:
New changeset d3b73f32ef7c693a6ae8c54eb0e62df3b5315caf by Christian Heimes in
branch 'master':
bpo-43789: OpenSSL 3.0.0 Don't call passwd callback again in error case
(GH-25303)
https://github.com/python/cpython/commit
Change by Christian Heimes :
--
nosy: +christian.heimes
nosy_count: 5.0 -> 6.0
pull_requests: +24036
pull_request: https://github.com/python/cpython/pull/25304
___
Python tracker
<https://bugs.python.org/iss
New submission from Christian Heimes :
With OpenSSL 3.0.0-alpha14 several tests for TLS 1.0 and 1.1 connections are
failing handshake with "[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal
error". OpenSSL is configured with default security level "1". Tes
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +24035
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25303
___
Python tracker
<https://bugs.python.org/issu
New submission from Christian Heimes :
OpenSSL 3.0.0 seems to invoke the password callback multiple times under some
circumstances. This triggers a fatal error in Python when the first invocation
sets an exception.
test_load_cert_chain (test.test_ssl.ContextTests) ... Fatal Python error
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +24032
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25300
___
Python tracker
<https://bugs.python.org/issu
New submission from Christian Heimes :
_ssl_data.h contains static tables with OpenSSL error names and reasons. The
tables are created by scraping header files. The current approach has two
issues:
- error codes are version dependent. OpenSSL 1.1.1 uses different codes and has
a different
Christian Heimes added the comment:
Do we need separate jobs and ABI dumps for each platform and arch? I guess we
need at least separate dumps for 32 and 64bit.
--
nosy: +christian.heimes
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
Uh :(
No more holiday releases, please. The RMs and release team need their vacation.
--
nosy: +christian.heimes
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
The crash occurs inside glibc's dgettext() implementation. Its man page does
not list any limitation for domain or msgid length. This looks like a bug in
glibc.
#0 0x77c57a8f in __dcigettext () from /lib64/libc.so.6
#1 0x0058a235
Christian Heimes added the comment:
The issue has been waiting for contributions for 8 years now. So far nobody has
shown an interest in addressing the problem and contributing an IDNA 2008 codec to
Python's standard library.
--
___
Python tracker
Christian Heimes added the comment:
Lukas,
no, some guy called Bill approached me at our last Illuminati meeting in Hollow
Earth. He asked me to implement static linking for his next-gen secret brain
chip. In exchange for the favor I was allowed to ride his T-Rex. True story!
Thanks
Christian Heimes added the comment:
CI, macOS and Windows infrastructure have been updated.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Change by Christian Heimes :
--
priority: critical -> high
type: security -> enhancement
versions: +Python 3.10 -Python 3.8, Python 3.9
___
Python tracker
<https://bugs.python.org/i
Change by Christian Heimes :
--
priority: high -> normal
type: security -> enhancement
versions: +Python 3.10 -Python 2.7, Python 3.7
___
Python tracker
<https://bugs.python.org/i
Change by Christian Heimes :
--
nosy: +lukasz.langa
priority: critical -> release blocker
___
Python tracker
<https://bugs.python.org/issue36384>
Change by Christian Heimes :
--
nosy: +christian.heimes, lukasz.langa, ned.deily
priority: normal -> release blocker
___
Python tracker
<https://bugs.python.org/issu
Change by Christian Heimes :
--
nosy: +christian.heimes, lukasz.langa, ned.deily
priority: normal -> release blocker
___
Python tracker
<https://bugs.python.org/issu
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +23844
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/25099
___
Python tracker
<https://bugs.python.org/issu
Christian Heimes added the comment:
Serhiy was right, this is a security issue.
The patch should not have landed in 3.8. At a bare minimum the patch should
have been postponed until documentation was updated. Since 3.8 the ipaddress
does not behave as documented. A similar security issue
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +23842
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/23014
___
Python tracker
<https://bugs.python.org/issu
New submission from Christian Heimes :
Tracker ticket for PEP 644, https://www.python.org/dev/peps/pep-0644/
This PEP proposes for CPython’s standard library to support only OpenSSL 1.1.1
LTS or newer. Support for OpenSSL versions past end-of-lifetime, incompatible
forks, and other TLS
Change by Christian Heimes :
--
pull_requests: +23835
pull_request: https://github.com/python/cpython/pull/25089
___
Python tracker
<https://bugs.python.org/issue43
Change by Christian Heimes :
--
pull_requests: +23834
pull_request: https://github.com/python/cpython/pull/25088
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
Thanks!
All tests are passing, but macOS is still using OpenSSL 1.1.1j.
--
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
Thanks!
My mail
https://mail.python.org/archives/list/python-...@python.org/thread/2GULUR43MNEW3IJM44LS5ZY2TOUANPNT/
contains a first analysis of the CVEs. I'm pretty sure any server application
with server-side TLS socket is vulnerable to CVE-2021-3449
Christian Heimes added the comment:
I introduced several build improvements for better support of custom OpenSSL
builds in bpo-43466. The issue mentions a new, undocumented, and unsupported
hack to create shared extension modules with statically linked OpenSSL. The
Modules/Setup.local
Christian Heimes added the comment:
There are now multiple ways to build Python with a custom OpenSSL build on
Linux and BSD-like platforms:
1) Tools/ssl/multissltest.py
2) ./configure --with-openssl=/path/to/openssl --with-openssl-rpath=auto
3) undocumented hack from commit
Christian Heimes added the comment:
Excellent investigation!
IDLE automatically picked DejaVu Sans Mono as default font. I also have several
fonts for e.g. Unicode symbols and emojis installed. Noto Sans Mono CJK fonts
are working fine, too. However when I select the Noto Emoji font
Christian Heimes added the comment:
I cannot reproduce the issue on Fedora 33 with KDE 5 and libX11-1.6.12:
Python 3.9.2 (default, Feb 20 2021, 00:00:00)
[GCC 10.2.1 20201125 (Red Hat 10.2.1-9)] on linux
Type "help", "copyright", "credits" or "license()
Christian Heimes added the comment:
Thanks for the bug report! I ran into the issue a couple of weeks ago on one
machine that had autoconf but not the archive package installed.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Py
Christian Heimes added the comment:
New changeset e516290976626cf8535b88a14b1b34e37f88a78a by Christian Heimes in
branch '3.8':
[3.8] bpo-43617: Check autoconf-archive package in configure.ac (GH-25016)
(GH-25035)
https://github.com/python/cpython/commit
Christian Heimes added the comment:
New changeset 064bc07f241dceec2fc577cbf5c31fa6d63fe320 by Christian Heimes in
branch '3.9':
[3.9] bpo-43617: Check autoconf-archive package in configure.ac (GH-25016)
(GH-25034)
https://github.com/python/cpython/commit
Christian Heimes added the comment:
Please open a new bug and include a reference to this issue.
--
nosy: +christian.heimes
___
Python tracker
<https://bugs.python.org/issue38
Change by Christian Heimes :
--
pull_requests: +23783
pull_request: https://github.com/python/cpython/pull/25035
___
Python tracker
<https://bugs.python.org/issue43
Change by Christian Heimes :
--
pull_requests: +23782
pull_request: https://github.com/python/cpython/pull/25034
___
Python tracker
<https://bugs.python.org/issue43
Christian Heimes added the comment:
New changeset 5d6e8c1c1a5f667cdce99cb3c563ac922198678d by Christian Heimes in
branch 'master':
bpo-43617: Check autoconf-archive package in configure.ac (GH-25016)
https://github.com/python/cpython/commit/5d6e8c1c1a5f667cdce99cb3c563ac922198678d
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +23774
pull_request: https://github.com/python/cpython/pull/25024
___
Python tracker
<https://bugs.python.org/issue43
New submission from Christian Heimes :
OpenSSL 1.1.1k contains fixes for two high severity CVEs
https://www.openssl.org/news/vulnerabilities.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449
--
assignee
Change by Christian Heimes :
--
resolution: fixed ->
stage: resolved -> needs patch
status: closed -> open
type: -> behavior
___
Python tracker
<https://bugs.python