[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Change by STINNER Victor : -- pull_requests: +12619 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Change by STINNER Victor : -- pull_requests: +12202 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Roundup Robot added the comment: New changeset d92f26a53b70 by Christian Heimes in branch 'default': Issue #26470: Use short name rather than name for compression name to fix #27958. https://hg.python.org/cpython/rev/d92f26a53b70 -- ___ Python

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Roundup Robot added the comment: New changeset 5566732c8ac5 by Christian Heimes in branch '3.5': Issue #26470: Use short name rather than name for compression name to fix #27958. https://hg.python.org/cpython/rev/5566732c8ac5 New changeset 2593ed9a6a62 by Christian Heimes in branch '2.7':

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Roundup Robot added the comment: New changeset 5c75b315152b by Christian Heimes in branch '3.5': Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. https://hg.python.org/cpython/rev/5c75b315152b New changeset bc5ba11973f5 by Christian Heimes in branch 'default': Issue #26470: Port ssl

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: http://bugs.python.org/file44360/Port-Python-s-SSL-module-to-OpenSSL-1.1.0-5.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Antoine, I have reconsidered your idea. Let's make the default value PROTOCOL_TLS in 3.6 and deprecated the other protocol methods. We can remove them in 3.8 or 3.9. I'll push another patch later today. -- ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Bernard Spil added the comment: Sorry for the noise Christian, I thought the former EGD handling was still in place. That was fixed with https://github.com/python/cpython/commit/968ec1d29b44ca7a600df5984adff00a78392368 on 07 Jul 2016 -- ___ Python

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Yes, I plan to change this for Python 3.7 along with #27876. -- ___ Python tracker ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Bernard, where do you see HAVE_RAND_EGD in my patch or in any recent version of _ssl.c? There is no reference to HAVE_RAND_EGD. The patches use OPENSSL_NO_EGD. -- ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Bernard Spil added the comment: Hi Christian, Great stuff! Please can you replace the HAVE_RAND_EGD ifdefs into OPENSSL_NO_EGD checks? Then the RAND_egd checks in configure.ac can also be removed. This was introduced by OpenSSL in

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Antoine Pitrou added the comment: Christian, thanks a lot for doing this! Do you plan to change the SSLContext constructor and make the protocol argument optional? It sounds like that would be a logical followup to the OpenSSL API changes. -- ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: http://bugs.python.org/file44297/Port-Python-s-SSL-module-to-OpenSSL-1.1.0-4.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: http://bugs.python.org/file44296/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0-4.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Awesome! I have removed the surplus functions, made the other additional functions static and fixed minor test issue with LibreSSL and OpenSSL < 1.0.1. My branches on github compile and pass all tests with OpenSSL "0.9.8zc", "0.9.8zh", "1.0.1t", "1.0.2",

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Zachary Ware added the comment: Looks like that took care of it, build succeeded with no new warnings, and test.ssltests passed. -- ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Hi Zachary, you have found a bug in my patch. I mistakenly defined SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata() for OpenSSL < 1.1.0. Both functions already exist. Only the getters are missing for < 1.1.0. Please remove both

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Zachary Ware added the comment: This will require significant updates to PCbuild/prepare_ssl.py and/or the way we build OpenSSL on Windows before we can even properly test this on Windows. I don't think that should hold up acceptance of the rest of the patch (provided 1.0.2 support remains

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Thanks Alex, I ported the Python and C code to 2.7 but forgot to address doc updates. You can find an updated patch on github: https://github.com/python/cpython/compare/2.7...tiran:feature/openssl110_27 I'll submit a new patch after your review. Chi Hsuan

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Alex Gaynor added the comment: - The 2.7 patch contains numerous references to 3.6, these should be rewritten to 2.7.x - -- ___ Python tracker ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Chi Hsuan Yen added the comment: There are still quite a few references to `PROTOCOL_SSLv23` in Doc/library/ssl.rst. Should they be updated as well? -- ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: https://bugs.python.org/file44232/Port-Python-s-SSL-module-to-OpenSSL-1.1.0-3.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Removed file: https://bugs.python.org/file44038/Port-Python-s-SSL-module-to-OpenSSL-1.1.0.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Removed file: https://bugs.python.org/file44230/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0-3.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Removed file: https://bugs.python.org/file44048/Port-Python-s-SSL-module-to-OpenSSL-1.1.0-2.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Removed file: https://bugs.python.org/file44037/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Removed file: https://bugs.python.org/file44229/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0-3.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: https://bugs.python.org/file44230/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0-3.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: https://bugs.python.org/file44231/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0-3.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: https://bugs.python.org/file44229/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0-3.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: OpenSSL 1.1.0 final was released a couple of hours ago. One test is failing because it uses 3DES. 1.1.0 has 3DES disabled by default. -- ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Chi Hsuan Yen : -- nosy: +Chi Hsuan Yen ___ Python tracker ___ ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Stéphane, I have addressed your code review. def __new__() no longer hard-codes protocol. We can change that in a later version of Python. OpenSSL has deprecated all SSL methods except of the generic TLS method. The TLS method was formerly known as SSLv23

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Stéphane Wirtel added the comment: Hi Christian, I have reviewed your patch, seems to be fine for me. -- nosy: +matrixise ___ Python tracker ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: http://bugs.python.org/file44038/Port-Python-s-SSL-module-to-OpenSSL-1.1.0.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Added file: http://bugs.python.org/file44037/Port-Python-2.7-s-SSL-module-to-OpenSSL-1.1.0.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Removed file: http://bugs.python.org/file42526/0001-Port-Python-s-SSL-module-to-OpenSSL-1.1.0-WIP.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Bernard Spil added the comment: Can you please replace the HAVE_RAND_EGD bits with OPENSSL_NO_EGD as defined by both OpenSSL 1.1 and LibreSSL? EGD default disabled https://github.com/openssl/openssl/blob/master/Configure#L363 EGD methods not available

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : -- assignee: christian.heimes -> ___ Python tracker ___ ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: PS: The patch depends on https://github.com/openssl/openssl/pull/979 -- ___ Python tracker ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Christian Heimes : Removed file: http://bugs.python.org/file42184/0001-Port-Python-s-SSL-module-to-OpenSSL-1.1.0-WIP.patch ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: The patch makes Python compatible with OpenSSL 1.1.0-pre6-dev from git. The ssl and hashlib module are also compatible with OpenSSL 0.9.8zh, 1.0.1s, 1.0.2g as well as LibreSSL 2.3.3. -- Added file:

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Bernard Spil added the comment: Checking version numbers to see if a feature is available is a bad practice. How can features ever be removed this way! Would be better to check for the feature itself (using autoconf). The patch was mostly OK but any check for OPENSSL_VERSION_NUMBER for now

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Bernard Spil added the comment: Testing this patch on HardenedBSD/LibreSSL (base SSL libs replaced with LibreSSL) -- nosy: +spil ___ Python tracker ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Christian Heimes added the comment: Here is a first working patch. It requires 1.1.0-pre4. The failing ALPN test is caused by a regression in OpenSSL. -- keywords: +patch stage: needs patch -> patch review versions: +Python 3.6 Added file:

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by STINNER Victor : -- nosy: -haypo ___ Python tracker ___ ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by STINNER Victor : -- nosy: +haypo ___ Python tracker ___ ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Steven.Painter : -- nosy: +smpeepers ___ Python tracker ___ ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Michael Felt added the comment: Since you are looking, maybe look at whether it is also libreSSL compatible? -- nosy: +Michael.Felt ___ Python tracker

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

Changes by Zachary Ware : -- nosy: +zach.ware ___ Python tracker ___ ___

[issue26470] Make OpenSSL module compatible with OpenSSL 1.1.0

New submission from Christian Heimes: OpenSSL 1.1.0 is changing a lot of internals. Most structs are opaque, RC4 and SSLv2 are gone. I've a rough patch in my private repos. I'll submit the patch as soon as the code is compatible with OpenSSL 1.0.2, too.