[issue13627] Python SSL stack doesn't support Elliptic Curve ciphers

Vinay Sajip report at bugs.python.org
Sat Feb 18 01:45:29 CET 2012


Vinay Sajip <vinay_sajip at yahoo.co.uk> added the comment:

Almost there. The file now compiles, but a failure occurs in a later step due to compression functionality being unavailable:

building '_ssl' extension
gcc -fno-strict-aliasing -fno-common -dynamic -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -IInclude -I. -I./Include -I/Users/vinay/projects/pythonv -c /Users/vinay/projects/pythonv/Modules/_ssl.c -o build/temp.macosx-10.5-i386-3.3/Users/vinay/projects/pythonv/Modules/_ssl.o
/Users/vinay/projects/pythonv/Modules/_ssl.c: In function ‘_get_peer_alt_names’:
/Users/vinay/projects/pythonv/Modules/_ssl.c:645: warning: passing argument 2 of ‘ASN1_item_d2i’ from incompatible pointer type
/Users/vinay/projects/pythonv/Modules/_ssl.c:650: warning: passing argument 2 of ‘method->d2i’ from incompatible pointer type
/Users/vinay/projects/pythonv/Modules/_ssl.c: In function ‘PySSL_compression’:
/Users/vinay/projects/pythonv/Modules/_ssl.c:1022: warning: implicit declaration of function ‘SSL_get_current_compression’
/Users/vinay/projects/pythonv/Modules/_ssl.c:1022: warning: assignment makes pointer from integer without a cast
gcc -bundle -undefined dynamic_lookup build/temp.macosx-10.5-i386-3.3/Users/vinay/projects/pythonv/Modules/_ssl.o -L/usr/local/lib -lssl -lcrypto -o build/lib.macosx-10.5-i386-3.3/_ssl.so
*** WARNING: renaming "_ssl" since importing it failed: dlopen(build/lib.macosx-10.5-i386-3.3/_ssl.so, 2): Symbol not found: _SSL_get_current_compression
  Referenced from: /Users/vinay/projects/pythonv/build/lib.macosx-10.5-i386-3.3/_ssl.so
  Expected in: dynamic lookup

Failed to build these modules:
_ssl                                                  

It looks as if OPENSSL_NO_COMP needs to be defined in _ssl.c if the OpenSSL version is too old and not already defined. With this change:

#if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_COMP)
# define OPENSSL_NO_COMP
#endif

the ssl library builds without errors. However, test_ssl fails because it still expects OP_SINGLE_ECDH_USE to be defined. With this change in test_constants:

        if ssl.HAS_ECDH:
            ssl.OP_SINGLE_ECDH_USE

all tests pass.

I notice that the test there for OP_NO_COMPRESSION is version-based rather than capability-based, and it might be a good idea to change this too.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13627>
_______________________________________
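
The capability-based check suggested in the message, as an added Python example (not code from the tracker or from CPython's test suite): each optional constant is gated on what the `ssl` build actually exposes (the attribute itself, and `HAS_ECDH` for `OP_SINGLE_ECDH_USE`) rather than on the OpenSSL version number. `OPTIONAL_OPTIONS`, `available_options` and `harden` are names made up for this example.

```python
import ssl

# Optional OP_* flags named in the message above, paired with the capability
# flag that gates them (None means "presence of the attribute is the test").
# This table is an assumption of the example, not a list taken from CPython.
OPTIONAL_OPTIONS = [
    ("OP_NO_COMPRESSION", None),
    ("OP_SINGLE_ECDH_USE", "HAS_ECDH"),
]


def available_options(mod=ssl):
    """Return {name: value} for the optional flags this ssl build exposes.

    No OPENSSL_VERSION_NUMBER comparison is made: a build can lack a feature
    (e.g. compiled with OPENSSL_NO_COMP) regardless of its version.
    """
    found = {}
    for name, gate in OPTIONAL_OPTIONS:
        # Skip flags whose capability switch is missing or False.
        if gate is not None and not getattr(mod, gate, False):
            continue
        value = getattr(mod, name, None)
        if value is not None:
            found[name] = value
    return found


def harden(ctx, mod=ssl):
    """OR every available optional flag into ctx.options.

    Returns (applied, skipped) so the caller can log what the build could
    not provide instead of failing with AttributeError.
    """
    opts = available_options(mod)
    for value in opts.values():
        ctx.options |= value
    skipped = [name for name, _ in OPTIONAL_OPTIONS if name not in opts]
    return sorted(opts), skipped


if __name__ == "__main__":
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    applied, skipped = harden(context)
    print("applied:", applied, "skipped:", skipped)
```
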

