[Python-checkins] bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
miss-islington
webhook-mailer at python.org
Fri Apr 9 12:21:14 EDT 2021
https://github.com/python/cpython/commit/e18ebd9ec546a3647a57c282735350f60a26d66d
commit: e18ebd9ec546a3647a57c282735350f60a26d66d
branch: 3.8
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: miss-islington <31488909+miss-islington at users.noreply.github.com>
date: 2021-04-09T09:21:06-07:00
summary:
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
Signed-off-by: Christian Heimes <christian at python.org>
(cherry picked from commit 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372)
Co-authored-by: Christian Heimes <christian at python.org>
files:
A Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
M Doc/library/ssl.rst
M Lib/test/test_ssl.py
M Modules/_ssl.c
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 24b46ca1c7dc1..12cd747c6ea9b 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -886,6 +886,14 @@ Constants
.. versionadded:: 3.6
+.. data:: OP_IGNORE_UNEXPECTED_EOF
+
+ Ignore unexpected shutdown of TLS connections.
+
+ This option is only available with OpenSSL 3.0.0 and later.
+
+ .. versionadded:: 3.10
+
.. data:: HAS_ALPN
Whether the OpenSSL library has built-in support for the *Application-Layer
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 292794c69b5a0..75ba8a9489bed 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -143,6 +143,7 @@ def data_file(*name):
OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
# Ubuntu has patched OpenSSL and changed behavior of security level 2
# see https://bugs.python.org/issue41561#msg389003
@@ -1161,7 +1162,8 @@ def test_options(self):
# SSLContext also enables these by default
default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
- OP_ENABLE_MIDDLEBOX_COMPAT)
+ OP_ENABLE_MIDDLEBOX_COMPAT |
+ OP_IGNORE_UNEXPECTED_EOF)
self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
diff --git a/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst b/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
new file mode 100644
index 0000000000000..64894bdc017e5
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
@@ -0,0 +1 @@
+Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 58d9f86489c4c..bb6cf63ee7fab 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -3214,6 +3214,10 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
#endif
#ifdef SSL_OP_SINGLE_ECDH_USE
options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ /* Make OpenSSL 3.0.0 behave like 1.1.1 */
+ options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
#endif
SSL_CTX_set_options(self->ctx, options);
@@ -6273,6 +6277,10 @@ PyInit__ssl(void)
PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION",
SSL_OP_NO_RENEGOTIATION);
#endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
+ SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",
More information about the Python-checkins
mailing list