From 89c354c941a8f424b5cb986625eb5b612901c586 Mon Sep 17 00:00:00 2001
From: Chris Burr
Date: Wed, 15 Jan 2020 11:16:27 +0100
Subject: [PATCH 1/2] bpo-39342: Expose X509_V_FLAG_ALLOW_PROXY_CERTS as ssl.VERIFY_ALLOW_PROXY_CERTS

---
 Doc/library/ssl.rst | 7 +++++++
 Lib/test/test_ssl.py | 2 ++
 .../next/Library/2020-01-15-11-15-35.bpo-39342.S8PuJO.rst | 4 ++++
 Modules/_ssl.c | 2 ++
 4 files changed, 15 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2020-01-15-11-15-35.bpo-39342.S8PuJO.rst

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 1cfd165202d0ef..0259f86a1febe0 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -634,6 +634,13 @@ Constants
 
 .. versionadded:: 3.4
 
+.. data:: VERIFY_ALLOW_PROXY_CERTS
+
+ Possible value for :attr:`SSLContext.verify_flags` to enables proxy
+ certificate verification.
+
+ .. versionadded:: 3.9
+
 .. data:: VERIFY_X509_TRUSTED_FIRST
 
 Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 67850c34e00c20..1710dda4389a04 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1305,6 +1305,8 @@ def test_verify_flags(self):
 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
 ctx.verify_flags = ssl.VERIFY_DEFAULT
 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
+ ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
+ self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
 # supports any value
 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
 self.assertEqual(ctx.verify_flags,
diff --git a/Misc/NEWS.d/next/Library/2020-01-15-11-15-35.bpo-39342.S8PuJO.rst b/Misc/NEWS.d/next/Library/2020-01-15-11-15-35.bpo-39342.S8PuJO.rst
new file mode 100644
index 00000000000000..6eb83a95b5e2c0
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-01-15-11-15-35.bpo-39342.S8PuJO.rst
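Review bot: The two lines added to test_verify_flags in Lib/test/test_ssl.py only round-trip the new constant through `ctx.verify_flags`; nothing in the hunk pins that the flag stays off unless a caller sets it, which matters because it relaxes chain validation to accept proxy certificates. If the part of the test outside this hunk does not already assert the default flag set, I would add `self.assertFalse(ssl.create_default_context().verify_flags & ssl.VERIFY_ALLOW_PROXY_CERTS)`. The flag is also never combined with another one here; the `# supports any value` block that follows would be the natural place for that. The function starts before the hunk and continues past it.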
@@ -0,0 +1,4 @@
+Expose ``X509_V_FLAG_ALLOW_PROXY_CERTS`` as
+:data:`~ssl.VERIFY_ALLOW_PROXY_CERTS` to allow proxy certificate validation
+as explained in
+https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 96d2796fcfad48..bea144cd9f9563 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -6181,6 +6181,8 @@ sslmodule_init_constants(PyObject *m)
 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
 X509_V_FLAG_X509_STRICT);
+ PyModule_AddIntConstant(m, "VERIFY_ALLOW_PROXY_CERTS",
+ X509_V_FLAG_ALLOW_PROXY_CERTS);
 #ifdef X509_V_FLAG_TRUSTED_FIRST
 PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
 X509_V_FLAG_TRUSTED_FIRST);

From 065c1ccdb87fbc3016cf3af9378748f435518e9b Mon Sep 17 00:00:00 2001
From: Chris Burr
Date: Wed, 9 Dec 2020 15:06:31 +0100
Subject: [PATCH 2/2] bpo-39342: Update added in version to 3.10

---
 Doc/library/ssl.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 0259f86a1febe0..1adac843f4eec9 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -639,7 +639,7 @@ Constants
 Possible value for :attr:`SSLContext.verify_flags` to enables proxy
 certificate verification.
 
- .. versionadded:: 3.9
+ .. versionadded:: 3.10
 
 .. data:: VERIFY_X509_TRUSTED_FIRST
 
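Review bot: `VERIFY_ALLOW_PROXY_CERTS` is registered unconditionally in sslmodule_init_constants (Modules/_ssl.c), while the `VERIFY_X509_TRUSTED_FIRST` entry directly below it sits under `#ifdef X509_V_FLAG_TRUSTED_FIRST`. If any TLS library this module is still built against lacks `X509_V_FLAG_ALLOW_PROXY_CERTS`, the build breaks; wrapping the two added lines in `#ifdef X509_V_FLAG_ALLOW_PROXY_CERTS` / `#endif` would match the neighbouring pattern, and the new test assertion would then need a `hasattr` guard. I would also put a short comment above the call, e.g. `/* Opt-in only: accepts RFC 3820 proxy certificates issued by an end-entity cert */`, so the constant is not later folded into a default flag set. The function body starts and ends outside the hunk.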