Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gh-89051: Add ssl.OP_LEGACY_SERVER_CONNECT #93927

Merged
merged 6 commits into from
Dec 20, 2022
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions Doc/library/ssl.rst
Original file line number Diff line number Diff line change
Expand Up @@ -839,6 +839,13 @@ Constants

.. versionadded:: 3.10

.. data:: OP_LEGACY_SERVER_CONNECT

Allow legacy insecure renegotiation between OpenSSL and unpatched servers
only.

.. versionadded:: 3.12

.. data:: HAS_ALPN

Whether the OpenSSL library has built-in support for the *Application-Layer
Expand Down
16 changes: 16 additions & 0 deletions Lib/test/test_ssl.py
Original file line number Diff line number Diff line change
Expand Up @@ -1463,6 +1463,8 @@ def _assert_context_options(self, ctx):
if OP_CIPHER_SERVER_PREFERENCE != 0:
self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
OP_CIPHER_SERVER_PREFERENCE)
self.assertEqual(ctx.options & ssl.OP_LEGACY_SERVER_CONNECT,
0 if IS_OPENSSL_3_0_0 else ssl.OP_LEGACY_SERVER_CONNECT)

def test_create_default_context(self):
ctx = ssl.create_default_context()
Expand Down Expand Up @@ -3817,6 +3819,20 @@ def test_compression_disabled(self):
sni_name=hostname)
self.assertIs(stats['compression'], None)

def test_legacy_server_connect(self):
client_context, server_context, hostname = testing_context()
client_context.options |= ssl.OP_LEGACY_SERVER_CONNECT
server_params_test(client_context, server_context,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a mechanism for creating a bad TLS server that doesn't support secure renegotiation indication?

chatty=True, connectionchatty=True,
sni_name=hostname)

def test_no_legacy_server_connect(self):
client_context, server_context, hostname = testing_context()
client_context.options &= ~ssl.OP_LEGACY_SERVER_CONNECT
server_params_test(client_context, server_context,
chatty=True, connectionchatty=True,
sni_name=hostname)

@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_dh_params(self):
# Check we can get a connection with ephemeral Diffie-Hellman
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add :data:`ssl.OP_LEGACY_SERVER_CONNECT`
2 changes: 2 additions & 0 deletions Modules/_ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -5862,6 +5862,8 @@ sslmodule_init_constants(PyObject *m)
SSL_OP_CIPHER_SERVER_PREFERENCE);
PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
PyModule_AddIntConstant(m, "OP_NO_TICKET", SSL_OP_NO_TICKET);
PyModule_AddIntConstant(m, "OP_LEGACY_SERVER_CONNECT",
SSL_OP_LEGACY_SERVER_CONNECT);
#ifdef SSL_OP_SINGLE_ECDH_USE
PyModule_AddIntConstant(m, "OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE);
#endif
Expand Down