gh-89051: Add ssl.OP_LEGACY_SERVER_CONNECT #93927

Merged
merged 6 commits into from Dec 20, 2022

@graingert graingert commented Jun 17, 2022

@graingert graingert changed the title Add ssl.OP_LEGACY_SERVER_CONNECT gh-89051: Add ssl.OP_LEGACY_SERVER_CONNECT Jun 17, 2022
Doc/library/ssl.rst (review thread: outdated, resolved)
@graingert graingert marked this pull request as ready for review Jun 17, 2022
@graingert graingert marked this pull request as draft Jun 17, 2022
@graingert graingert force-pushed the op-legacy-server-connect branch from be10f55 to 364d875 Compare Jun 17, 2022
@graingert graingert marked this pull request as ready for review Jun 17, 2022
def test_legacy_server_connect(self):
client_context, server_context, hostname = testing_context()
client_context.options |= ssl.OP_LEGACY_SERVER_CONNECT
server_params_test(client_context, server_context,
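
Review bot: test_legacy_server_connect only ORs ssl.OP_LEGACY_SERVER_CONNECT into client_context.options and then runs the usual server_params_test handshake, so nothing visible here would fail if the flag had no effect. Before the handshake, assert that the bit reads back from the context (client_context.options & ssl.OP_LEGACY_SERVER_CONNECT). If server_context from testing_context() is an ordinary server, also add a comment saying the test covers only that the constant exists and is accepted, not that a connection to a peer without secure renegotiation succeeds.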

@graingert graingert Jun 17, 2022

Is there a mechanism for creating a bad TLS server that doesn't support secure renegotiation indication?

@pquentin pquentin left a comment

Thanks! This will help with the transition to OpenSSL 3.0.

graingert commented Jul 21, 2022

@tiran can I get a review on this please?

tiran commented Aug 3, 2022

I guess you never found a way to create a server that does not support secure negotiations. Let's land this now anyway.

tiran approved these changes Aug 3, 2022

graingert commented Aug 3, 2022

> I guess you never found a way to create a server that does not support secure negotiations. Let's land this now anyway.

I had a look into doing it with tlslite-ng or using openssl's or even just hand-writing TLS down a plain socket.socket, but it would add hundreds or thousands of lines to the PR.

I did raise a ticket with badssl, chromium/badssl.com#507; if they implement it, I'd be interested in integrating badssl.test as a Docker container in the CPython CI.

smontanaro commented Nov 22, 2022

(I'm working my way through some PRs which have been approved and are labeled "awaiting merge", hence my seemingly bolt from the blue comment. Why? Read here.)

This has been idle since early August. @graingert Is there reason to assume a buggy TLS implementation is in the works against which this can be tested? If not, perhaps it's time to merge and close?

graingert commented Nov 22, 2022

Yeah I think this just needs a merge

dmpe commented Dec 19, 2022

Hi, any indication on when this will be merged & released?

hugovk commented Dec 20, 2022

Docs conflict resolved.

hugovk approved these changes Dec 20, 2022

@hugovk hugovk left a comment

Let's go for:

  • .. versionadded:: 3.10.10 in 3.10
  • .. versionadded:: 3.11.2 in 3.11
  • .. versionadded:: 3.12 in 3.12/main

@hugovk hugovk merged commit 79ccc03 into python:main Dec 20, 2022
16 checks passed

hugovk commented Dec 20, 2022

@dmpe Merged now, will be in 3.12.0 alpha 4, scheduled for 2023-01-09 and if the backports land soon, will be in 3.10.10 and 3.11.2, both scheduled for 2023-02-06.

miss-islington commented Dec 20, 2022

Thanks @graingert for the PR, and @hugovk for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒🤖

miss-islington commented Dec 20, 2022

Sorry, @graingert and @hugovk, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 79ccc03b62d819d83e592c6c8038545d9263a0d4 3.10

miss-islington commented Dec 20, 2022

Thanks @graingert for the PR, and @hugovk for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒🤖

miss-islington commented Dec 20, 2022

Sorry @graingert and @hugovk, I had trouble checking out the 3.11 backport branch.
Please retry by removing and re-adding the "needs backport to 3.11" label.
Alternatively, you can backport using cherry_picker on the command line.
cherry_picker 79ccc03b62d819d83e592c6c8038545d9263a0d4 3.11

miss-islington commented Dec 20, 2022

Thanks @graingert for the PR, and @hugovk for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒🤖

miss-islington commented Dec 20, 2022

Sorry, @graingert and @hugovk, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 79ccc03b62d819d83e592c6c8038545d9263a0d4 3.11

hugovk pushed a commit to hugovk/cpython that referenced this pull request Dec 20, 2022
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Fixes python#89051

(cherry picked from commit 79ccc03)

bedevere-bot commented Dec 20, 2022

GH-100359 is a backport of this pull request to the 3.11 branch.

bedevere-bot commented Dec 20, 2022

GH-100360 is a backport of this pull request to the 3.10 branch.

jonburdo pushed a commit to jonburdo/cpython that referenced this pull request Dec 20, 2022
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Fixes python#89051

hugovk commented Dec 21, 2022

@dmpe Merged now, will be in 3.12.0 alpha 4, scheduled for 2023-01-09 and if the backports land soon, will be in 3.10.10 and 3.11.2, both scheduled for 2023-02-06.

I closed the backport PRs, as we don't normally backport new features to bugfix branches.

https://devguide.python.org/versions/

This will be in the next 3.12.0 alpha 4, due on 2023-01-09.
