poky/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch - openbmc/openbmc - Gitiles

 From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Wed, 15 Aug 2018 09:07:28 +0200
 Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
  (GH-8760)

 Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
 default.

 Also update multissltests to test with latest OpenSSL.

 Signed-off-by: Christian Heimes <christian@python.org>.
 (cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)

 Co-authored-by: Christian Heimes <christian@python.org>

 Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]

 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 ---
  Doc/library/ssl.rst                           |  8 ++--
  Lib/test/test_ssl.py                          | 37 +++++++++++--------
  .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst  |  3 ++
  3 files changed, 27 insertions(+), 21 deletions(-)
  create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst

 diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
 index 0421031772..7c7c85b833 100644
 --- a/Doc/library/ssl.rst
 +++ b/Doc/library/ssl.rst
 @@ -294,11 +294,6 @@ purposes.

       3DES was dropped from the default cipher string.

 -   .. versionchanged:: 2.7.15
 -
 -     TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
 -     and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
 -
  .. function:: _https_verify_certificates(enable=True)

     Specifies whether or not server certificates are verified when creating
 @@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
        when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
        give the currently selected cipher.

 +      OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
 +      cannot be disabled with :meth:`~SSLContext.set_ciphers`.
 +
  .. method:: SSLContext.set_alpn_protocols(protocols)

     Specify which protocols the socket should advertise during the SSL/TLS
 diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
 index dc14e22ad1..f51572e319 100644
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
 @@ -2772,19 +2772,24 @@ else:
                      sock.do_handshake()
                  self.assertEqual(cm.exception.errno, errno.ENOTCONN)

 -        def test_default_ciphers(self):
 -            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 -            try:
 -                # Force a set of weak ciphers on our client context
 -                context.set_ciphers("DES")
 -            except ssl.SSLError:
 -                self.skipTest("no DES cipher available")
 -            with ThreadedEchoServer(CERTFILE,
 -                                    ssl_version=ssl.PROTOCOL_SSLv23,
 -                                    chatty=False) as server:
 -                with closing(context.wrap_socket(socket.socket())) as s:
 -                    with self.assertRaises(ssl.SSLError):
 -                        s.connect((HOST, server.port))
 +        def test_no_shared_ciphers(self):
 +            server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 +            server_context.load_cert_chain(SIGNED_CERTFILE)
 +            client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 +            client_context.verify_mode = ssl.CERT_REQUIRED
 +            client_context.check_hostname = True
 +
 +            # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
 +            client_context.options |= ssl.OP_NO_TLSv1_3
 +            # Force different suites on client and master
 +            client_context.set_ciphers("AES128")
 +            server_context.set_ciphers("AES256")
 +            with ThreadedEchoServer(context=server_context) as server:
 +                s = client_context.wrap_socket(
 +                        socket.socket(),
 +                        server_hostname="localhost")
 +                with self.assertRaises(ssl.SSLError):
 +                    s.connect((HOST, server.port))
              self.assertIn("no shared cipher", str(server.conn_errors[0]))

          def test_version_basic(self):
 @@ -2815,9 +2820,9 @@ else:
                  with context.wrap_socket(socket.socket()) as s:
                      s.connect((HOST, server.port))
                      self.assertIn(s.cipher()[0], [
 -                        'TLS13-AES-256-GCM-SHA384',
 -                        'TLS13-CHACHA20-POLY1305-SHA256',
 -                        'TLS13-AES-128-GCM-SHA256',
 +                        'TLS_AES_256_GCM_SHA384',
 +                        'TLS_CHACHA20_POLY1305_SHA256',
 +                        'TLS_AES_128_GCM_SHA256',
                      ])

          @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
 diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
 new file mode 100644
 index 0000000000..bd719a47e8
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
 @@ -0,0 +1,3 @@
 +Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
 +1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
 +default.
 --
 2.17.1
	From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
	From: Christian Heimes <christian@python.org>
	Date: Wed, 15 Aug 2018 09:07:28 +0200
	Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
	(GH-8760)

	Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
	1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
	default.

	Also update multissltests to test with latest OpenSSL.

	Signed-off-by: Christian Heimes <christian@python.org>.
	(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)

	Co-authored-by: Christian Heimes <christian@python.org>

	Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]

	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	---
	Doc/library/ssl.rst \| 8 ++--
	Lib/test/test_ssl.py \| 37 +++++++++++--------
	.../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst \| 3 ++
	3 files changed, 27 insertions(+), 21 deletions(-)
	create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst

	diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
	index 0421031772..7c7c85b833 100644
	--- a/Doc/library/ssl.rst
	+++ b/Doc/library/ssl.rst
	@@ -294,11 +294,6 @@ purposes.

	3DES was dropped from the default cipher string.

	- .. versionchanged:: 2.7.15
	-
	- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
	- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
	-
	.. function:: _https_verify_certificates(enable=True)

	Specifies whether or not server certificates are verified when creating
	@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
	when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
	give the currently selected cipher.

	+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
	+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
	+
	.. method:: SSLContext.set_alpn_protocols(protocols)

	Specify which protocols the socket should advertise during the SSL/TLS
	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
	index dc14e22ad1..f51572e319 100644
	--- a/Lib/test/test_ssl.py
	+++ b/Lib/test/test_ssl.py
	@@ -2772,19 +2772,24 @@ else:
	sock.do_handshake()
	self.assertEqual(cm.exception.errno, errno.ENOTCONN)

	- def test_default_ciphers(self):
	- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
	- try:
	- # Force a set of weak ciphers on our client context
	- context.set_ciphers("DES")
	- except ssl.SSLError:
	- self.skipTest("no DES cipher available")
	- with ThreadedEchoServer(CERTFILE,
	- ssl_version=ssl.PROTOCOL_SSLv23,
	- chatty=False) as server:
	- with closing(context.wrap_socket(socket.socket())) as s:
	- with self.assertRaises(ssl.SSLError):
	- s.connect((HOST, server.port))
	+ def test_no_shared_ciphers(self):
	+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
	+ server_context.load_cert_chain(SIGNED_CERTFILE)
	+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
	+ client_context.verify_mode = ssl.CERT_REQUIRED
	+ client_context.check_hostname = True
	+
	+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
	+ client_context.options \|= ssl.OP_NO_TLSv1_3
	+ # Force different suites on client and master
	+ client_context.set_ciphers("AES128")
	+ server_context.set_ciphers("AES256")
	+ with ThreadedEchoServer(context=server_context) as server:
	+ s = client_context.wrap_socket(
	+ socket.socket(),
	+ server_hostname="localhost")
	+ with self.assertRaises(ssl.SSLError):
	+ s.connect((HOST, server.port))
	self.assertIn("no shared cipher", str(server.conn_errors[0]))

	def test_version_basic(self):
	@@ -2815,9 +2820,9 @@ else:
	with context.wrap_socket(socket.socket()) as s:
	s.connect((HOST, server.port))
	self.assertIn(s.cipher()[0], [
	- 'TLS13-AES-256-GCM-SHA384',
	- 'TLS13-CHACHA20-POLY1305-SHA256',
	- 'TLS13-AES-128-GCM-SHA256',
	+ 'TLS_AES_256_GCM_SHA384',
	+ 'TLS_CHACHA20_POLY1305_SHA256',
	+ 'TLS_AES_128_GCM_SHA256',
	])

	@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
	diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
	new file mode 100644
	index 0000000000..bd719a47e8
	--- /dev/null
	+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
	@@ -0,0 +1,3 @@
	+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
	+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
	+default.
	--
	2.17.1