[Python-checkins] bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700)
tiran
webhook-mailer at python.org
Sun Jun 13 07:46:35 EDT 2021
https://github.com/python/cpython/commit/bf527277d4e4907e32d76ca7ba667ab3149fe258
commit: bf527277d4e4907e32d76ca7ba667ab3149fe258
branch: main
author: Christian Heimes <christian at python.org>
committer: tiran <christian at python.org>
date: 2021-06-13T13:46:07+02:00
summary:
bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700)
Signed-off-by: Christian Heimes <christian at python.org>
files:
A Misc/NEWS.d/next/Library/2021-06-12-22-58-20.bpo-44389.WTRnoC.rst
M Lib/test/test_ssl.py
M Modules/_ssl.c
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 31bc199e930a6..6cea0ee9f1da5 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -580,6 +580,54 @@ def test_timeout(self):
with test_wrap_socket(s) as ss:
self.assertEqual(timeout, ss.gettimeout())
+ def test_openssl111_deprecations(self):
+ options = [
+ ssl.OP_NO_TLSv1,
+ ssl.OP_NO_TLSv1_1,
+ ssl.OP_NO_TLSv1_2,
+ ssl.OP_NO_TLSv1_3
+ ]
+ protocols = [
+ ssl.PROTOCOL_TLSv1,
+ ssl.PROTOCOL_TLSv1_1,
+ ssl.PROTOCOL_TLSv1_2,
+ ssl.PROTOCOL_TLS
+ ]
+ versions = [
+ ssl.TLSVersion.SSLv3,
+ ssl.TLSVersion.TLSv1,
+ ssl.TLSVersion.TLSv1_1,
+ ]
+
+ for option in options:
+ with self.subTest(option=option):
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ with self.assertWarns(DeprecationWarning) as cm:
+ ctx.options |= option
+ self.assertEqual(
+ 'ssl.OP_NO_SSL*/ssl.SSL_NO_TLS* options are deprecated',
+ str(cm.warning)
+ )
+
+ for protocol in protocols:
+ with self.subTest(protocol=protocol):
+ with self.assertWarns(DeprecationWarning) as cm:
+ ssl.SSLContext(protocol)
+ self.assertEqual(
+ f'{protocol!r} is deprecated',
+ str(cm.warning)
+ )
+
+ for version in versions:
+ with self.subTest(version=version):
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ with self.assertWarns(DeprecationWarning) as cm:
+ ctx.minimum_version = version
+ self.assertEqual(
+ f'ssl.{version!r} is deprecated',
+ str(cm.warning)
+ )
+
@ignore_deprecation
def test_errors_sslwrap(self):
sock = socket.socket()
@@ -3067,7 +3115,7 @@ def test_dual_rsa_ecc(self):
client_context.load_verify_locations(SIGNING_CA)
# TODO: fix TLSv1.3 once SSLContext can restrict signature
# algorithms.
- client_context.options |= ssl.OP_NO_TLSv1_3
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
# only ECDSA certs
client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
hostname = SIGNED_CERTFILE_ECC_HOSTNAME
@@ -3806,7 +3854,7 @@ def test_do_handshake_enotconn(self):
def test_no_shared_ciphers(self):
client_context, server_context, hostname = testing_context()
# OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
- client_context.options |= ssl.OP_NO_TLSv1_3
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
# Force different suites on client and server
client_context.set_ciphers("AES128")
server_context.set_ciphers("AES256")
@@ -4021,10 +4069,10 @@ def test_dh_params(self):
# Check we can get a connection with ephemeral Diffie-Hellman
client_context, server_context, hostname = testing_context()
# test scenario needs TLS <= 1.2
- client_context.options |= ssl.OP_NO_TLSv1_3
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
server_context.load_dh_params(DHFILE)
server_context.set_ciphers("kEDH")
- server_context.options |= ssl.OP_NO_TLSv1_3
+ server_context.maximum_version = ssl.TLSVersion.TLSv1_2
stats = server_params_test(client_context, server_context,
chatty=True, connectionchatty=True,
sni_name=hostname)
@@ -4270,7 +4318,7 @@ def test_sendfile(self):
def test_session(self):
client_context, server_context, hostname = testing_context()
# TODO: sessions aren't compatible with TLSv1.3 yet
- client_context.options |= ssl.OP_NO_TLSv1_3
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
# first connection without session
stats = server_params_test(client_context, server_context,
@@ -4329,8 +4377,8 @@ def test_session_handling(self):
client_context2, _, _ = testing_context()
# TODO: session reuse does not work with TLSv1.3
- client_context.options |= ssl.OP_NO_TLSv1_3
- client_context2.options |= ssl.OP_NO_TLSv1_3
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
+ client_context2.maximum_version = ssl.TLSVersion.TLSv1_2
server = ThreadedEchoServer(context=server_context, chatty=False)
with server:
@@ -4754,7 +4802,7 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
def test_msg_callback_tls12(self):
client_context, server_context, hostname = testing_context()
- client_context.options |= ssl.OP_NO_TLSv1_3
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
msg = []
diff --git a/Misc/NEWS.d/next/Library/2021-06-12-22-58-20.bpo-44389.WTRnoC.rst b/Misc/NEWS.d/next/Library/2021-06-12-22-58-20.bpo-44389.WTRnoC.rst
new file mode 100644
index 0000000000000..e7e3b87489900
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-06-12-22-58-20.bpo-44389.WTRnoC.rst
@@ -0,0 +1 @@
+Fix deprecation of :data:`ssl.OP_NO_TLSv1_3`
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1080fa6cffbd9..26f31f8f4c534 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -3587,7 +3587,7 @@ set_options(PySSLContext *self, PyObject *arg, void *c)
long new_opts, opts, set, clear;
long opt_no = (
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
- SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2
+ SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3
);
if (!PyArg_Parse(arg, "l", &new_opts))
More information about the Python-checkins
mailing list