[Python-checkins] [3.7] bpo-32257: Add ssl.OP_NO_RENEGOTIATION (GH-5904) (#6877)

Christian Heimes webhook-mailer at python.org
Wed May 16 10:26:22 EDT 2018 

https://github.com/python/cpython/commit/e2db6ad1d96ca3e8bd29178f7093785c5d550bb7
commit: e2db6ad1d96ca3e8bd29178f7093785c5d550bb7
branch: 3.7
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: Christian Heimes <christian at python.org>
date: 2018-05-16T10:26:19-04:00
summary:

[3.7] bpo-32257: Add ssl.OP_NO_RENEGOTIATION (GH-5904) (#6877)

The ssl module now contains OP_NO_RENEGOTIATION constant, available with
OpenSSL 1.1.0h or 1.1.1.

Note, OpenSSL 1.1.0h hasn't been released yet.

Signed-off-by: Christian Heimes <christian at python.org>
(cherry picked from commit 67c48016638aac9a15afe6fd6754d53d2bdd6b76)

Co-authored-by: Christian Heimes <christian at python.org>

files:
A Misc/NEWS.d/next/Library/2018-02-26-09-08-07.bpo-32257.6ElnUt.rst
M Doc/library/ssl.rst
M Modules/_ssl.c

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index f96549427afc..dcb26664feae 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -803,6 +803,15 @@ Constants
       The option is deprecated since OpenSSL 1.1.0. It was added to 2.7.15,
       3.6.3 and 3.7.0 for backwards compatibility with OpenSSL 1.0.2.
 
+.. data:: OP_NO_RENEGOTIATION
+
+   Disable all renegotiation in TLSv1.2 and earlier. Do not send
+   HelloRequest messages, and ignore renegotiation requests via ClientHello.
+
+   This option is only available with OpenSSL 1.1.0h and later.
+
+   .. versionadded:: 3.7
+
 .. data:: OP_CIPHER_SERVER_PREFERENCE
 
    Use the server's cipher ordering preference, rather than the client's.
diff --git a/Misc/NEWS.d/next/Library/2018-02-26-09-08-07.bpo-32257.6ElnUt.rst b/Misc/NEWS.d/next/Library/2018-02-26-09-08-07.bpo-32257.6ElnUt.rst
new file mode 100644
index 000000000000..e74c39b68100
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-02-26-09-08-07.bpo-32257.6ElnUt.rst
@@ -0,0 +1,2 @@
+The ssl module now contains OP_NO_RENEGOTIATION constant, available with
+OpenSSL 1.1.0h or 1.1.1.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 7670833bf5f5..bf379f01a1d2 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -5845,6 +5845,10 @@ PyInit__ssl(void)
     PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
                             SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
 #endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+    PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION",
+                            SSL_OP_NO_RENEGOTIATION);
+#endif
 
 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
     PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",

More information about the Python-checkins mailing list