bpo-34001: Change handling of SSL protocol bounds with LibreSSL #8055


Closed
wants to merge 5 commits into from

Conversation

alanhuang122
@alanhuang122 alanhuang122 commented Jul 2, 2018

There are two substantial changes made in this pull request:

  1. Under LibreSSL, bounds cannot be set such that minimum_version > maximum_version. 4254483 changes the behavior of set_min_max_proto_version on all builds to reflect that behavior, and introduces a new error message to indicate the issue.
  2. LibreSSL is more permissive than OpenSSL with regard to unknown protocol versions. Namely, LibreSSL allows the setting of unknown protocol versions, rounding to the nearest known protocol version (e.g., 42 -> 769 [TLSv1]), whereas OpenSSL does not. 8352fd3 implements a check to ensure that the result of a set operation is the expected value, and forbids/undoes the change otherwise.

https://bugs.python.org/issue34001
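The two checks described in the PR body, modelled in plain Python as an added example (this is not the PR's C patch to `_ssl.c`, and not CPython code). It runs against a constructed stand-in for the libssl `SSL_CTX_{get,set}_{min,max}_proto_version` calls so it works without any particular OpenSSL or LibreSSL build; `FakeLibssl`, its `strict` flag and its "round to the nearest supported version" behaviour are assumptions built from the PR description (42 -> 769), and the `set_min_max_proto_version` wrapper is a simplified model, not the real C function.

```python
"""Model of the PR's two protocol-bound checks (added example, not CPython code)."""
import ssl

# Wire codes, identical to the ssl.TLSVersion members of the same name.
TLSv1, TLSv1_1, TLSv1_2, TLSv1_3 = 769, 770, 771, 772
MINIMUM_SUPPORTED = int(ssl.TLSVersion.MINIMUM_SUPPORTED)  # -2
MAXIMUM_SUPPORTED = int(ssl.TLSVersion.MAXIMUM_SUPPORTED)  # -1


class FakeLibssl:
    """Constructed stand-in for SSL_CTX_{get,set}_{min,max}_proto_version.

    strict=True models the OpenSSL behaviour the PR describes: an unknown
    version code makes the setter fail (return 0).  strict=False models the
    LibreSSL behaviour the PR describes: the setter succeeds but silently
    moves the code to the nearest version the library supports (42 -> 769).
    As in the real API, 0 means "no bound".  `supported` is an assumption.
    """

    def __init__(self, strict, supported=(TLSv1, TLSv1_2)):
        self.strict = strict
        self.lowest, self.highest = supported
        self.min_proto = 0
        self.max_proto = 0

    def _coerce(self, version):
        if version == 0 or self.lowest <= version <= self.highest:
            return version
        if self.strict:
            return None  # rejected
        return min(max(version, self.lowest), self.highest)  # rounded

    def get_min(self):
        return self.min_proto

    def get_max(self):
        return self.max_proto

    def set_min(self, version):
        version = self._coerce(version)
        if version is None:
            return 0
        self.min_proto = version
        return 1

    def set_max(self, version):
        version = self._coerce(version)
        if version is None:
            return 0
        self.max_proto = version
        return 1


def set_min_max_proto_version(lib, value, what):
    """Set the 'minimum' or 'maximum' bound, applying both checks from the PR."""
    if value in (MINIMUM_SUPPORTED, MAXIMUM_SUPPORTED):
        wanted = 0  # libssl's "unbounded"
    elif 0 <= value <= 0xFFFF:
        wanted = value
    else:
        raise ValueError(f"Unsupported TLS/SSL version {value!r}")

    if what == "minimum":
        getter, setter, other = lib.get_min, lib.set_min, lib.get_max()
        lo, hi = wanted, other
    else:
        getter, setter, other = lib.get_max, lib.set_max, lib.get_min()
        lo, hi = other, wanted

    # Check 1 (PR item 1): never allow minimum_version > maximum_version.
    # 0 is "unbounded" on either side, so only compare two real bounds.
    if lo and hi and lo > hi:
        raise ValueError("minimum_version must not be greater than maximum_version")

    # Check 2 (PR item 2): the stored value must equal what we asked for.
    # A permissive library that rounded the code is caught here and undone.
    previous = getter()
    if not setter(wanted):
        raise ValueError(f"Unsupported TLS/SSL version {wanted!r}")
    if getter() != wanted:
        setter(previous)  # undo the silent substitution
        raise ValueError(f"Unsupported TLS/SSL version {wanted!r} (library stored {getter()!r})")
    return wanted


def rejects(lib, value, what):
    """True if the wrapper raises ValueError for this assignment."""
    try:
        set_min_max_proto_version(lib, value, what)
    except ValueError:
        return True
    return False


def demo():
    """Run the scenarios from the PR description against both library models."""
    permissive, strict = FakeLibssl(strict=False), FakeLibssl(strict=True)
    return {
        # unknown code 42: rejected by both, and the bound is left untouched
        "permissive_rejects_42": rejects(permissive, 42, "minimum"),
        "permissive_min_unchanged": permissive.get_min(),
        "strict_rejects_42": rejects(strict, 42, "minimum"),
        # min=TLSv1_2 then max=TLSv1 would invert the range: refused
        "min_tls12": set_min_max_proto_version(permissive, TLSv1_2, "minimum"),
        "inverted_range_rejected": rejects(permissive, TLSv1, "maximum"),
        "max_unchanged": permissive.get_max(),
        # MAXIMUM_SUPPORTED maps to libssl's 0
        "max_supported": set_min_max_proto_version(permissive, MAXIMUM_SUPPORTED, "maximum"),
    }
```

The undo step matters: without restoring `previous`, a rejected assignment on a permissive library would leave the context with a bound the caller never requested, which is exactly the silent-rounding problem the second item describes.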

Alan Huang added 2 commits July 2, 2018 19:42
Under LibreSSL, bounds cannot be set such that minimum_version >
maximum_version. This commit codifies that behavior, and
introduces a new error message to indicate the issue.
LibreSSL behaves differently than OpenSSL when setting protocol
bounds. This commit fixes some failing tests and adds checks and
more detailed error messages.
@alanhuang122 alanhuang122 force-pushed the bpo-34001 branch 2 times, most recently from 6f890dc to 2df8050 Compare July 3, 2018 00:50
Alan Huang added 3 commits July 2, 2018 20:00
This commit fixes tests by removing invalid range settings.
This commit adds tests for the new {min,max}imum_version restrictions.
Attempting to set an invalid range should raise ValueError, and the value
should not be changed after the attempt.
@tiran
Member

tiran commented Jul 3, 2018

Hi, thanks for your patch.

OpenSSL may validate min and max protocol version soon, too. There is currently a patch under development. I'd prefer to wait how the OpenSSL patch plays out.

@ghost

ghost commented Oct 24, 2018

Hi.

First, thank you for all the work done to get LibreSSL compatibility.

Python-3.7.1 with LibreSSL-2.8.2 and patches from #8055 and #8050
Compilation failed because test_ssl failed.

A detailed list of all the patches that I use for my python-3.7.1 compilation with LibreSSL-2.8.2:
4254483
8352fd3
77d24d8
2a09611
f415a39
abc1b0a
3a421eb
d98c160

FAIL: test_min_max_version (test.test_ssl.ContextTests)

Traceback (most recent call last):
File "/tmp/makepkg/python/src/Python-3.7.1/Lib/test/test_ssl.py", line 1163, in test_min_max_version
ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
AssertionError: <TLSVersion.TLSv1_2: 771> != <TLSVersion.MAXIMUM_SUPPORTED: -1>


The complete compilation log:
python-3.7.1-2-libressl-2.8.2-1-WithPatches.txt

@csabella
Contributor

@tiran, any updates after your last comment from July 2018? Thanks!

@tiran tiran removed their request for review April 17, 2021 21:04
@iritkatriel
Member

https://bugs.python.org/issue34001 is closed. What is the status of this PR?

@encukou
Member

encukou commented Mar 28, 2024

The issue was closed with a different PR.
If there is still a problem, please file a new issue. (And mention this PR, we can reopen it.)

@encukou encukou closed this Mar 28, 2024

8 participants