Do not send IP addresses in SNI TLS extension

00298-do-not-send-IP-in-SNI-TLS-extension.patch

@@ -0,0 +1,68 @@
+diff --git a/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst
+new file mode 100644
+index 000000000000..bfb2533b5dcf
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst
+@@ -0,0 +1,2 @@
++The SSL module no longer sends IP addresses in SNI TLS extension on
++platforms with OpenSSL 1.0.2+ or inet_pton.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index f70af266731a..b191b3a8687a 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -52,6 +52,11 @@
+ #include <sys/poll.h>
+ #endif
+ 
++#ifndef MS_WINDOWS
++/* inet_pton */
++#include <arpa/inet.h>
++#endif
++
+ /* Don't warn about deprecated functions */
+ #ifdef __GNUC__
+ #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+@@ -575,8 +580,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+     SSL_set_mode(self->ssl, mode);
+ 
+ #if HAVE_SNI
+-    if (server_hostname != NULL)
+-        SSL_set_tlsext_host_name(self->ssl, server_hostname);
++    if (server_hostname != NULL) {
++/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
++ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
++ * available on all platforms. Use OpenSSL's IP address parser. It's
++ * available since 1.0.2 and LibreSSL since at least 2.3.0. */
++        int send_sni = 1;
++#if OPENSSL_VERSION_NUMBER >= 0x10200000L
++        ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname);
++        if (ip == NULL) {
++            send_sni = 1;
++            ERR_clear_error();
++        } else {
++            send_sni = 0;
++            ASN1_OCTET_STRING_free(ip);
++        }
++#elif defined(HAVE_INET_PTON)
++#ifdef ENABLE_IPV6
++        char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))];
++#else
++        char packed[sizeof(struct in_addr)];
++#endif /* ENABLE_IPV6 */
++        if (inet_pton(AF_INET, server_hostname, packed)) {
++            send_sni = 0;
++#ifdef ENABLE_IPV6
++        } else if(inet_pton(AF_INET6, server_hostname, packed)) {
++            send_sni = 0;
++#endif /* ENABLE_IPV6 */
++        } else {
++            send_sni = 1;
++        }
++#endif /* HAVE_INET_PTON */
++        if (send_sni) {
++            SSL_set_tlsext_host_name(self->ssl, server_hostname);
++        }
++    }
+ #endif
+ 
+     /* If the socket is in non-blocking mode or timeout mode, set the BIO

python2.spec

@@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.14
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -745,6 +745,12 @@ Patch285: 00285-fix-non-deterministic-read-in-test_pty.patch
 # Fixed upstream: https://bugs.python.org/issue32186
 Patch287: 00287-fix-thread-hanging-on-inaccessible-nfs-server.patch
 
+# 00298 #
+# The SSL module no longer sends IP addresses in SNI TLS extension on
+# platforms with OpenSSL 1.0.2+ or inet_pton.
+# Fixed upstream: https://bugs.python.org/issue32185
+Patch298: 00298-do-not-send-IP-in-SNI-TLS-extension.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@@ -1062,6 +1068,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
 %patch284 -p1
 %patch285 -p1
 %patch287 -p1
+%patch298 -p1
 
 
 %if 0%{?_module_build}
@@ -1948,7 +1955,10 @@ rm -fr %{buildroot}
 # ======================================================
 
 %changelog
-* Thu Feb 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.7.14-17
+* Tue Mar 13 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.7.14-6
+- Do not send IP addresses in SNI TLS extension
+
+* Thu Feb 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.7.14-5
 - Move test.support and test.script_helper to python2-libs
 Resolves: rhbz#1528899