Backport TLS 1.3 related fixes to fix FTBFS
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1609291
This commit is contained in:
Miro Hrončok
parent
b9e8a46cca
commit
4aa9ebcc03
|
|
@ -0,0 +1,182 @@
|
|||
diff --git a/Lib/test/dh1024.pem b/Lib/test/dh1024.pem
|
||||
deleted file mode 100644
|
||||
index a391176..0000000
|
||||
--- a/Lib/test/dh1024.pem
|
||||
+++ /dev/null
|
||||
@@ -1,7 +0,0 @@
|
||||
------BEGIN DH PARAMETERS-----
|
||||
-MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt
|
||||
-rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0
|
||||
-RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC
|
||||
------END DH PARAMETERS-----
|
||||
-
|
||||
-Generated with: openssl dhparam -out dh1024.pem 1024
|
||||
diff --git a/Lib/test/ffdh3072.pem b/Lib/test/ffdh3072.pem
|
||||
new file mode 100644
|
||||
index 0000000..ad69bac
|
||||
--- /dev/null
|
||||
+++ b/Lib/test/ffdh3072.pem
|
||||
@@ -0,0 +1,41 @@
|
||||
+ DH Parameters: (3072 bit)
|
||||
+ prime:
|
||||
+ 00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
|
||||
+ 4a:9a:af:dc:56:20:27:3d:3c:f1:d8:b9:c5:83:ce:
|
||||
+ 2d:36:95:a9:e1:36:41:14:64:33:fb:cc:93:9d:ce:
|
||||
+ 24:9b:3e:f9:7d:2f:e3:63:63:0c:75:d8:f6:81:b2:
|
||||
+ 02:ae:c4:61:7a:d3:df:1e:d5:d5:fd:65:61:24:33:
|
||||
+ f5:1f:5f:06:6e:d0:85:63:65:55:3d:ed:1a:f3:b5:
|
||||
+ 57:13:5e:7f:57:c9:35:98:4f:0c:70:e0:e6:8b:77:
|
||||
+ e2:a6:89:da:f3:ef:e8:72:1d:f1:58:a1:36:ad:e7:
|
||||
+ 35:30:ac:ca:4f:48:3a:79:7a:bc:0a:b1:82:b3:24:
|
||||
+ fb:61:d1:08:a9:4b:b2:c8:e3:fb:b9:6a:da:b7:60:
|
||||
+ d7:f4:68:1d:4f:42:a3:de:39:4d:f4:ae:56:ed:e7:
|
||||
+ 63:72:bb:19:0b:07:a7:c8:ee:0a:6d:70:9e:02:fc:
|
||||
+ e1:cd:f7:e2:ec:c0:34:04:cd:28:34:2f:61:91:72:
|
||||
+ fe:9c:e9:85:83:ff:8e:4f:12:32:ee:f2:81:83:c3:
|
||||
+ fe:3b:1b:4c:6f:ad:73:3b:b5:fc:bc:2e:c2:20:05:
|
||||
+ c5:8e:f1:83:7d:16:83:b2:c6:f3:4a:26:c1:b2:ef:
|
||||
+ fa:88:6b:42:38:61:1f:cf:dc:de:35:5b:3b:65:19:
|
||||
+ 03:5b:bc:34:f4:de:f9:9c:02:38:61:b4:6f:c9:d6:
|
||||
+ e6:c9:07:7a:d9:1d:26:91:f7:f7:ee:59:8c:b0:fa:
|
||||
+ c1:86:d9:1c:ae:fe:13:09:85:13:92:70:b4:13:0c:
|
||||
+ 93:bc:43:79:44:f4:fd:44:52:e2:d7:4d:d3:64:f2:
|
||||
+ e2:1e:71:f5:4b:ff:5c:ae:82:ab:9c:9d:f6:9e:e8:
|
||||
+ 6d:2b:c5:22:36:3a:0d:ab:c5:21:97:9b:0d:ea:da:
|
||||
+ 1d:bf:9a:42:d5:c4:48:4e:0a:bc:d0:6b:fa:53:dd:
|
||||
+ ef:3c:1b:20:ee:3f:d5:9d:7c:25:e4:1d:2b:66:c6:
|
||||
+ 2e:37:ff:ff:ff:ff:ff:ff:ff:ff
|
||||
+ generator: 2 (0x2)
|
||||
+ recommended-private-length: 276 bits
|
||||
+-----BEGIN DH PARAMETERS-----
|
||||
+MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
|
||||
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
|
||||
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
|
||||
+N///////////AgECAgIBFA==
|
||||
+-----END DH PARAMETERS-----
|
||||
diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
|
||||
index f9488a9..da8ba32 100644
|
||||
--- a/Lib/test/test_ftplib.py
|
||||
+++ b/Lib/test/test_ftplib.py
|
||||
@@ -880,18 +880,23 @@ class TestTLS_FTPClass(TestCase):
|
||||
# clear text
|
||||
with self.client.transfercmd('list') as sock:
|
||||
self.assertNotIsInstance(sock, ssl.SSLSocket)
|
||||
+ self.assertEqual(sock.recv(1024), LIST_DATA.encode('ascii'))
|
||||
self.assertEqual(self.client.voidresp(), "226 transfer complete")
|
||||
|
||||
# secured, after PROT P
|
||||
self.client.prot_p()
|
||||
with self.client.transfercmd('list') as sock:
|
||||
self.assertIsInstance(sock, ssl.SSLSocket)
|
||||
+ # consume from SSL socket to finalize handshake and avoid
|
||||
+ # "SSLError [SSL] shutdown while in init"
|
||||
+ self.assertEqual(sock.recv(1024), LIST_DATA.encode('ascii'))
|
||||
self.assertEqual(self.client.voidresp(), "226 transfer complete")
|
||||
|
||||
# PROT C is issued, the connection must be in cleartext again
|
||||
self.client.prot_c()
|
||||
with self.client.transfercmd('list') as sock:
|
||||
self.assertNotIsInstance(sock, ssl.SSLSocket)
|
||||
+ self.assertEqual(sock.recv(1024), LIST_DATA.encode('ascii'))
|
||||
self.assertEqual(self.client.voidresp(), "226 transfer complete")
|
||||
|
||||
def test_login(self):
|
||||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||
index 7bbaa9f..ea528b5 100644
|
||||
--- a/Lib/test/test_ssl.py
|
||||
+++ b/Lib/test/test_ssl.py
|
||||
@@ -55,7 +55,6 @@ CAPATH = data_file("capath")
|
||||
BYTES_CAPATH = os.fsencode(CAPATH)
|
||||
CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
|
||||
CAFILE_CACERT = data_file("capath", "5ed36f99.0")
|
||||
-WRONG_CERT = data_file("wrongcert.pem")
|
||||
|
||||
CERTFILE_INFO = {
|
||||
'issuer': ((('countryName', 'XY'),),
|
||||
@@ -118,7 +117,7 @@ BADKEY = data_file("badkey.pem")
|
||||
NOKIACERT = data_file("nokia.pem")
|
||||
NULLBYTECERT = data_file("nullbytecert.pem")
|
||||
|
||||
-DHFILE = data_file("dh1024.pem")
|
||||
+DHFILE = data_file("ffdh3072.pem")
|
||||
BYTES_DHFILE = os.fsencode(DHFILE)
|
||||
|
||||
# Not defined in all versions of OpenSSL
|
||||
@@ -2846,8 +2845,8 @@ class ThreadedTests(unittest.TestCase):
|
||||
connect to it with a wrong client certificate fails.
|
||||
"""
|
||||
client_context, server_context, hostname = testing_context()
|
||||
- # load client cert
|
||||
- client_context.load_cert_chain(WRONG_CERT)
|
||||
+ # load client cert that is not signed by trusted CA
|
||||
+ client_context.load_cert_chain(CERTFILE)
|
||||
# require TLS client authentication
|
||||
server_context.verify_mode = ssl.CERT_REQUIRED
|
||||
# TLS 1.3 has different handshake
|
||||
@@ -2879,7 +2878,8 @@ class ThreadedTests(unittest.TestCase):
|
||||
@unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
|
||||
def test_wrong_cert_tls13(self):
|
||||
client_context, server_context, hostname = testing_context()
|
||||
- client_context.load_cert_chain(WRONG_CERT)
|
||||
+ # load client cert that is not signed by trusted CA
|
||||
+ client_context.load_cert_chain(CERTFILE)
|
||||
server_context.verify_mode = ssl.CERT_REQUIRED
|
||||
server_context.minimum_version = ssl.TLSVersion.TLSv1_3
|
||||
client_context.minimum_version = ssl.TLSVersion.TLSv1_3
|
||||
diff --git a/Lib/test/wrongcert.pem b/Lib/test/wrongcert.pem
|
||||
deleted file mode 100644
|
||||
index 5f92f9b..0000000
|
||||
--- a/Lib/test/wrongcert.pem
|
||||
+++ /dev/null
|
||||
@@ -1,32 +0,0 @@
|
||||
------BEGIN RSA PRIVATE KEY-----
|
||||
-MIICXAIBAAKBgQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnH
|
||||
-FlbsVUg2Xtk6+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6T
|
||||
-f9lnNTwpSoeK24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQAB
|
||||
-AoGAQFko4uyCgzfxr4Ezb4Mp5pN3Npqny5+Jey3r8EjSAX9Ogn+CNYgoBcdtFgbq
|
||||
-1yif/0sK7ohGBJU9FUCAwrqNBI9ZHB6rcy7dx+gULOmRBGckln1o5S1+smVdmOsW
|
||||
-7zUVLBVByKuNWqTYFlzfVd6s4iiXtAE2iHn3GCyYdlICwrECQQDhMQVxHd3EFbzg
|
||||
-SFmJBTARlZ2GKA3c1g/h9/XbkEPQ9/RwI3vnjJ2RaSnjlfoLl8TOcf0uOGbOEyFe
|
||||
-19RvCLXjAkEA1s+UE5ziF+YVkW3WolDCQ2kQ5WG9+ccfNebfh6b67B7Ln5iG0Sbg
|
||||
-ky9cjsO3jbMJQtlzAQnH1850oRD5Gi51dQJAIbHCDLDZU9Ok1TI+I2BhVuA6F666
|
||||
-lEZ7TeZaJSYq34OaUYUdrwG9OdqwZ9sy9LUav4ESzu2lhEQchCJrKMn23QJAReqs
|
||||
-ZLHUeTjfXkVk7dHhWPWSlUZ6AhmIlA/AQ7Payg2/8wM/JkZEJEPvGVykms9iPUrv
|
||||
-frADRr+hAGe43IewnQJBAJWKZllPgKuEBPwoEldHNS8nRu61D7HzxEzQ2xnfj+Nk
|
||||
-2fgf1MAzzTRsikfGENhVsVWeqOcijWb6g5gsyCmlRpc=
|
||||
------END RSA PRIVATE KEY-----
|
||||
------BEGIN CERTIFICATE-----
|
||||
-MIICsDCCAhmgAwIBAgIJAOqYOYFJfEEoMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
|
||||
-BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
|
||||
-aWRnaXRzIFB0eSBMdGQwHhcNMDgwNjI2MTgxNTUyWhcNMDkwNjI2MTgxNTUyWjBF
|
||||
-MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
|
||||
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
|
||||
-gQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnHFlbsVUg2Xtk6
|
||||
-+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6Tf9lnNTwpSoeK
|
||||
-24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQABo4GnMIGkMB0G
|
||||
-A1UdDgQWBBTctMtI3EO9OjLI0x9Zo2ifkwIiNjB1BgNVHSMEbjBsgBTctMtI3EO9
|
||||
-OjLI0x9Zo2ifkwIiNqFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
|
||||
-U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOqYOYFJ
|
||||
-fEEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQwa7jya/DfhaDn7E
|
||||
-usPkpgIX8WCL2B1SqnRTXEZfBPPVq/cUmFGyEVRVATySRuMwi8PXbVcOhXXuocA+
|
||||
-43W+iIsD9pXapCZhhOerCq18TC1dWK98vLUsoK8PMjB6e5H/O8bqojv0EeC+fyCw
|
||||
-eSHj5jpC8iZKjCHBn+mAi4cQ514=
|
||||
------END CERTIFICATE-----
|
||||
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
|
||||
index 20d4eeac12..a0c683bbcf 100644
|
||||
--- a/Lib/test/test_poplib.py
|
||||
+++ b/Lib/test/test_poplib.py
|
||||
@@ -178,7 +178,8 @@ class DummyPOP3Handler(asynchat.async_chat):
|
||||
return self.handle_close()
|
||||
# TODO: SSLError does not expose alert information
|
||||
elif ("SSLV3_ALERT_BAD_CERTIFICATE" in err.args[1] or
|
||||
- "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1]):
|
||||
+ "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1] or
|
||||
+ "bad record type" in err.args[1]):
|
||||
return self.handle_close()
|
||||
raise
|
||||
except OSError as err:
|
||||
22
python3.spec
22
python3.spec
|
|
@ -14,7 +14,7 @@ URL: https://www.python.org/
|
|||
# WARNING When rebasing to a new Python version,
|
||||
# remember to update the python3-docs package as well
|
||||
Version: %{pybasever}.0
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: Python
|
||||
|
||||
|
||||
|
|
@ -311,6 +311,15 @@ Patch291: 00291-setup-Link-ctypes-against-dl-explicitly.patch
|
|||
# and: https://bugs.python.org/issue34008
|
||||
Patch307: 00307-allow-to-call-Py_Main-after-Py_Initialize.patch
|
||||
|
||||
# 00308 #
|
||||
# TLS 1.3 related fixes from upstream:
|
||||
# https://github.com/python/cpython/pull/8762
|
||||
# https://github.com/python/cpython/pull/8787
|
||||
# And a workaround before openssl is 1.1.1-pre9:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1609291#c12
|
||||
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1609291
|
||||
Patch308: 00308-tls-1.3.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
|
|
@ -633,6 +642,7 @@ rm Lib/ensurepip/_bundled/*.whl
|
|||
%patch274 -p1
|
||||
%patch291 -p1
|
||||
%patch307 -p1
|
||||
%patch308 -p1
|
||||
|
||||
|
||||
# Remove files that should be generated by the build
|
||||
|
|
@ -1009,6 +1019,12 @@ CheckPython() {
|
|||
ConfName=$1
|
||||
ConfDir=$(pwd)/build/$ConfName
|
||||
|
||||
# Fedora sets TLSv1 as explicit minimum version.
|
||||
# Python's test suite assumes that the minimum protocol version is set to
|
||||
# a magic marker. We workaround the test problem by setting:
|
||||
export OPENSSL_CONF=/non-existing-file
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1618753
|
||||
|
||||
echo STARTING: CHECKING OF PYTHON FOR CONFIGURATION: $ConfName
|
||||
|
||||
# Note that we're running the tests using the version of the code in the
|
||||
|
|
@ -1512,6 +1528,10 @@ CheckPython optimized
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Fri Aug 17 2018 Miro Hrončok <mhroncok@redhat.com> - 3.7.0-7
|
||||
- Backport TLS 1.3 related fixes to fix FTBFS
|
||||
Resolves: rhbz#1609291
|
||||
|
||||
* Wed Aug 15 2018 Miro Hrončok <mhroncok@redhat.com> - 3.7.0-6
|
||||
- Use RPM built wheels of pip and setuptools in ensurepip instead of our rewheel patch
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue