From 6afc2ff1f853da2b195af10118ede45305af0ace Mon Sep 17 00:00:00 2001 From: Robert Kuska Date: Thu, 11 Dec 2014 14:39:08 +0100 Subject: [PATCH] Update tests to reflect latest changes in OpenSSL SSLv23 method --- ...lter-tests-to-reflect-sslv3-disabled.patch | 49 +++++++++++++++++++ python3.spec | 11 ++++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 00199-alter-tests-to-reflect-sslv3-disabled.patch diff --git a/00199-alter-tests-to-reflect-sslv3-disabled.patch b/00199-alter-tests-to-reflect-sslv3-disabled.patch new file mode 100644 index 0000000..f35eff9 --- /dev/null +++ b/00199-alter-tests-to-reflect-sslv3-disabled.patch @@ -0,0 +1,49 @@ +diff -up Python-3.4.2/Lib/test/test_ssl.py.ssl Python-3.4.2/Lib/test/test_ssl.py +--- Python-3.4.2/Lib/test/test_ssl.py.ssl 2014-12-11 12:25:21.886928225 +0100 ++++ Python-3.4.2/Lib/test/test_ssl.py 2014-12-11 12:25:00.284746529 +0100 +@@ -674,10 +674,7 @@ class ContextTests(unittest.TestCase): + @skip_if_broken_ubuntu_ssl + def test_options(self): + ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) +- # OP_ALL | OP_NO_SSLv2 is the default value +- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, +- ctx.options) +- ctx.options |= ssl.OP_NO_SSLv3 ++ # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value + self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, + ctx.options) + if can_clear_options(): +@@ -2149,21 +2146,18 @@ else: + sys.stdout.write( + " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" + % str(x)) +- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True) ++ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True) + +- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL) ++ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL) + +- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED) ++ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED) + +- # Server with specific SSL options +- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, +- server_options=ssl.OP_NO_SSLv3) + # Will choose TLSv1 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, + server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) +@@ -2186,7 +2180,7 @@ else: + try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) + if no_sslv2_implies_sslv3_hello(): + # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs +- try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True, ++ try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False, + client_options=ssl.OP_NO_SSLv2) + + @skip_if_broken_ubuntu_ssl diff --git a/python3.spec b/python3.spec index bfe1482..916bc6c 100644 --- a/python3.spec +++ b/python3.spec @@ -140,7 +140,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python3 Version: %{pybasever}.2 -Release: 1%{?dist} +Release: 2%{?dist} License: Python Group: Development/Languages @@ -699,6 +699,11 @@ Patch196: 00196-test-gdb-match-addr-before-builtin.patch # FIXED UPSTREAM # Patch197: 00197-fix-CVE-2014-4650.patch +# OpenSSL disabled SSLv3 in SSLv23 method +# This patch alters python tests to reflect this change +# Issue: http://bugs.python.org/issue22638 Upstream discussion about SSLv3 in Python +Patch199: 00199-alter-tests-to-reflect-sslv3-disabled.patch + # (New patches go here ^^^) # @@ -978,6 +983,7 @@ done # 00195: upstream as of Python 3.4.2 %patch196 -p1 # 00197: upstream as of Python 3.4.2 +%patch199 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1866,6 +1872,9 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Thu Dec 11 2014 Robert Kuska - 3.4.2-2 +- OpenSSL disabled SSLv3 in SSLv23 method + * Thu Nov 13 2014 Matej Stuchlik - 3.4.2-1 - Update to 3.4.2 - Refreshed patches: 156 (gdb autoload)