[arch-commits] Commit in python2/trunk (3 files)

Evangelos Foutras foutrelis at archlinux.org
Sun Jul 2 22:41:05 UTC 2017


    Date: Sunday, July 2, 2017 @ 22:41:05
  Author: foutrelis
Revision: 299559

upgpkg: python2 2.7.13-3

Fix support for elliptic curves other than prime256v1.

Added:
  python2/trunk/bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch
  python2/trunk/bpo-30714-alpn-changes-for-openssl-1.1.0f.patch
Modified:
  python2/trunk/PKGBUILD

-------------------------------------------------------+
 PKGBUILD                                              |   14 +++-
 bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch |   28 ++++++++
 bpo-30714-alpn-changes-for-openssl-1.1.0f.patch       |   51 ++++++++++++++++
 3 files changed, 91 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-07-02 20:07:09 UTC (rev 299558)
+++ PKGBUILD	2017-07-02 22:41:05 UTC (rev 299559)
@@ -6,7 +6,7 @@
 
 pkgname=python2
 pkgver=2.7.13
-pkgrel=2
+pkgrel=3
 _pybasever=2.7
 pkgdesc="A high-level scripting language"
 arch=('i686' 'x86_64')
@@ -20,9 +20,13 @@
             'python2-pip')
 conflicts=('python<3')
 source=("https://www.python.org/ftp/python/${pkgver%rc?}/Python-${pkgver}.tar.xz"{,.asc}
+        bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch
+        bpo-30714-alpn-changes-for-openssl-1.1.0f.patch
         descr_ref.patch)
 sha1sums=('18a8f30a0356c751b8d0ea6f76e764cab13ee046'
           'SKIP'
+          'cb503cdbee806382db1ddad4de5ae1390ff6bb9f'
+          'fb888fc23761976616da0b735c702c23f8707771'
           '8cc6ac63e909063eb16bbdabc0f0eac7d24ff0c1')
 validpgpkeys=('C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF')  # Benjamin Peterson
 
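Review bot: The two new patch files are pinned only by SHA-1 digests in `sha1sums`, and SHA-1 no longer resists deliberate collisions, so these entries protect against accidental corruption rather than substitution. The tarball is additionally covered by the `.asc` signature and `validpgpkeys`, but the local patches have no such second check. Switching the whole array to `sha256sums=(...)` (regenerated with `updpkgsums` or `makepkg -g`) would give every source a stronger digest. The order of the two new digests does match the order of the two new `source` entries.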
@@ -55,9 +59,15 @@
   # Workaround asdl_c.py/makeopcodetargets.py errors after we touched the shebangs
   touch Include/Python-ast.h Python/Python-ast.c Python/opcode_targets.h
 
+  # https://bugs.python.org/issue29697
+  patch -Np1 -i ../bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch
+
+  # https://bugs.python.org/issue30714
+  patch -Np1 -i ../bpo-30714-alpn-changes-for-openssl-1.1.0f.patch
+
   # FS#48761
   # http://bugs.python.org/issue25750
-  patch -p1 -i ../descr_ref.patch
+  patch -Np1 -i ../descr_ref.patch
 }
 
 build() {
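Review bot: The comments above the two new `patch` calls give only the tracker URL, so the PKGBUILD does not say which upstream commit each file backports or when it can be dropped. A line such as `# backport of upstream f1a696efd6ca (bpo-29697); drop once pkgver contains it`, and the same for `0e396a20c313` (bpo-30714), would keep the patches from outliving the release that includes them. The commit hashes are taken from the `From` lines of the added patch files. `prepare()` starts before this hunk, so earlier steps are not visible here.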

Added: bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch
===================================================================
--- bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch	                        (rev 0)
+++ bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch	2017-07-02 22:41:05 UTC (rev 299559)
@@ -0,0 +1,28 @@
+From f1a696efd6ca674579e25de29ec4053ff5a5ade1 Mon Sep 17 00:00:00 2001
+From: Donald Stufft <donald at stufft.io>
+Date: Thu, 2 Mar 2017 12:37:07 -0500
+Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399)
+
+---
+ Modules/_ssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index a92710077cc..4fff16f6f49 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+         options |= SSL_OP_NO_SSLv3;
+     SSL_CTX_set_options(self->ctx, options);
+ 
+-#ifndef OPENSSL_NO_ECDH
++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
+     /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+        prime256v1 by default.  This is Apache mod_ssl's initialization
+        policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
+      */
+-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
++#if defined(SSL_CTX_set_ecdh_auto)
+     SSL_CTX_set_ecdh_auto(self->ctx, 1);
+ #else
+     {
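Review bot: Nothing in this backport tests the behaviour it fixes. With the outer guard now `#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)`, a build against OpenSSL 1.1 compiles neither the `SSL_CTX_set_ecdh_auto` call nor the prime256v1 fallback, so curve selection rests entirely on the library default. A regression test in `Lib/test/test_ssl.py` that completes an ECDHE handshake with the server context limited to a curve other than prime256v1 would catch a reintroduced pin. The in-code comment could also say this directly, e.g. `OpenSSL 1.1 enables this by default, so the whole block is compiled out there.` `context_new` and the `#else` fallback continue past the end of the hunk, so the matching `#endif` lines are not visible here.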

Added: bpo-30714-alpn-changes-for-openssl-1.1.0f.patch
===================================================================
--- bpo-30714-alpn-changes-for-openssl-1.1.0f.patch	                        (rev 0)
+++ bpo-30714-alpn-changes-for-openssl-1.1.0f.patch	2017-07-02 22:41:05 UTC (rev 299559)
@@ -0,0 +1,51 @@
+From 0e396a20c3137244b1774bd14a0cb03921ff326d Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian at python.org>
+Date: Tue, 20 Jun 2017 18:28:38 +0200
+Subject: [PATCH] bpo-30714: ALPN changes for OpenSSL 1.1.0f
+
+OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
+could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
+The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
+callback can pretend to not been set.
+
+See https://github.com/openssl/openssl/pull/3158 for more details
+
+Signed-off-by: Christian Heimes <christian at python.org>
+---
+ Doc/library/ssl.rst  | 5 +++--
+ Lib/test/test_ssl.py | 5 +++--
+ Misc/NEWS            | 3 +++
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
+index 729a239a1ba..b51b9c6e396 100644
+--- a/Doc/library/ssl.rst
++++ b/Doc/library/ssl.rst
+@@ -1447,8 +1447,9 @@ to speed up repeated connections from the same clients.
+    This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is
+    False.
+ 
+-   OpenSSL 1.1.0+ will abort the handshake and raise :exc:`SSLError` when
+-   both sides support ALPN but cannot agree on a protocol.
++   OpenSSL 1.1.0 to 1.1.0e will abort the handshake and raise :exc:`SSLError`
++   when both sides support ALPN but cannot agree on a protocol. 1.1.0f+
++   behaves like 1.0.2.
+ 
+    .. versionadded:: 3.5
+ 
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index fdaf1c52046..3215031206c 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -3267,8 +3267,9 @@ def test_alpn_protocols(self):
+                 except ssl.SSLError as e:
+                     stats = e
+ 
+-                if expected is None and IS_OPENSSL_1_1:
+-                    # OpenSSL 1.1.0 raises handshake error
++                if (expected is None and IS_OPENSSL_1_1
++                        and ssl.OPENSSL_VERSION_INFO < (1, 1, 0, 6)):
++                    # OpenSSL 1.1.0 to 1.1.0e raises handshake error
+                     self.assertIsInstance(stats, ssl.SSLError)
+                 else:
+                     msg = "failed trying %s (s) and %s (c).\n" \
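Review bot: The context in the `Doc/library/ssl.rst` hunk contains `.. versionadded:: 3.5`, which suggests this patch was cut from a Python 3 branch rather than from 2.7. Applying it to the 2.7.13 tree therefore probably depends on `patch` offsets or fuzz instead of an exact context match. Regenerating it against the 2.7.13 sources (or taking the 2.7 backport, if one exists) would let it apply cleanly and keep a silent mis-application out of the build. The header's diffstat also still lists `Misc/NEWS` and "3 files changed" while only two file sections follow, so the header could be trimmed to match. No runtime code is touched here, only the documentation and the expectation in `test_alpn_protocols`, which extends beyond the hunk.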


