Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 276577 Details for
Bug 371065
dev-lang/python:3.1: Add SNI support to ssl module
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
add SNI support dev-lang/python built in ssl module
09_all_support_ssl_sni.patch (text/plain), 9.33 KB, created by
Blu3
on 2011-06-10 20:49:13 UTC
(
hide
)
Description:
add SNI support dev-lang/python built in ssl module
Filename:
MIME Type:
Creator:
Blu3
Created:
2011-06-10 20:49:13 UTC
Size:
9.33 KB
patch
obsolete
>Original patch developed by grooverdan >Reference: http://bugs.python.org/issue5639 >Patch adapted to Python 3.1.3-r1 by david@blue-labs.org > >diff -ruN Python-3.1.3/Doc/library/ssl.rst Python-3.1.3.patched//Doc/library/ssl.rst >--- Python-3.1.3/Doc/library/ssl.rst 2010-10-06 03:55:35.000000000 -0400 >+++ Python-3.1.3.patched//Doc/library/ssl.rst 2011-06-10 16:04:15.241911484 -0400 >@@ -47,7 +47,7 @@ > is a subtype of :exc:`socket.error`, which in turn is a subtype of > :exc:`IOError`. > >-.. function:: wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version={see docs}, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True) >+.. function:: wrap_socket (sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version={see docs}, ca_certs=None, server_hostname=None, do_handshake_on_connect=True, suppress_ragged_eofs=True) > > Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance > of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps >@@ -119,6 +119,10 @@ > In some older versions of OpenSSL (for instance, 0.9.7l on OS X 10.4), an > SSLv2 client could not connect to an SSLv23 server. > >+ The parameter ``server_hostname`` specifies the hostname in the SSL client connection >+ (SSLv3 or TLSv1) allowing the server to run multiple certificates on a single host >+ (Server Name Indication extension defined in RFC 4366). >+ > The parameter ``do_handshake_on_connect`` specifies whether to do the SSL > handshake automatically after doing a :meth:`socket.connect`, or whether the > application program will call it explicitly, by invoking the >@@ -580,3 +584,6 @@ > > `RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile <http://www.ietf.org/rfc/rfc3280>`_ > Housley et. al. >+ >+ `RFC 4366: Transport Layer Security (TLS) Extensions <http://www.ietf.org/rfc/rfc4366>`_ >+ Blake-Wilson et. al. >diff -ruN Python-3.1.3/Lib/ssl.py Python-3.1.3.patched//Lib/ssl.py >--- Python-3.1.3/Lib/ssl.py 2010-09-14 10:47:08.000000000 -0400 >+++ Python-3.1.3.patched//Lib/ssl.py 2011-06-10 16:04:15.241911484 -0400 >@@ -92,6 +92,7 @@ > def __init__(self, sock=None, keyfile=None, certfile=None, > server_side=False, cert_reqs=CERT_NONE, > ssl_version=PROTOCOL_SSLv23, ca_certs=None, >+ server_hostname=None, > do_handshake_on_connect=True, > family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, > suppress_ragged_eofs=True): >@@ -128,7 +129,8 @@ > try: > self._sslobj = _ssl.sslwrap(self, server_side, > keyfile, certfile, >- cert_reqs, ssl_version, ca_certs) >+ cert_reqs, ssl_version, >+ ca_certs, server_hostname) > if do_handshake_on_connect: > timeout = self.gettimeout() > if timeout == 0.0: >@@ -145,6 +147,7 @@ > self.cert_reqs = cert_reqs > self.ssl_version = ssl_version > self.ca_certs = ca_certs >+ self.server_hostname = server_hostname > self.do_handshake_on_connect = do_handshake_on_connect > self.suppress_ragged_eofs = suppress_ragged_eofs > >@@ -332,7 +335,7 @@ > socket.connect(self, addr) > self._sslobj = _ssl.sslwrap(self, False, self.keyfile, self.certfile, > self.cert_reqs, self.ssl_version, >- self.ca_certs) >+ self.ca_certs, self.server_hostname) > try: > if self.do_handshake_on_connect: > self.do_handshake() >@@ -364,12 +367,14 @@ > def wrap_socket(sock, keyfile=None, certfile=None, > server_side=False, cert_reqs=CERT_NONE, > ssl_version=PROTOCOL_SSLv23, ca_certs=None, >+ server_hostname=None, > do_handshake_on_connect=True, > suppress_ragged_eofs=True): > > return SSLSocket(sock=sock, keyfile=keyfile, certfile=certfile, > server_side=server_side, cert_reqs=cert_reqs, > ssl_version=ssl_version, ca_certs=ca_certs, >+ server_hostname=server_hostname, > do_handshake_on_connect=do_handshake_on_connect, > suppress_ragged_eofs=suppress_ragged_eofs) > >diff -ruN Python-3.1.3/Lib/test/test_ssl.py Python-3.1.3.patched//Lib/test/test_ssl.py >--- Python-3.1.3/Lib/test/test_ssl.py 2010-11-26 03:59:40.000000000 -0500 >+++ Python-3.1.3.patched//Lib/test/test_ssl.py 2011-06-10 16:04:15.241911484 -0400 >@@ -644,7 +644,8 @@ > > def server_params_test(certfile, protocol, certreqs, cacertsfile, > client_certfile, client_protocol=None, indata=b"FOO\n", >- chatty=True, connectionchatty=False): >+ chatty=True, connectionchatty=False, >+ server_hostname=None): > """ > Launch a server, connect a client to it and try various reads > and writes. >@@ -667,7 +668,8 @@ > certfile=client_certfile, > ca_certs=cacertsfile, > cert_reqs=certreqs, >- ssl_version=client_protocol) >+ ssl_version=client_protocol, >+ server_hostname=server_hostname) > s.connect((HOST, server.port)) > arg = indata > if connectionchatty: >@@ -741,6 +743,24 @@ > CERTFILE, CERTFILE, ssl.PROTOCOL_TLSv1, > chatty=True, connectionchatty=True) > >+ def testSNI_TLS (self): >+ >+ if support.verbose: >+ sys.stdout.write("\n") >+ serverParamsTest(CERTFILE, ssl.PROTOCOL_TLSv1, ssl.CERT_NONE, >+ CERTFILE, CERTFILE, ssl.PROTOCOL_TLSv1, >+ chatty=True,connectionchatty=True, >+ server_hostname='arbitary.host.name') >+ >+ def testSNI_SSL2 (self): >+ >+ if support.verbose: >+ sys.stdout.write("\n") >+ serverParamsTest(CERTFILE, ssl.PROTOCOL_SSLv2, ssl.CERT_NONE, >+ CERTFILE, CERTFILE, ssl.PROTOCOL_SSLv2, >+ chatty=True,connectionchatty=True, >+ server_hostname='arbitary.host.name') >+ > def test_getpeercert(self): > if support.verbose: > sys.stdout.write("\n") >diff -ruN Python-3.1.3/Modules/_ssl.c Python-3.1.3.patched//Modules/_ssl.c >--- Python-3.1.3/Modules/_ssl.c 2010-10-13 18:20:48.000000000 -0400 >+++ Python-3.1.3.patched//Modules/_ssl.c 2011-06-10 16:04:15.241911484 -0400 >@@ -269,7 +269,7 @@ > enum py_ssl_server_or_client socket_type, > enum py_ssl_cert_requirements certreq, > enum py_ssl_version proto_version, >- char *cacerts_file) >+ char *cacerts_file, char *server_hostname) > { > PySSLObject *self; > char *errstr = NULL; >@@ -374,6 +374,14 @@ > > PySSL_BEGIN_ALLOW_THREADS > self->ssl = SSL_new(self->ctx); /* New ssl struct */ >+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) >+ /* If SNI isn't supported, we just don't call it and fail silently, >+ * as there's not much else we can do. >+ */ >+ if ((socket_type == PY_SSL_CLIENT) && >+ (proto_version != PY_SSL_VERSION_SSL2) && server_hostname) >+ SSL_set_tlsext_host_name(self->ssl, server_hostname); >+#endif > PySSL_END_ALLOW_THREADS > SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */ > #ifdef SSL_MODE_AUTO_RETRY >@@ -415,32 +423,34 @@ > char *key_file = NULL; > char *cert_file = NULL; > char *cacerts_file = NULL; >+ char *server_hostname = NULL; > >- if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap", >+ if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap", > PySocketModule.Sock_Type, > &Sock, > &server_side, > &key_file, &cert_file, > &verification_mode, &protocol, >- &cacerts_file)) >+ &cacerts_file, &server_hostname)) > return NULL; > > /* > fprintf(stderr, > "server_side is %d, keyfile %p, certfile %p, verify_mode %d, " >- "protocol %d, certs %p\n", >+ "protocol %d, certs %p, server_hostname %p\n", > server_side, key_file, cert_file, verification_mode, >- protocol, cacerts_file); >+ protocol, cacerts_file, server_hostname); > */ > > return (PyObject *) newPySSLObject(Sock, key_file, cert_file, > server_side, verification_mode, >- protocol, cacerts_file); >+ protocol, cacerts_file, >+ server_hostname); > } > > PyDoc_STRVAR(ssl_doc, > "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n" >-" cacertsfile]) -> sslobject"); >+" cacertsfile, server_hostname]) -> sslobject"); > > /* SSL object methods */ >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 371065
: 276577