--- Modules/_ssl.c.orig 2014-03-09 09:40:26.000000000 +0100 +++ Modules/_ssl.c 2015-09-26 15:53:49.266985391 +0200 @@ -1746,8 +1746,10 @@ context_new(PyTypeObject *type, PyObject PySSL_BEGIN_ALLOW_THREADS if (proto_version == PY_SSL_VERSION_TLS1) ctx = SSL_CTX_new(TLSv1_method()); +#ifndef OPENSSL_NO_SSL3 else if (proto_version == PY_SSL_VERSION_SSL3) ctx = SSL_CTX_new(SSLv3_method()); +#endif #ifndef OPENSSL_NO_SSL2 else if (proto_version == PY_SSL_VERSION_SSL2) ctx = SSL_CTX_new(SSLv2_method()); @@ -2559,6 +2561,9 @@ Returns 1 if the OpenSSL PRNG has been s It is necessary to seed the PRNG with RAND_add() on some platforms before\n\ using the ssl() function."); +/* ### Fix build with LibreSSL (does not have RAND_egd) + ### PR195511, http://bugs.python.org/issue21356 */ +#ifndef OPENSSL_NO_EGD static PyObject * PySSL_RAND_egd(PyObject *self, PyObject *args) { @@ -2586,6 +2591,8 @@ PyDoc_STRVAR(PySSL_RAND_egd_doc, Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\ Returns number of bytes read. Raises SSLError if connection to EGD\n\ fails or if it does not provide enough data to seed PRNG."); +#endif /* OPENSSL_NO_EGD */ +/* ### End PR195511 */ #endif /* HAVE_OPENSSL_RAND */ @@ -2604,8 +2611,13 @@ static PyMethodDef PySSL_methods[] = { PySSL_RAND_bytes_doc}, {"RAND_pseudo_bytes", PySSL_RAND_pseudo_bytes, METH_VARARGS, PySSL_RAND_pseudo_bytes_doc}, +/* ### Fix build with LibreSSL (does not have RAND_egd) + ### PR195511, http://bugs.python.org/issue21356 */ +#ifndef OPENSSL_NO_EGD {"RAND_egd", PySSL_RAND_egd, METH_VARARGS, PySSL_RAND_egd_doc}, +#endif /* OPENSSL_NO_EGD */ +/* ### End PR195511 */ {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS, PySSL_RAND_status_doc}, #endif @@ -2842,8 +2854,10 @@ PyInit__ssl(void) PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", PY_SSL_VERSION_SSL2); #endif +#ifndef OPENSSL_NO_SSL3 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", PY_SSL_VERSION_SSL3); +#endif PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", PY_SSL_VERSION_SSL23); PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", --- Lib/ssl.py.orig 2014-03-09 09:40:13.000000000 +0100 +++ Lib/ssl.py 2015-09-26 15:55:40.209981202 +0200 @@ -78,7 +78,15 @@ try: from _ssl import OP_SINGLE_ECDH_USE except ImportError: pass -from _ssl import RAND_status, RAND_egd, RAND_add, RAND_bytes, RAND_pseudo_bytes +### Fix build with LibreSSL (does not have RAND_egd) +### PR195511, http://bugs.python.org/issue21356 +from _ssl import RAND_status, RAND_add, RAND_bytes, RAND_pseudo_bytes +try: + from _ssl import RAND_egd +except ImportError: + # LibreSSL does not provide RAND_egd + pass +### End PR195511 from _ssl import ( SSL_ERROR_ZERO_RETURN, SSL_ERROR_WANT_READ, @@ -91,14 +99,13 @@ from _ssl import ( SSL_ERROR_INVALID_ERROR_CODE, ) from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN -from _ssl import (PROTOCOL_SSLv3, PROTOCOL_SSLv23, +from _ssl import (PROTOCOL_SSLv23, PROTOCOL_TLSv1) from _ssl import _OPENSSL_API_VERSION _PROTOCOL_NAMES = { PROTOCOL_TLSv1: "TLSv1", PROTOCOL_SSLv23: "SSLv23", - PROTOCOL_SSLv3: "SSLv3", } try: from _ssl import PROTOCOL_SSLv2 @@ -107,6 +114,13 @@ except ImportError: _SSLv2_IF_EXISTS = None else: _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2" +try: + from _ssl import PROTOCOL_SSLv3 + _SSLv3_IF_EXISTS = PROTOCOL_SSLv3 +except ImportError: + _SSLv3_IF_EXISTS = None +else: + _PROTOCOL_NAMES[PROTOCOL_SSLv3] = "SSLv3" from socket import getnameinfo as _getnameinfo from socket import error as socket_error @@ -664,7 +678,7 @@ def PEM_cert_to_DER_cert(pem_cert_string d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] return base64.decodebytes(d.encode('ASCII', 'strict')) -def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None): +def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None): """Retrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it. --- Lib/test/test_ssl.py.orig 2014-03-09 09:40:19.000000000 +0100 +++ Lib/test/test_ssl.py 2015-09-26 15:58:58.264964564 +0200 @@ -21,11 +21,12 @@ import functools ssl = support.import_module("ssl") PROTOCOLS = [ - ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1 ] if hasattr(ssl, 'PROTOCOL_SSLv2'): PROTOCOLS.append(ssl.PROTOCOL_SSLv2) +if hasattr(ssl, 'PROTOCOL_SSLv3'): + PROTOCOLS.append(ssl.PROTOCOL_SSLv3) HOST = support.HOST @@ -96,7 +97,8 @@ class BasicSocketTests(unittest.TestCase def test_constants(self): #ssl.PROTOCOL_SSLv2 ssl.PROTOCOL_SSLv23 - ssl.PROTOCOL_SSLv3 + if hasattr(ssl, 'PROTOCOL_SSLv3'): + ssl.PROTOCOL_SSLv3 ssl.PROTOCOL_TLSv1 ssl.CERT_NONE ssl.CERT_OPTIONAL @@ -130,8 +132,12 @@ class BasicSocketTests(unittest.TestCase self.assertRaises(ValueError, ssl.RAND_bytes, -5) self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5) - self.assertRaises(TypeError, ssl.RAND_egd, 1) - self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1) +### Fix build with LibreSSL (does not have RAND_egd) +### PR195511, http://bugs.python.org/issue21356 + if hasattr(ssl, 'RAND_egd'): + self.assertRaises(TypeError, ssl.RAND_egd, 1) + self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1) +### End PR195511 ssl.RAND_add("this is a random string", 75.0) @unittest.skipUnless(os.name == 'posix', 'requires posix') @@ -512,7 +518,8 @@ class ContextTests(unittest.TestCase): if hasattr(ssl, 'PROTOCOL_SSLv2'): ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3) + if hasattr(ssl, 'PROTOCOL_SSLv3'): + ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3) ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) self.assertRaises(TypeError, ssl.SSLContext) self.assertRaises(ValueError, ssl.SSLContext, -1)