FWIW, the dnf upgrade appears to be trivial (I did not rebase python3 3.7.0 
patches, but it probably won’t change much):

http://git.openembedded.org/openembedded-core-contrib/commit/?h=timo/python37&id=94d4bba43097ec22f120f4327e5d13a52c1724fd

NOTE: I used a hammer and overwrote Alex Kanavin’s patches, when really they 
just need to be refreshed. Not right, but I am being lazy. The above built on 
top of master on qemux86 without issue.

IMPORTANT:
Please realize that this will have to wait for the Yocto Project 2.7 release 
cycle (beginning at the end of October), since this update to Python 3.7 is a 
_MAJOR_ change. I would expect significant breakage, if only in meta-python and 
friends...

Time permitting, I’ll rebase the Python 3.7 patches and build-n-test this.

> On Sep 25, 2018, at 7:55 AM, Alejandro Hernandez 
> <[email protected]> wrote:
> 
> Hello Jens,
> 
> 
> It literally seems that you didn't even read the email, I am not asking 
> whether or not it builds correctly for you, it clearly says that the fact 
> that something builds correctly, doesn't necessarily mean it runs properly, 
> and it also says thanks because it contains some of the manifest changes, so 
> I know for a fact that you ran the create_manifest task, but as it is very 
> clearly explained, if you run it with a full python3-native build you get a 
> different result, please fix that before sending another version of this 
> patch.
> 
> 
> Alejandro
> 
> 
> On 9/24/2018 1:13 PM, Jens Rehsack wrote:
>> Hi Alejandro,
>> 
>> on my system it builds without any problem. And I run the create_manifest 
>> task.
>> 
>> Cheers,
>> Jens
>> On Wed, Sep 19, 2018 at 21:19, Alejandro Hernandez
>> <[email protected]> wrote:
>>> Hello Jens,
>>> 
>>> I appreciate the effort of submitting a v4, this version has (mostly
>>> all) the required manifest changes, and at the same time it proves the
>>> point I've been trying to make since the beginning:
>>> 
>>> Again, the native build isn't complete and shows:
>>> 
>>> Python build finished successfully!
>>> The necessary bits to build these optional modules were not found:
>>> _uuid
>>> 
>>> 
>>> Which causes _uuid.*.so to be on the python3-misc package because it
>>> wasn't on the native build and it couldn't be found when creating the
>>> manifest (there is simply no reference to it on the manifest, so
>>> python3-misc gets it):
>>> 
>>> * python3-misc (dir)
>>>          * usr (dir)
>>>              * lib (dir)
>>>                  * python3.7 (dir)
>>>                      * lib-dynload(dir)
>>>                          * _uuid.cpython-37m-i386-linux-gnu.so
>>> 
>>> 
>>> This will eventually cause a runtime error if a user tries to install
>>> python3-netclient, which is exactly the reason why the create_manifest
>>> task exists:
>>> 
>>> Traceback (most recent call last):
>>>    File "<stdin>", line 1, in <module>
>>> ModuleNotFoundError: No module named '_uuid'
>>> 
>>> 
>>> This can easily be prevented, as the note on the recipe says, we need to
>>> ensure we have a complete python3-native build to create the manifest on
>>> every new release. If you fix the native build with the instructions I
>>> gave you and re-run the create_manifest task you will realize that the
>>> python3-netclient package should be the one to get the _uuid.*.so
>>> library, since it depends on it to work properly.
>>> 
>>> +++ b/meta/recipes-devtools/python/python3/python3-manifest.json
>>> @@ -743,6 +743,7 @@
>>>               "${libdir}/python${PYTHON_MAJMIN}/hmac.py",
>>>               "${libdir}/python${PYTHON_MAJMIN}/http",
>>>               "${libdir}/python${PYTHON_MAJMIN}/http/__pycache__",
>>> + "${libdir}/python${PYTHON_MAJMIN}/lib-dynload/_uuid.*.so",
>>> 
>>> 
>>> And that is the reason why this upgrade still needs a one line patch to
>>> setup.py to build _uuid on python3-native, I cannot make it any
>>> clearer.
>>> 
>>> Please fix the native build before submitting a new version of this patch.
>>> 
>>> 
>>> Alejandro
>>> 
>>> 
>>> On 9/19/2018 2:24 AM, Jens Rehsack wrote:
>>>> Update python3 to recent 3.7.0 release.
>>>> 
>>>> Details about new features and bug-fixes can be taken from
>>>> * https://docs.python.org/3/whatsnew/3.7.html
>>>> * https://docs.python.org/3/whatsnew/3.6.html
>>>> 
>>>> Remove patches when they were fixed upstream and rebase the
>>>> remaining ones. If necessary, the patches are adapted to
>>>> keep the idea when upstream code was changed. Also remove
>>>> backports from 3.6 and 3.7 into 3.5.6 codebase for TLS
>>>> and multiprocessing.
>>>> 
>>>> Open TODO: track patches in a -STABLE rebased git branch for
>>>> easier rebasing or upstream submitting.
>>>> 
>>>> Enhancement requests for Yocto project
>>>> * https://bugzilla.yoctoproject.org/show_bug.cgi?id=12375
>>>> * https://bugzilla.yoctoproject.org/show_bug.cgi?id=12901
>>>> are solved by this.
>>>> 
>>>> Signed-off-by: Jens Rehsack <[email protected]>
>>>> ---
>>>>   meta/classes/python3-dir.bbclass              |   6 +-
>>>>   .../python/python3-native_3.5.6.bb            | 100 ------
>>>>   .../python/python3-native_3.7.0.bb            |  73 ++++
>>>>   meta/recipes-devtools/python/python3.inc      |  65 +++-
>>>>   ...hell-version-of-python-config-that-w.patch |  21 +-
>>>>   ..._sysconfigdata.py-to-initialize-dist.patch |  66 ----
>>>>   ...ontext-has-improved-default-settings.patch | 272 ---------------
>>>>   ...d-target-to-split-profile-generation.patch |  40 ---
>>>>   ...S-1.3-cipher-suites-and-OP_NO_TLSv1_.patch | 227 ------------
>>>>   ...for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch | 173 ---------
>>>>   ....3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch | 110 ------
>>>>   ...ALPN-changes-for-OpenSSL-1.1.0f-2305.patch |  68 ----
>>>>   .../python3/03-fix-tkinter-detection.patch    |  12 +-
>>>>   .../python3/030-fixup-include-dirs.patch      |   9 -
>>>>   .../080-distutils-dont_adjust_files.patch     |   4 +-
>>>>   .../python/python3/150-fix-setupterm.patch    |  17 -
>>>>   ...GS-for-extensions-when-cross-compili.patch |  53 ++-
>>>>   .../python3/avoid-ncursesw-include-path.patch |  18 +-
>>>>   .../python3/avoid_warning_about_tkinter.patch |  18 +-
>>>>   .../python3/configure.ac-fix-LIBPL.patch      |  21 +-
>>>>   .../python/python3/float-endian.patch         |   9 +-
>>>>   ...ssing-libraries-to-Extension-for-mul.patch |  26 +-
>>>>   .../python/python3/python-3.3-multilib.patch  | 241 +++++++------
>>>>   .../python/python3/python3-manifest.json      |  35 +-
>>>>   ...CROSSPYTHONPATH-for-PYTHON_FOR_BUILD.patch |  17 +-
>>>>   .../python/python3/regen-all.patch            |  25 --
>>>>   .../python/python3/signal.patch               |  56 ---
>>>>   ...port_SOURCE_DATE_EPOCH_in_py_compile.patch |  36 +-
>>>>   .../python3/sysroot-include-headers.patch     |  23 +-
>>>>   .../python3/uuid_when_cross_compiling.patch   |  24 ++
>>>>   meta/recipes-devtools/python/python3_3.5.6.bb | 328 ------------------
>>>>   meta/recipes-devtools/python/python3_3.7.0.bb | 299 ++++++++++++++++
>>>>   32 files changed, 722 insertions(+), 1770 deletions(-)
>>>>   delete mode 100644 meta/recipes-devtools/python/python3-native_3.5.6.bb
>>>>   create mode 100644 meta/recipes-devtools/python/python3-native_3.7.0.bb
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch
>>>>   delete mode 100644 
>>>> meta/recipes-devtools/python/python3/150-fix-setupterm.patch
>>>>   delete mode 100644 meta/recipes-devtools/python/python3/regen-all.patch
>>>>   delete mode 100644 meta/recipes-devtools/python/python3/signal.patch
>>>>   create mode 100644 
>>>> meta/recipes-devtools/python/python3/uuid_when_cross_compiling.patch
>>>>   delete mode 100644 meta/recipes-devtools/python/python3_3.5.6.bb
>>>>   create mode 100644 meta/recipes-devtools/python/python3_3.7.0.bb
>>>> 
>>>> diff --git a/meta/classes/python3-dir.bbclass 
>>>> b/meta/classes/python3-dir.bbclass
>>>> index 06bb046d9c..ad7ea8dd9a 100644
>>>> --- a/meta/classes/python3-dir.bbclass
>>>> +++ b/meta/classes/python3-dir.bbclass
>>>> @@ -1,4 +1,8 @@
>>>> -PYTHON_BASEVERSION = "3.5"
>>>> +PYTHON_BASEVERSION = "3.7"
>>>> +# [d][m][u]
>>>> +# d: py_debug
>>>> +# m: my_malloc
>>>> +# u: wide-char unicode
>>>>   PYTHON_ABI = "m"
>>>>   PYTHON_DIR = "python${PYTHON_BASEVERSION}"
>>>>   PYTHON_PN = "python3"
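Review bot: PYTHON_BASEVERSION = "3.7" here now duplicates PYTHON_MAJMIN = "3.7" in python3.inc, which inherits python3-dir in this same patch, so the next version bump has to touch two places that must agree; define one in terms of the other. In the new comment legend, "m: my_malloc" should read pymalloc, matching the --with-pymalloc option kept in EXTRA_OECONF.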
>>>> diff --git a/meta/recipes-devtools/python/python3-native_3.5.6.bb 
>>>> b/meta/recipes-devtools/python/python3-native_3.5.6.bb
>>>> deleted file mode 100644
>>>> index d5953cf4bb..0000000000
>>>> --- a/meta/recipes-devtools/python/python3-native_3.5.6.bb
>>>> +++ /dev/null
>>>> @@ -1,100 +0,0 @@
>>>> -require recipes-devtools/python/python3.inc
>>>> -
>>>> -DISTRO_SRC_URI ?= "file://sitecustomize.py"
>>>> -DISTRO_SRC_URI_linuxstdbase = ""
>>>> -SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>>>> -file://12-distutils-prefix-is-inside-staging-area.patch \
>>>> -file://python-config.patch \
>>>> -file://030-fixup-include-dirs.patch \
>>>> -file://070-dont-clean-ipkg-install.patch \
>>>> -file://080-distutils-dont_adjust_files.patch \
>>>> -file://130-readline-setup.patch \
>>>> -file://150-fix-setupterm.patch \
>>>> -file://python-3.3-multilib.patch \
>>>> -file://03-fix-tkinter-detection.patch \
>>>> -file://avoid_warning_about_tkinter.patch \
>>>> -file://0001-h2py-Fix-issue-13032-where-it-fails-with-UnicodeDeco.patch \
>>>> -file://sysroot-include-headers.patch \
>>>> -file://unixccompiler.patch \
>>>> -${DISTRO_SRC_URI} \
>>>> -file://sysconfig.py-add-_PYTHON_PROJECT_SRC.patch \
>>>> -file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
>>>> -file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \
>>>> -file://support_SOURCE_DATE_EPOCH_in_py_compile.patch \
>>>> -file://regen-all.patch \
>>>> -file://0001-Issue-28043-SSLContext-has-improved-default-settings.patch \
>>>> -file://0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch \
>>>> -file://0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch \
>>>> -file://0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch \
>>>> -file://0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch \
>>>> -"
>>>> -
>>>> -EXTRANATIVEPATH += "bzip2-native"
>>>> -DEPENDS = "openssl-native bzip2-replacement-native zlib-native 
>>>> readline-native sqlite3-native gdbm-native"
>>>> -
>>>> -inherit native
>>>> -
>>>> -EXTRA_OECONF_append = " --bindir=${bindir}/${PN} --without-ensurepip"
>>>> -
>>>> -EXTRA_OEMAKE = '\
>>>> -  LIBC="" \
>>>> -  STAGING_LIBDIR=${STAGING_LIBDIR_NATIVE} \
>>>> -  STAGING_INCDIR=${STAGING_INCDIR_NATIVE} \
>>>> -  LIB=${baselib} \
>>>> -  ARCH=${TARGET_ARCH} \
>>>> -'
>>>> -
>>>> -do_configure_append() {
>>>> -     autoreconf --verbose --install --force --exclude=autopoint 
>>>> ../Python-${PV}/Modules/_ctypes/libffi
>>>> -     sed -i -e 's,#define HAVE_GETRANDOM 1,/\* #undef HAVE_GETRANDOM 
>>>> \*/,' ${B}/pyconfig.h
>>>> -}
>>>> -
>>>> -# Regenerate all of the generated files
>>>> -# This ensures that pgen and friends get created during the compile phase
>>>> -#
>>>> -do_compile_prepend() {
>>>> -    # Assuming https://bugs.python.org/issue33080 has been addressed in 
>>>> Makefile.
>>>> -    oe_runmake regen-all
>>>> -}
>>>> -
>>>> -do_install() {
>>>> -     install -d ${D}${libdir}/pkgconfig
>>>> -     oe_runmake 'DESTDIR=${D}' install
>>>> -     if [ -e ${WORKDIR}/sitecustomize.py ]; then
>>>> -             install -m 0644 ${WORKDIR}/sitecustomize.py 
>>>> ${D}/${libdir}/python${PYTHON_MAJMIN}
>>>> -     fi
>>>> -     install -d ${D}${bindir}/${PN}
>>>> -     install -m 0755 Parser/pgen ${D}${bindir}/${PN}
>>>> -
>>>> -     # Make sure we use /usr/bin/env python
>>>> -     for PYTHSCRIPT in `grep -rIl ${bindir}/${PN}/python 
>>>> ${D}${bindir}/${PN}`; do
>>>> -             sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
>>>> -     done
>>>> -
>>>> -        # Add a symlink to the native Python so that scripts can just 
>>>> invoke
>>>> -        # "nativepython" and get the right one without needing absolute 
>>>> paths
>>>> -        # (these often end up too long for the #! parser in the kernel as 
>>>> the
>>>> -        # buffer is 128 bytes long).
>>>> -        ln -s python3-native/python3 ${D}${bindir}/nativepython3
>>>> -}
>>>> -
>>>> -python(){
>>>> -
>>>> -    # Read JSON manifest
>>>> -    import json
>>>> -    pythondir = d.getVar('THISDIR',True)
>>>> -    with open(pythondir+'/python3/python3-manifest.json') as 
>>>> manifest_file:
>>>> -        python_manifest=json.load(manifest_file)
>>>> -
>>>> -    rprovides = d.getVar('RPROVIDES').split()
>>>> -
>>>> -    # Hardcoded since it cant be python3-native-foo, should be 
>>>> python3-foo-native
>>>> -    pn = 'python3'
>>>> -
>>>> -    for key in python_manifest:
>>>> -        pypackage = pn + '-' + key + '-native'
>>>> -        if pypackage not in rprovides:
>>>> -              rprovides.append(pypackage)
>>>> -
>>>> -    d.setVar('RPROVIDES', ' '.join(rprovides))
>>>> -}
>>>> diff --git a/meta/recipes-devtools/python/python3-native_3.7.0.bb 
>>>> b/meta/recipes-devtools/python/python3-native_3.7.0.bb
>>>> new file mode 100644
>>>> index 0000000000..3ef9f0a5e3
>>>> --- /dev/null
>>>> +++ b/meta/recipes-devtools/python/python3-native_3.7.0.bb
>>>> @@ -0,0 +1,73 @@
>>>> +require recipes-devtools/python/python3.inc
>>>> +
>>>> +SRC_URI += "\
>>>> +    file://12-distutils-prefix-is-inside-staging-area.patch \
>>>> +    
>>>> file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \
>>>> +"
>>>> +
>>>> +EXTRANATIVEPATH += "bzip2-native"
>>>> +DEPENDS = "openssl-native libffi-native bzip2-replacement-native 
>>>> zlib-native \
>>>> +           util-linux-native readline-native sqlite3-native gdbm-native \
>>>> +"
>>>> +
>>>> +inherit native
>>>> +
>>>> +EXTRA_OECONF_append = " --bindir=${bindir}/${PN} --without-ensurepip"
>>>> +
>>>> +EXTRA_OEMAKE = '\
>>>> +  LIBC="" \
>>>> +  STAGING_LIBDIR=${STAGING_LIBDIR_NATIVE} \
>>>> +  STAGING_INCDIR=${STAGING_INCDIR_NATIVE} \
>>>> +  LIB=${baselib} \
>>>> +  ARCH=${TARGET_ARCH} \
>>>> +'
>>>> +
>>>> +# Regenerate all of the generated files
>>>> +# This ensures that pgen and friends get created during the compile phase
>>>> +#
>>>> +do_compile_prepend() {
>>>> +    # Assuming https://bugs.python.org/issue33080 has been addressed in 
>>>> Makefile.
>>>> +    oe_runmake regen-all
>>>> +}
>>>> +
>>>> +do_install() {
>>>> +     install -d ${D}${libdir}/pkgconfig
>>>> +     oe_runmake 'DESTDIR=${D}' install
>>>> +     if [ -e ${WORKDIR}/sitecustomize.py ]; then
>>>> +             install -m 0644 ${WORKDIR}/sitecustomize.py 
>>>> ${D}/${libdir}/python${PYTHON_MAJMIN}
>>>> +     fi
>>>> +     install -d ${D}${bindir}/${PN}
>>>> +     install -m 0755 Parser/pgen ${D}${bindir}/${PN}
>>>> +
>>>> +     # Make sure we use /usr/bin/env python
>>>> +     for PYTHSCRIPT in `grep -rIl ${bindir}/${PN}/python 
>>>> ${D}${bindir}/${PN}`; do
>>>> +             sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
>>>> +     done
>>>> +
>>>> +        # Add a symlink to the native Python so that scripts can just 
>>>> invoke
>>>> +        # "nativepython" and get the right one without needing absolute 
>>>> paths
>>>> +        # (these often end up too long for the #! parser in the kernel as 
>>>> the
>>>> +        # buffer is 128 bytes long).
>>>> +        ln -s python3-native/python3 ${D}${bindir}/nativepython3
>>>> +}
>>>> +
>>>> +python(){
>>>> +
>>>> +    # Read JSON manifest
>>>> +    import json
>>>> +    pythondir = d.getVar('THISDIR',True)
>>>> +    with open(pythondir+'/python3/python3-manifest.json') as 
>>>> manifest_file:
>>>> +        python_manifest=json.load(manifest_file)
>>>> +
>>>> +    rprovides = d.getVar('RPROVIDES').split()
>>>> +
>>>> +    # Hardcoded since it cant be python3-native-foo, should be 
>>>> python3-foo-native
>>>> +    pn = 'python3'
>>>> +
>>>> +    for key in python_manifest:
>>>> +        pypackage = pn + '-' + key + '-native'
>>>> +        if pypackage not in rprovides:
>>>> +              rprovides.append(pypackage)
>>>> +
>>>> +    d.setVar('RPROVIDES', ' '.join(rprovides))
>>>> +}
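Review bot: The do_configure_append from python3-native_3.5.6.bb is not carried over into this recipe, so the sed that replaced "#define HAVE_GETRANDOM 1" with an #undef in ${B}/pyconfig.h is silently gone, and the commit message does not say why the native interpreter no longer needs it. Either keep the workaround or state in the commit message what makes it unnecessary. The same applies to the dropped libffi autoreconf, which the new libffi-native entry in DEPENDS presumably replaces. Also note that util-linux-native is added to DEPENDS, yet the review in this thread reports the native build still listing _uuid under "The necessary bits to build these optional modules were not found", so the dependency alone does not appear to be enough.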
>>>> diff --git a/meta/recipes-devtools/python/python3.inc 
>>>> b/meta/recipes-devtools/python/python3.inc
>>>> index f565b3f171..b0fc0144a4 100644
>>>> --- a/meta/recipes-devtools/python/python3.inc
>>>> +++ b/meta/recipes-devtools/python/python3.inc
>>>> @@ -3,41 +3,74 @@ HOMEPAGE = "http://www.python.org";
>>>>   LICENSE = "PSFv2"
>>>>   SECTION = "devel/python"
>>>> 
>>>> -# TODO Remove this when we upgrade
>>>> -INC_PR = "r1"
>>>> -PR = "${INC_PR}.0"
>>>> +PYTHON_MAJMIN = "3.7"
>>>> +DISTRO_SRC_URI ?= "file://sitecustomize.py"
>>>> +DISTRO_SRC_URI_linuxstdbase = ""
>>>> +SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>>>> +    file://python-config.patch \
>>>> +    file://python-3.3-multilib.patch \
>>>> +    file://03-fix-tkinter-detection.patch \
>>>> +    file://avoid_warning_about_tkinter.patch \
>>>> +    file://unixccompiler.patch \
>>>> +    file://sysroot-include-headers.patch \
>>>> +    file://sysconfig.py-add-_PYTHON_PROJECT_SRC.patch \
>>>> +    file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
>>>> +    file://030-fixup-include-dirs.patch \
>>>> +    file://070-dont-clean-ipkg-install.patch \
>>>> +    file://080-distutils-dont_adjust_files.patch \
>>>> +    file://130-readline-setup.patch \
>>>> +    
>>>> file://0001-h2py-Fix-issue-13032-where-it-fails-with-UnicodeDeco.patch \
>>>> +    ${DISTRO_SRC_URI} \
>>>> +    file://support_SOURCE_DATE_EPOCH_in_py_compile.patch \
>>>> +    file://Use-correct-CFLAGS-for-extensions-when-cross-compili.patch \
>>>> +"
>>>> 
>>>> -LIC_FILES_CHKSUM = "file://LICENSE;md5=b6ec515b22618f55fa07276b897bacea"
>>>> +SRC_URI[md5sum] = "eb8c2a6b1447d50813c02714af4681f3"
>>>> +SRC_URI[sha256sum] = 
>>>> "0382996d1ee6aafe59763426cf0139ffebe36984474d0ec4126dd1c40a8b3549"
>>>> 
>>>> -# TODO consolidate patch set
>>>> -SRC_URI[md5sum] = "f5a99f765e765336a3ebbb2a24ca2be3"
>>>> -SRC_URI[sha256sum] = 
>>>> "f55cde04f521f273c7cba08912921cc5642cfc15ca7b22d5829f0aff4371155f"
>>>> +LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
>>>> 
>>>>   # exclude pre-releases for both python 2.x and 3.x
>>>>   UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
>>>> 
>>>> -CVE_PRODUCT = "python"
>>>> -
>>>> -PYTHON_MAJMIN = "3.5"
>>>> -PYTHON_BINABI = "${PYTHON_MAJMIN}m"
>>>> -
>>>>   S = "${WORKDIR}/Python-${PV}"
>>>> 
>>>> -inherit autotools bluetooth pkgconfig
>>>> +CVE_PRODUCT = "python"
>>>> +
>>>> +inherit autotools bluetooth pkgconfig python3-dir
>>>> 
>>>>   EXTRA_OECONF = "\
>>>> -  --with-threads \
>>>>     --with-pymalloc \
>>>>     --without-cxx-main \
>>>> -  --with-signal-module \
>>>>     --enable-shared \
>>>>     --enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 
>>>> 'no', d)} \
>>>>   "
>>>> 
>>>>   PACKAGECONFIG[bluetooth] = ",ac_cv_header_bluetooth_bluetooth_h=no 
>>>> ac_cv_header_bluetooth_h=no,${BLUEZ}"
>>>> 
>>>> +do_configure_prepend() {
>>>> +     libdirleaf="$(echo ${libdir} | sed -e 's:${prefix}/::')"
>>>> +     sed -i -e "s:SEDMELIBLEAF:${libdirleaf}:g" \
>>>> +             ${S}/configure.ac
>>>> +}
>>>> +
>>>> +do_install_prepend() {
>>>> +     MAKESETTINGS="$(egrep '^(ABIFLAGS|MULTIARCH)=' ${B}/Makefile | sed 
>>>> -E -e 's/[[:space:]]//g' -e 's/=/="/' -e 's/$/"/')"
>>>> +     eval ${MAKESETTINGS}
>>>> +     if test "${ABIFLAGS}" != "${PYTHON_ABI}"; then
>>>> +         die "do_install: configure determined ABIFLAGS '${ABIFLAGS}' != 
>>>> '${PYTHON_ABI}' from python3-dir.bbclass"
>>>> +     fi
>>>> +     if test "x${BUILD_OS}" = "x${TARGET_OS}"; then
>>>> +             # no cross-compile at all
>>>> +             
>>>> _PYTHON_SYSCONFIGDATA_NAME=${PYTHON_ABI}_${TARGET_OS}_${MULTIARCH}
>>>> +     else
>>>> +             # at the very moment, it's the only available target
>>>> +             _PYTHON_SYSCONFIGDATA_NAME=${PYTHON_ABI}_linux_${MULTIARCH}
>>>> +     fi
>>>> +}
>>>> +
>>>>   do_install_append () {
>>>>       sed -i -e 's:${HOSTTOOLS_DIR}/install:install:g' \
>>>>               -e 's:${HOSTTOOLS_DIR}/mkdir:mkdir:g' \
>>>> -             ${D}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata.py
>>>> +             
>>>> ${D}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata_${_PYTHON_SYSCONFIGDATA_NAME}.py
>>>>   }
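Review bot: In do_install_prepend the test "x${BUILD_OS}" = "x${TARGET_OS}" is used to decide that there is "no cross-compile at all", but equal OS strings do not rule out a different target architecture, and the else branch hardcodes linux into the name. do_install_append then runs sed on _sysconfigdata_${_PYTHON_SYSCONFIGDATA_NAME}.py, so a wrong guess points the HOSTTOOLS_DIR cleanup at a file that does not exist. Matching _sysconfigdata_*.py under ${D}/${libdir}/python${PYTHON_MAJMIN} would avoid reconstructing the name. Separately, eval ${MAKESETTINGS} executes text grepped out of the generated Makefile, unquoted; reading ABIFLAGS and MULTIARCH with one sed call each would remove the eval.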
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
>>>> index 8ea3f03fe0..aac34533ef 100644
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
>>>> +++ 
>>>> b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
>>>> @@ -14,25 +14,22 @@ Signed-off-by: Alexander Kanavin 
>>>> <[email protected]>
>>>>    1 file changed, 3 insertions(+), 6 deletions(-)
>>>> 
>>>>   diff --git a/Makefile.pre.in b/Makefile.pre.in
>>>> -index 236f005..5c4337f 100644
>>>> +index 31b4bcabb3..7da6d6941e 100644
>>>>   --- a/Makefile.pre.in
>>>>   +++ b/Makefile.pre.in
>>>> -@@ -1348,12 +1348,9 @@ python-config: $(srcdir)/Misc/python-config.in 
>>>> Misc/python-config.sh
>>>> +@@ -1415,12 +1415,9 @@ python-config: $(srcdir)/Misc/python-config.in 
>>>> Misc/python-config.sh
>>>>       sed -e "s,@EXENAME@,$(BINDIR)/python$(LDVERSION)$(EXE)," < 
>>>> $(srcdir)/Misc/python-config.in >python-config.py
>>>> -     # Replace makefile compat. variable references with shell script 
>>>> compat. ones; $(VAR) -> ${VAR}
>>>> +     @ # Replace makefile compat. variable references with shell script 
>>>> compat. ones; $(VAR) -> ${VAR}
>>>>       LC_ALL=C sed -e 's,\$$(\([A-Za-z0-9_]*\)),\$$\{\1\},g' < 
>>>> Misc/python-config.sh >python-config
>>>> --    # On Darwin, always use the python version of the script, the shell
>>>> --    # version doesn't use the compiler customizations that are provided
>>>> --    # in python (_osx_support.py).
>>>> --    if test `uname -s` = Darwin; then \
>>>> +-    @ # On Darwin, always use the python version of the script, the shell
>>>> +-    @ # version doesn't use the compiler customizations that are provided
>>>> +-    @ # in python (_osx_support.py).
>>>> +-    @if test `uname -s` = Darwin; then \
>>>>   -           cp python-config.py python-config; \
>>>>   -   fi
>>>> -+    # In OpenEmbedded, always use the python version of the script, the 
>>>> shell
>>>> -+    # version is broken in multiple ways, and doesn't return correct 
>>>> directories
>>>> ++    @ # In OpenEmbedded, always use the python version of the script, 
>>>> the shell
>>>> ++    @ # version is broken in multiple ways, and doesn't return correct 
>>>> directories
>>>>   +   cp python-config.py python-config
>>>> 
>>>> 
>>>>    # Install the include files
>>>> ---
>>>> -2.11.0
>>>> -
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch
>>>> deleted file mode 100644
>>>> index d1c92e9eed..0000000000
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch
>>>> +++ /dev/null
>>>> @@ -1,66 +0,0 @@
>>>> -From bcddbf40c7f1b80336268cdddacc17369fb0ccea Mon Sep 17 00:00:00 2001
>>>> -From: Libin Dang <[email protected]>
>>>> -Date: Tue, 11 Apr 2017 14:12:15 +0800
>>>> -Subject: [PATCH] Issue #21272: Use _sysconfigdata.py to initialize
>>>> - distutils.sysconfig
>>>> -
>>>> -Backport upstream commit
>>>> -https://github.com/python/cpython/commit/409482251b06fe75c4ee56e85ffbb4b23d934159
>>>> -
>>>> -Upstream-Status: Backport
>>>> -
>>>> -Signed-off-by: Li Zhou <[email protected]>
>>>> ----
>>>> - Lib/distutils/sysconfig.py | 35 ++++-------------------------------
>>>> - 1 file changed, 4 insertions(+), 31 deletions(-)
>>>> -
>>>> -diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py
>>>> -index 6d5cfd0..9925d24 100644
>>>> ---- a/Lib/distutils/sysconfig.py
>>>> -+++ b/Lib/distutils/sysconfig.py
>>>> -@@ -424,38 +424,11 @@ _config_vars = None
>>>> -
>>>> - def _init_posix():
>>>> -     """Initialize the module as appropriate for POSIX systems."""
>>>> --    g = {}
>>>> --    # load the installed Makefile:
>>>> --    try:
>>>> --        filename = get_makefile_filename()
>>>> --        parse_makefile(filename, g)
>>>> --    except OSError as msg:
>>>> --        my_msg = "invalid Python installation: unable to open %s" % 
>>>> filename
>>>> --        if hasattr(msg, "strerror"):
>>>> --            my_msg = my_msg + " (%s)" % msg.strerror
>>>> --
>>>> --        raise DistutilsPlatformError(my_msg)
>>>> --
>>>> --    # load the installed pyconfig.h:
>>>> --    try:
>>>> --        filename = get_config_h_filename()
>>>> --        with open(filename) as file:
>>>> --            parse_config_h(file, g)
>>>> --    except OSError as msg:
>>>> --        my_msg = "invalid Python installation: unable to open %s" % 
>>>> filename
>>>> --        if hasattr(msg, "strerror"):
>>>> --            my_msg = my_msg + " (%s)" % msg.strerror
>>>> --
>>>> --        raise DistutilsPlatformError(my_msg)
>>>> --
>>>> --    # On AIX, there are wrong paths to the linker scripts in the Makefile
>>>> --    # -- these paths are relative to the Python source, but when 
>>>> installed
>>>> --    # the scripts are in another directory.
>>>> --    if python_build:
>>>> --        g['LDSHARED'] = g['BLDSHARED']
>>>> --
>>>> -+    # _sysconfigdata is generated at build time, see the sysconfig module
>>>> -+    from _sysconfigdata import build_time_vars
>>>> -     global _config_vars
>>>> --    _config_vars = g
>>>> -+    _config_vars = {}
>>>> -+    _config_vars.update(build_time_vars)
>>>> -
>>>> -
>>>> - def _init_nt():
>>>> ---
>>>> -1.8.3.1
>>>> -
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
>>>> deleted file mode 100644
>>>> index 321b4afa12..0000000000
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
>>>> +++ /dev/null
>>>> @@ -1,272 +0,0 @@
>>>> -From 758e7463c104f71b810c8588166747eeab6148d7 Mon Sep 17 00:00:00 2001
>>>> -From: Christian Heimes <[email protected]>
>>>> -Date: Sat, 10 Sep 2016 22:43:48 +0200
>>>> -Subject: [PATCH 1/4] Issue 28043: SSLContext has improved default settings
>>>> -
>>>> -The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, 
>>>> OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for 
>>>> PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by 
>>>> default. The initial cipher suite list contains only HIGH ciphers, no NULL 
>>>> ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
>>>> -
>>>> -Upstream-Status: Backport
>>>> -[https://github.com/python/cpython/commit/358cfd426ccc0fcd6a7940d306602138e76420ae]
>>>> -
>>>> -Signed-off-by: Anuj Mittal <[email protected]>
>>>> ----
>>>> - Doc/library/ssl.rst  |  9 ++++++-
>>>> - Lib/ssl.py           | 30 +++++----------------
>>>> - Lib/test/test_ssl.py | 62 +++++++++++++++++++++++---------------------
>>>> - Modules/_ssl.c       | 31 ++++++++++++++++++++++
>>>> - 4 files changed, 78 insertions(+), 54 deletions(-)
>>>> -
>>>> -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
>>>> -index a2f008346b..14f2d68217 100644
>>>> ---- a/Doc/library/ssl.rst
>>>> -+++ b/Doc/library/ssl.rst
>>>> -@@ -1151,7 +1151,14 @@ to speed up repeated connections from the same 
>>>> clients.
>>>> -
>>>> -    .. versionchanged:: 3.5.3
>>>> -
>>>> --      :data:`PROTOCOL_TLS` is the default value.
>>>> -+      The context is created with secure default values. The options
>>>> -+      :data:`OP_NO_COMPRESSION`, :data:`OP_CIPHER_SERVER_PREFERENCE`,
>>>> -+      :data:`OP_SINGLE_DH_USE`, :data:`OP_SINGLE_ECDH_USE`,
>>>> -+      :data:`OP_NO_SSLv2` (except for :data:`PROTOCOL_SSLv2`),
>>>> -+      and :data:`OP_NO_SSLv3` (except for :data:`PROTOCOL_SSLv3`) are
>>>> -+      set by default. The initial cipher suite list contains only 
>>>> ``HIGH``
>>>> -+      ciphers, no ``NULL`` ciphers and no ``MD5`` ciphers (except for
>>>> -+      :data:`PROTOCOL_SSLv2`).
>>>> -
>>>> -
>>>> - :class:`SSLContext` objects have the following methods and attributes:
>>>> -diff --git a/Lib/ssl.py b/Lib/ssl.py
>>>> -index e1913904f3..4d302a78fa 100644
>>>> ---- a/Lib/ssl.py
>>>> -+++ b/Lib/ssl.py
>>>> -@@ -446,32 +446,16 @@ def 
>>>> create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
>>>> -     if not isinstance(purpose, _ASN1Object):
>>>> -         raise TypeError(purpose)
>>>> -
>>>> -+    # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
>>>> -+    # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and 
>>>> OP_SINGLE_ECDH_USE
>>>> -+    # by default.
>>>> -     context = SSLContext(PROTOCOL_TLS)
>>>> -
>>>> --    # SSLv2 considered harmful.
>>>> --    context.options |= OP_NO_SSLv2
>>>> --
>>>> --    # SSLv3 has problematic security and is only required for really old
>>>> --    # clients such as IE6 on Windows XP
>>>> --    context.options |= OP_NO_SSLv3
>>>> --
>>>> --    # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
>>>> --    context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
>>>> --
>>>> -     if purpose == Purpose.SERVER_AUTH:
>>>> -         # verify certs and host name in client mode
>>>> -         context.verify_mode = CERT_REQUIRED
>>>> -         context.check_hostname = True
>>>> -     elif purpose == Purpose.CLIENT_AUTH:
>>>> --        # Prefer the server's ciphers by default so that we get stronger
>>>> --        # encryption
>>>> --        context.options |= getattr(_ssl, "OP_CIPHER_SERVER_PREFERENCE", 
>>>> 0)
>>>> --
>>>> --        # Use single use keys in order to improve forward secrecy
>>>> --        context.options |= getattr(_ssl, "OP_SINGLE_DH_USE", 0)
>>>> --        context.options |= getattr(_ssl, "OP_SINGLE_ECDH_USE", 0)
>>>> --
>>>> --        # disallow ciphers with known vulnerabilities
>>>> -         context.set_ciphers(_RESTRICTED_SERVER_CIPHERS)
>>>> -
>>>> -     if cafile or capath or cadata:
>>>> -@@ -497,12 +481,10 @@ def 
>>>> _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
>>>> -     if not isinstance(purpose, _ASN1Object):
>>>> -         raise TypeError(purpose)
>>>> -
>>>> -+    # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
>>>> -+    # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and 
>>>> OP_SINGLE_ECDH_USE
>>>> -+    # by default.
>>>> -     context = SSLContext(protocol)
>>>> --    # SSLv2 considered harmful.
>>>> --    context.options |= OP_NO_SSLv2
>>>> --    # SSLv3 has problematic security and is only required for really old
>>>> --    # clients such as IE6 on Windows XP
>>>> --    context.options |= OP_NO_SSLv3
>>>> -
>>>> -     if cert_reqs is not None:
>>>> -         context.verify_mode = cert_reqs
>>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>>> -index ffb7314f57..f91af7bd05 100644
>>>> ---- a/Lib/test/test_ssl.py
>>>> -+++ b/Lib/test/test_ssl.py
>>>> -@@ -73,6 +73,12 @@ NULLBYTECERT = data_file("nullbytecert.pem")
>>>> - DHFILE = data_file("dh1024.pem")
>>>> - BYTES_DHFILE = os.fsencode(DHFILE)
>>>> -
>>>> -+# Not defined in all versions of OpenSSL
>>>> -+OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
>>>> -+OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
>>>> -+OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
>>>> -+OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, 
>>>> "OP_CIPHER_SERVER_PREFERENCE", 0)
>>>> -+
>>>> -
>>>> - def handle_error(prefix):
>>>> -     exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
>>>> -@@ -839,8 +845,9 @@ class ContextTests(unittest.TestCase):
>>>> -         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>>> -         # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
>>>> -         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
>>>> --        if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
>>>> --            default |= ssl.OP_NO_COMPRESSION
>>>> -+        # SSLContext also enables these by default
>>>> -+        default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
>>>> -+                    OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE)
>>>> -         self.assertEqual(default, ctx.options)
>>>> -         ctx.options |= ssl.OP_NO_TLSv1
>>>> -         self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
>>>> -@@ -1205,16 +1212,29 @@ class ContextTests(unittest.TestCase):
>>>> -             stats["x509"] += 1
>>>> -             self.assertEqual(ctx.cert_store_stats(), stats)
>>>> -
>>>> -+    def _assert_context_options(self, ctx):
>>>> -+        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> -+        if OP_NO_COMPRESSION != 0:
>>>> -+            self.assertEqual(ctx.options & OP_NO_COMPRESSION,
>>>> -+                             OP_NO_COMPRESSION)
>>>> -+        if OP_SINGLE_DH_USE != 0:
>>>> -+            self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
>>>> -+                             OP_SINGLE_DH_USE)
>>>> -+        if OP_SINGLE_ECDH_USE != 0:
>>>> -+            self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
>>>> -+                             OP_SINGLE_ECDH_USE)
>>>> -+        if OP_CIPHER_SERVER_PREFERENCE != 0:
>>>> -+            self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
>>>> -+                             OP_CIPHER_SERVER_PREFERENCE)
>>>> -+
>>>> -     def test_create_default_context(self):
>>>> -         ctx = ssl.create_default_context()
>>>> -+
>>>> -         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>>> -         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
>>>> -         self.assertTrue(ctx.check_hostname)
>>>> --        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> --        self.assertEqual(
>>>> --            ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
>>>> --            getattr(ssl, "OP_NO_COMPRESSION", 0),
>>>> --        )
>>>> -+        self._assert_context_options(ctx)
>>>> -+
>>>> -
>>>> -         with open(SIGNING_CA) as f:
>>>> -             cadata = f.read()
>>>> -@@ -1222,40 +1242,24 @@ class ContextTests(unittest.TestCase):
>>>> -                                          cadata=cadata)
>>>> -         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>>> -         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
>>>> --        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> --        self.assertEqual(
>>>> --            ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
>>>> --            getattr(ssl, "OP_NO_COMPRESSION", 0),
>>>> --        )
>>>> -+        self._assert_context_options(ctx)
>>>> -
>>>> -         ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
>>>> -         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>>> -         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>>> --        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> --        self.assertEqual(
>>>> --            ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
>>>> --            getattr(ssl, "OP_NO_COMPRESSION", 0),
>>>> --        )
>>>> --        self.assertEqual(
>>>> --            ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0),
>>>> --            getattr(ssl, "OP_SINGLE_DH_USE", 0),
>>>> --        )
>>>> --        self.assertEqual(
>>>> --            ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
>>>> --            getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
>>>> --        )
>>>> -+        self._assert_context_options(ctx)
>>>> -
>>>> -     def test__create_stdlib_context(self):
>>>> -         ctx = ssl._create_stdlib_context()
>>>> -         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>>> -         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>>> -         self.assertFalse(ctx.check_hostname)
>>>> --        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> -+        self._assert_context_options(ctx)
>>>> -
>>>> -         ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
>>>> -         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
>>>> -         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>>> --        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> -+        self._assert_context_options(ctx)
>>>> -
>>>> -         ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,
>>>> -                                          cert_reqs=ssl.CERT_REQUIRED,
>>>> -@@ -1263,12 +1267,12 @@ class ContextTests(unittest.TestCase):
>>>> -         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
>>>> -         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
>>>> -         self.assertTrue(ctx.check_hostname)
>>>> --        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> -+        self._assert_context_options(ctx)
>>>> -
>>>> -         ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
>>>> -         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>>> -         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>>> --        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>>> -+        self._assert_context_options(ctx)
>>>> -
>>>> -     def test_check_hostname(self):
>>>> -         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>>> -diff --git a/Modules/_ssl.c b/Modules/_ssl.c
>>>> -index 86482677ae..0d5c121d2c 100644
>>>> ---- a/Modules/_ssl.c
>>>> -+++ b/Modules/_ssl.c
>>>> -@@ -2330,6 +2330,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int 
>>>> proto_version)
>>>> -     PySSLContext *self;
>>>> -     long options;
>>>> -     SSL_CTX *ctx = NULL;
>>>> -+    int result;
>>>> - #if defined(SSL_MODE_RELEASE_BUFFERS)
>>>> -     unsigned long libver;
>>>> - #endif
>>>> -@@ -2393,8 +2394,38 @@ _ssl__SSLContext_impl(PyTypeObject *type, int 
>>>> proto_version)
>>>> -         options |= SSL_OP_NO_SSLv2;
>>>> -     if (proto_version != PY_SSL_VERSION_SSL3)
>>>> -         options |= SSL_OP_NO_SSLv3;
>>>> -+    /* Minimal security flags for server and client side context.
>>>> -+     * Client sockets ignore server-side parameters. */
>>>> -+#ifdef SSL_OP_NO_COMPRESSION
>>>> -+    options |= SSL_OP_NO_COMPRESSION;
>>>> -+#endif
>>>> -+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
>>>> -+    options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
>>>> -+#endif
>>>> -+#ifdef SSL_OP_SINGLE_DH_USE
>>>> -+    options |= SSL_OP_SINGLE_DH_USE;
>>>> -+#endif
>>>> -+#ifdef SSL_OP_SINGLE_ECDH_USE
>>>> -+    options |= SSL_OP_SINGLE_ECDH_USE;
>>>> -+#endif
>>>> -     SSL_CTX_set_options(self->ctx, options);
>>>> -
>>>> -+    /* A bare minimum cipher list without completly broken cipher suites.
>>>> -+     * It's far from perfect but gives users a better head start. */
>>>> -+    if (proto_version != PY_SSL_VERSION_SSL2) {
>>>> -+        result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5");
>>>> -+    } else {
>>>> -+        /* SSLv2 needs MD5 */
>>>> -+        result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
>>>> -+    }
>>>> -+    if (result == 0) {
>>>> -+        Py_DECREF(self);
>>>> -+        ERR_clear_error();
>>>> -+        PyErr_SetString(PySSLErrorObject,
>>>> -+                        "No cipher can be selected.");
>>>> -+        return NULL;
>>>> -+    }
>>>> -+
>>>> - #if defined(SSL_MODE_RELEASE_BUFFERS)
>>>> -     /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces 
>>>> memory
>>>> -        usage for no cost at all. However, don't do this for OpenSSL 
>>>> versions
>>>> ---
>>>> -2.17.1
>>>> -
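Review bot: removing this patch drops the `_ssl.c` block that ORs `SSL_OP_NO_COMPRESSION`, `SSL_OP_CIPHER_SERVER_PREFERENCE`, `SSL_OP_SINGLE_DH_USE` and `SSL_OP_SINGLE_ECDH_USE` into every `SSLContext` and sets the `HIGH:!aNULL:!eNULL:!MD5` cipher list, and nothing in the deletion shows that the new source provides the same defaults. The `Lib/ssl.py` half of the same patch had already taken the explicit `context.options |= ...` lines out of `create_default_context()` on the assumption that the C side sets them, so the two halves have to arrive together in whatever replaces this. Please state in the commit message that the Python version being packaged carries this change, and run `test_ssl` on the upgraded build: the `_assert_context_options` helper added by this patch is exactly the check that catches a context created without these flags.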
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch
>>>> deleted file mode 100644
>>>> index 2b4ba316e4..0000000000
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch
>>>> +++ /dev/null
>>>> @@ -1,40 +0,0 @@
>>>> -From 98586d6dc598e40b8b821b0dde57599e188a7ca4 Mon Sep 17 00:00:00 2001
>>>> -From: Anuj Mittal <[email protected]>
>>>> -Date: Tue, 7 Aug 2018 16:43:17 +0800
>>>> -Subject: [PATCH 2/2] Makefile: add target to split profile generation
>>>> -
>>>> -We don't want to have profile task invoked from here and want to use
>>>> -qemu-user instead. Split the profile-opt task so qemu can be invoked
>>>> -once binaries have been built with instrumentation and then we can go
>>>> -ahead and build again using the profile data generated.
>>>> -
>>>> -Upstream-Status: Inappropriate [OE-specific]
>>>> -
>>>> -Signed-off-by: Anuj Mittal <[email protected]>
>>>> ----
>>>> - Makefile.pre.in | 6 ++----
>>>> - 1 file changed, 2 insertions(+), 4 deletions(-)
>>>> -
>>>> -diff --git a/Makefile.pre.in b/Makefile.pre.in
>>>> -index 84bc3ff..017a2c4 100644
>>>> ---- a/Makefile.pre.in
>>>> -+++ b/Makefile.pre.in
>>>> -@@ -469,13 +469,12 @@ profile-opt:
>>>> -     $(MAKE) profile-removal
>>>> -     $(MAKE) build_all_generate_profile
>>>> -     $(MAKE) profile-removal
>>>> --    @echo "Running code to generate profile data (this can take a 
>>>> while):"
>>>> --    $(MAKE) run_profile_task
>>>> --    $(MAKE) build_all_merge_profile
>>>> -+
>>>> -+clean_and_use_profile:
>>>> -     @echo "Rebuilding with profile guided optimizations:"
>>>> -     $(MAKE) clean
>>>> -     $(MAKE) build_all_use_profile
>>>> -     $(MAKE) profile-removal
>>>> -
>>>> - build_all_generate_profile:
>>>> -     $(MAKE) @DEF_MAKE_RULE@ CFLAGS_NODIST="$(CFLAGS) $(EXTRA_CFLAGS) 
>>>> $(PGO_PROF_GEN_FLAG) @LTOFLAGS@" LDFLAGS="$(LDFLAGS) $(PGO_PROF_GEN_FLAG) 
>>>> @LTOFLAGS@" LIBS="$(LIBS)"
>>>> ---
>>>> -2.17.1
>>>> -
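Review bot: this patch is tagged `Upstream-Status: Inappropriate [OE-specific]`, so unlike the patches marked `Upstream-Status: Backport` that are deleted alongside it, nothing in the new Python source replaces it. Deleting it puts `$(MAKE) run_profile_task` back inside `profile-opt` and removes the `clean_and_use_profile` target, which undoes what the patch description asks for (profile data generated under qemu-user once the instrumented binaries are built). Refresh the `Makefile.pre.in` hunk against the 3.7 source instead of dropping it, or explain in the commit message how profile generation is handled after the upgrade.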
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
>>>> deleted file mode 100644
>>>> index d48cad7586..0000000000
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
>>>> +++ /dev/null
>>>> @@ -1,227 +0,0 @@
>>>> -From e950ea68dab006944af194c9910b8f2341d1437d Mon Sep 17 00:00:00 2001
>>>> -From: Christian Heimes <[email protected]>
>>>> -Date: Thu, 7 Sep 2017 20:23:52 -0700
>>>> -Subject: [PATCH] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3
>>>> - (GH-1363) (#3444)
>>>> -
>>>> -* bpo-29136: Add TLS 1.3 support
>>>> -
>>>> -TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
>>>> -cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
>>>> -Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
>>>> -will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
>>>> -AES-GCM and ChaCha20 suites.
>>>> -
>>>> -Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) 
>>>> with
>>>> -OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
>>>> -now.
>>>> -
>>>> -Signed-off-by: Christian Heimes <[email protected]>.
>>>> -(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
>>>> -
>>>> -Upstream-Status: Backport
>>>> -[https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3]
>>>> -
>>>> -Signed-off-by: Anuj Mittal <[email protected]>
>>>> ----
>>>> - Doc/library/ssl.rst                           | 21 ++++++++++++++
>>>> - Lib/ssl.py                                    |  7 +++++
>>>> - Lib/test/test_ssl.py                          | 29 ++++++++++++++++++-
>>>> - .../2017-09-04-16-39-49.bpo-29136.vSn1oR.rst  |  1 +
>>>> - Modules/_ssl.c                                | 13 +++++++++
>>>> - 5 files changed, 70 insertions(+), 1 deletion(-)
>>>> - create mode 100644 
>>>> Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
>>>> -
>>>> -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
>>>> -index 14f2d68217..29c5e94cf6 100644
>>>> ---- a/Doc/library/ssl.rst
>>>> -+++ b/Doc/library/ssl.rst
>>>> -@@ -285,6 +285,11 @@ purposes.
>>>> -
>>>> -      3DES was dropped from the default cipher string.
>>>> -
>>>> -+   .. versionchanged:: 3.7
>>>> -+
>>>> -+     TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, 
>>>> TLS_AES_256_GCM_SHA384,
>>>> -+     and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher 
>>>> string.
>>>> -+
>>>> -
>>>> - Random generation
>>>> - ^^^^^^^^^^^^^^^^^
>>>> -@@ -719,6 +724,16 @@ Constants
>>>> -
>>>> -    .. versionadded:: 3.4
>>>> -
>>>> -+.. data:: OP_NO_TLSv1_3
>>>> -+
>>>> -+   Prevents a TLSv1.3 connection. This option is only applicable in 
>>>> conjunction
>>>> -+   with :const:`PROTOCOL_TLS`. It prevents the peers from choosing 
>>>> TLSv1.3 as
>>>> -+   the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or 
>>>> later.
>>>> -+   When Python has been compiled against an older version of OpenSSL, the
>>>> -+   flag defaults to *0*.
>>>> -+
>>>> -+   .. versionadded:: 3.7
>>>> -+
>>>> - .. data:: OP_CIPHER_SERVER_PREFERENCE
>>>> -
>>>> -    Use the server's cipher ordering preference, rather than the client's.
>>>> -@@ -783,6 +798,12 @@ Constants
>>>> -
>>>> -    .. versionadded:: 3.3
>>>> -
>>>> -+.. data:: HAS_TLSv1_3
>>>> -+
>>>> -+   Whether the OpenSSL library has built-in support for the TLS 1.3 
>>>> protocol.
>>>> -+
>>>> -+   .. versionadded:: 3.7
>>>> -+
>>>> - .. data:: CHANNEL_BINDING_TYPES
>>>> -
>>>> -    List of supported TLS channel binding types.  Strings in this list
>>>> -diff --git a/Lib/ssl.py b/Lib/ssl.py
>>>> -index 4d302a78fa..f233e72e1f 100644
>>>> ---- a/Lib/ssl.py
>>>> -+++ b/Lib/ssl.py
>>>> -@@ -122,6 +122,7 @@ _import_symbols('OP_')
>>>> - _import_symbols('ALERT_DESCRIPTION_')
>>>> - _import_symbols('SSL_ERROR_')
>>>> - _import_symbols('VERIFY_')
>>>> -+from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3
>>>> -
>>>> - from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN
>>>> -
>>>> -@@ -162,6 +163,7 @@ else:
>>>> - # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
>>>> - # Enable a better set of ciphers by default
>>>> - # This list has been explicitly chosen to:
>>>> -+#   * TLS 1.3 ChaCha20 and AES-GCM cipher suites
>>>> - #   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
>>>> - #   * Prefer ECDHE over DHE for better performance
>>>> - #   * Prefer AEAD over CBC for better performance and security
>>>> -@@ -173,6 +175,8 @@ else:
>>>> - #   * Disable NULL authentication, NULL encryption, 3DES and MD5 MACs
>>>> - #     for security reasons
>>>> - _DEFAULT_CIPHERS = (
>>>> -+    'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
>>>> -+    'TLS13-AES-128-GCM-SHA256:'
>>>> -     
>>>> 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
>>>> -     'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
>>>> -     '!aNULL:!eNULL:!MD5:!3DES'
>>>> -@@ -180,6 +184,7 @@ _DEFAULT_CIPHERS = (
>>>> -
>>>> - # Restricted and more secure ciphers for the server side
>>>> - # This list has been explicitly chosen to:
>>>> -+#   * TLS 1.3 ChaCha20 and AES-GCM cipher suites
>>>> - #   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
>>>> - #   * Prefer ECDHE over DHE for better performance
>>>> - #   * Prefer AEAD over CBC for better performance and security
>>>> -@@ -190,6 +195,8 @@ _DEFAULT_CIPHERS = (
>>>> - #   * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, RC4, 
>>>> and
>>>> - #     3DES for security reasons
>>>> - _RESTRICTED_SERVER_CIPHERS = (
>>>> -+    'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
>>>> -+    'TLS13-AES-128-GCM-SHA256:'
>>>> -     
>>>> 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
>>>> -     'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
>>>> -     '!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES'
>>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>>> -index f91af7bd05..1acc12ec2d 100644
>>>> ---- a/Lib/test/test_ssl.py
>>>> -+++ b/Lib/test/test_ssl.py
>>>> -@@ -150,6 +150,13 @@ class BasicSocketTests(unittest.TestCase):
>>>> -             ssl.OP_NO_COMPRESSION
>>>> -         self.assertIn(ssl.HAS_SNI, {True, False})
>>>> -         self.assertIn(ssl.HAS_ECDH, {True, False})
>>>> -+        ssl.OP_NO_SSLv2
>>>> -+        ssl.OP_NO_SSLv3
>>>> -+        ssl.OP_NO_TLSv1
>>>> -+        ssl.OP_NO_TLSv1_3
>>>> -+    if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
>>>> -+            ssl.OP_NO_TLSv1_1
>>>> -+            ssl.OP_NO_TLSv1_2
>>>> -
>>>> -     def test_str_for_enums(self):
>>>> -         # Make sure that the PROTOCOL_* constants have enum-like string
>>>> -@@ -3028,12 +3035,33 @@ else:
>>>> -                     self.assertEqual(s.version(), 'TLSv1')
>>>> -                 self.assertIs(s.version(), None)
>>>> -
>>>> -+        @unittest.skipUnless(ssl.HAS_TLSv1_3,
>>>> -+                             "test requires TLSv1.3 enabled OpenSSL")
>>>> -+        def test_tls1_3(self):
>>>> -+            context = ssl.SSLContext(ssl.PROTOCOL_TLS)
>>>> -+            context.load_cert_chain(CERTFILE)
>>>> -+            # disable all but TLS 1.3
>>>> -+            context.options |= (
>>>> -+                ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
>>>> -+            )
>>>> -+            with ThreadedEchoServer(context=context) as server:
>>>> -+                with context.wrap_socket(socket.socket()) as s:
>>>> -+                    s.connect((HOST, server.port))
>>>> -+                    self.assertIn(s.cipher()[0], [
>>>> -+                        'TLS13-AES-256-GCM-SHA384',
>>>> -+                        'TLS13-CHACHA20-POLY1305-SHA256',
>>>> -+                        'TLS13-AES-128-GCM-SHA256',
>>>> -+                    ])
>>>> -+
>>>> -         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled 
>>>> OpenSSL")
>>>> -         def test_default_ecdh_curve(self):
>>>> -             # Issue #21015: elliptic curve-based Diffie Hellman key 
>>>> exchange
>>>> -             # should be enabled by default on SSL contexts.
>>>> -             context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>>> -             context.load_cert_chain(CERTFILE)
>>>> -+            # TLSv1.3 defaults to PFS key agreement and no longer has 
>>>> KEA in
>>>> -+            # cipher name.
>>>> -+            context.options |= ssl.OP_NO_TLSv1_3
>>>> -             # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
>>>> -             # explicitly using the 'ECCdraft' cipher alias.  Otherwise,
>>>> -             # our default cipher list should prefer ECDH-based ciphers
>>>> -@@ -3394,7 +3422,6 @@ else:
>>>> -                         s.sendfile(file)
>>>> -                         self.assertEqual(s.recv(1024), TEST_DATA)
>>>> -
>>>> --
>>>> - def test_main(verbose=False):
>>>> -     if support.verbose:
>>>> -         import warnings
>>>> -diff --git 
>>>> a/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst 
>>>> b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
>>>> -new file mode 100644
>>>> -index 0000000000..e76997ef83
>>>> ---- /dev/null
>>>> -+++ b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
>>>> -@@ -0,0 +1 @@
>>>> -+Add TLS 1.3 cipher suites and OP_NO_TLSv1_3.
>>>> -diff --git a/Modules/_ssl.c b/Modules/_ssl.c
>>>> -index 0d5c121d2c..c71d89607c 100644
>>>> ---- a/Modules/_ssl.c
>>>> -+++ b/Modules/_ssl.c
>>>> -@@ -4842,6 +4842,11 @@ PyInit__ssl(void)
>>>> - #if HAVE_TLSv1_2
>>>> -     PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
>>>> -     PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
>>>> -+#endif
>>>> -+#ifdef SSL_OP_NO_TLSv1_3
>>>> -+    PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3);
>>>> -+#else
>>>> -+    PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", 0);
>>>> - #endif
>>>> -     PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
>>>> -                             SSL_OP_CIPHER_SERVER_PREFERENCE);
>>>> -@@ -4890,6 +4895,14 @@ PyInit__ssl(void)
>>>> -     Py_INCREF(r);
>>>> -     PyModule_AddObject(m, "HAS_ALPN", r);
>>>> -
>>>> -+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
>>>> -+    r = Py_True;
>>>> -+#else
>>>> -+    r = Py_False;
>>>> -+#endif
>>>> -+    Py_INCREF(r);
>>>> -+    PyModule_AddObject(m, "HAS_TLSv1_3", r);
>>>> -+
>>>> -     /* Mappings for error codes */
>>>> -     err_codes_to_names = PyDict_New();
>>>> -     err_names_to_codes = PyDict_New();
>>>> ---
>>>> -2.17.1
>>>> -
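Review bot: the reason this backport can be dropped should be written down rather than left implicit in the deletion. The removed `Doc/library/ssl.rst` hunks mark `OP_NO_TLSv1_3` and `HAS_TLSv1_3` as `versionadded:: 3.7`, which supports removing the patch for a 3.7 recipe, so a one-line note to that effect in the commit message is enough if it is not there already. Because the patch also added the three TLS 1.3 suites to `_DEFAULT_CIPHERS` and `_RESTRICTED_SERVER_CIPHERS`, it is worth confirming on the upgraded build that a TLS 1.3 handshake against the target's OpenSSL still succeeds, which is what the removed `test_tls1_3` case exercised.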
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
>>>> deleted file mode 100644
>>>> index 56d591d1b5..0000000000
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
>>>> +++ /dev/null
>>>> @@ -1,173 +0,0 @@
>>>> -From 170a614904febd14ff6cfd7a75c9bccc114b3948 Mon Sep 17 00:00:00 2001
>>>> -From: Christian Heimes <[email protected]>
>>>> -Date: Tue, 14 Aug 2018 16:56:32 +0200
>>>> -Subject: [PATCH] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761)
>>>> -
>>>> -Backport of TLS 1.3 related fixes from 3.7.
>>>> -
>>>> -Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git
>>>> -master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 
>>>> by
>>>> -default. Some test cases only apply to TLS 1.2.
>>>> -
>>>> -OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
>>>> -1.3. The feature is enabled by default for maximum compatibility with
>>>> -broken middle boxes. Users should be able to disable the hack and 
>>>> CPython's test suite needs
>>>> -it to verify default options
>>>> -
>>>> -Signed-off-by: Christian Heimes <[email protected]>
>>>> -
>>>> -Upstream-Status: Backport
>>>> -[https://github.com/python/cpython/commit/2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826]
>>>> -
>>>> -Signed-off-by: Anuj Mittal <[email protected]>
>>>> ----
>>>> - Doc/library/ssl.rst                           |  9 ++++++
>>>> - Lib/test/test_asyncio/test_events.py          |  6 +++-
>>>> - Lib/test/test_ssl.py                          | 29 +++++++++++++++----
>>>> - .../2018-08-14-08-57-01.bpo-32947.mqStVW.rst  |  2 ++
>>>> - Modules/_ssl.c                                |  4 +++
>>>> - 5 files changed, 44 insertions(+), 6 deletions(-)
>>>> - create mode 100644 
>>>> Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
>>>> -
>>>> -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
>>>> -index 29c5e94cf6..f63a3deec5 100644
>>>> ---- a/Doc/library/ssl.rst
>>>> -+++ b/Doc/library/ssl.rst
>>>> -@@ -757,6 +757,15 @@ Constants
>>>> -
>>>> -    .. versionadded:: 3.3
>>>> -
>>>> -+.. data:: OP_ENABLE_MIDDLEBOX_COMPAT
>>>> -+
>>>> -+   Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to 
>>>> make
>>>> -+   a TLS 1.3 connection look more like a TLS 1.2 connection.
>>>> -+
>>>> -+   This option is only available with OpenSSL 1.1.1 and later.
>>>> -+
>>>> -+   .. versionadded:: 3.6.7
>>>> -+
>>>> - .. data:: OP_NO_COMPRESSION
>>>> -
>>>> -    Disable compression on the SSL channel.  This is useful if the 
>>>> application
>>>> -diff --git a/Lib/test/test_asyncio/test_events.py 
>>>> b/Lib/test/test_asyncio/test_events.py
>>>> -index 492a84a231..6f208474b9 100644
>>>> ---- a/Lib/test/test_asyncio/test_events.py
>>>> -+++ b/Lib/test/test_asyncio/test_events.py
>>>> -@@ -1169,7 +1169,11 @@ class EventLoopTestsMixin:
>>>> -                     self.loop.run_until_complete(f_c)
>>>> -
>>>> -         # close connection
>>>> --        proto.transport.close()
>>>> -+        # transport may be None with TLS 1.3, because connection is
>>>> -+        # interrupted, server is unable to send session tickets, and
>>>> -+        # transport is closed.
>>>> -+        if proto.transport is not None:
>>>> -+            proto.transport.close()
>>>> -         server.close()
>>>> -
>>>> -     def test_legacy_create_server_ssl_match_failed(self):
>>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>>> -index 1acc12ec2d..a2e1d32a62 100644
>>>> ---- a/Lib/test/test_ssl.py
>>>> -+++ b/Lib/test/test_ssl.py
>>>> -@@ -78,6 +78,7 @@ OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
>>>> - OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
>>>> - OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
>>>> - OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, 
>>>> "OP_CIPHER_SERVER_PREFERENCE", 0)
>>>> -+OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 
>>>> 0)
>>>> -
>>>> -
>>>> - def handle_error(prefix):
>>>> -@@ -155,8 +156,8 @@ class BasicSocketTests(unittest.TestCase):
>>>> -         ssl.OP_NO_TLSv1
>>>> -         ssl.OP_NO_TLSv1_3
>>>> -     if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
>>>> --            ssl.OP_NO_TLSv1_1
>>>> --            ssl.OP_NO_TLSv1_2
>>>> -+        ssl.OP_NO_TLSv1_1
>>>> -+        ssl.OP_NO_TLSv1_2
>>>> -
>>>> -     def test_str_for_enums(self):
>>>> -         # Make sure that the PROTOCOL_* constants have enum-like string
>>>> -@@ -854,7 +855,8 @@ class ContextTests(unittest.TestCase):
>>>> -         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
>>>> -         # SSLContext also enables these by default
>>>> -         default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
>>>> --                    OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE)
>>>> -+                    OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
>>>> -+                    OP_ENABLE_MIDDLEBOX_COMPAT)
>>>> -         self.assertEqual(default, ctx.options)
>>>> -         ctx.options |= ssl.OP_NO_TLSv1
>>>> -         self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
>>>> -@@ -1860,11 +1862,26 @@ else:
>>>> -                         self.sock, server_side=True)
>>>> -                     
>>>> self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol())
>>>> -                     
>>>> self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
>>>> --                except (ssl.SSLError, ConnectionResetError) as e:
>>>> -+                except (ConnectionResetError, BrokenPipeError) as e:
>>>> -                     # We treat ConnectionResetError as though it were an
>>>> -                     # SSLError - OpenSSL on Ubuntu abruptly closes the
>>>> -                     # connection when asked to use an unsupported 
>>>> protocol.
>>>> -                     #
>>>> -+                    # BrokenPipeError is raised in TLS 1.3 mode, when 
>>>> OpenSSL
>>>> -+                    # tries to send session tickets after handshake.
>>>> -+                    # https://github.com/openssl/openssl/issues/6342
>>>> -+                    self.server.conn_errors.append(str(e))
>>>> -+                    if self.server.chatty:
>>>> -+                        handle_error(
>>>> -+                            "\n server:  bad connection attempt from " + 
>>>> repr(
>>>> -+                                self.addr) + ":\n")
>>>> -+                    self.running = False
>>>> -+                    self.close()
>>>> -+                    return False
>>>> -+                except (ssl.SSLError, OSError) as e:
>>>> -+                    # OSError may occur with wrong protocols, e.g. both
>>>> -+                    # sides use PROTOCOL_TLS_SERVER.
>>>> -+                    #
>>>> -                     # XXX Various errors can have happened here, for 
>>>> example
>>>> -                     # a mismatching protocol version, an invalid 
>>>> certificate,
>>>> -                     # or a low-level bug. This should be made more 
>>>> discriminating.
>>>> -@@ -2974,7 +2991,7 @@ else:
>>>> -                 # Block on the accept and wait on the connection to 
>>>> close.
>>>> -                 evt.set()
>>>> -                 remote, peer = server.accept()
>>>> --                remote.recv(1)
>>>> -+                remote.send(remote.recv(4))
>>>> -
>>>> -             t = threading.Thread(target=serve)
>>>> -             t.start()
>>>> -@@ -2982,6 +2999,8 @@ else:
>>>> -             evt.wait()
>>>> -             client = context.wrap_socket(socket.socket())
>>>> -             client.connect((host, port))
>>>> -+            client.send(b'data')
>>>> -+            client.recv()
>>>> -             client_addr = client.getsockname()
>>>> -             client.close()
>>>> -             t.join()
>>>> -diff --git 
>>>> a/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst 
>>>> b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
>>>> -new file mode 100644
>>>> -index 0000000000..28de360c36
>>>> ---- /dev/null
>>>> -+++ b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
>>>> -@@ -0,0 +1,2 @@
>>>> -+Add OP_ENABLE_MIDDLEBOX_COMPAT and test workaround for TLSv1.3 for future
>>>> -+compatibility with OpenSSL 1.1.1.
>>>> -diff --git a/Modules/_ssl.c b/Modules/_ssl.c
>>>> -index c71d89607c..eb123a87ba 100644
>>>> ---- a/Modules/_ssl.c
>>>> -+++ b/Modules/_ssl.c
>>>> -@@ -4858,6 +4858,10 @@ PyInit__ssl(void)
>>>> -     PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
>>>> -                             SSL_OP_NO_COMPRESSION);
>>>> - #endif
>>>> -+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
>>>> -+    PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
>>>> -+                            SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
>>>> -+#endif
>>>> -
>>>> - #if HAVE_SNI
>>>> -     r = Py_True;
>>>> ---
>>>> -2.17.1
>>>> -
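Review bot: the deletion of this patch does not by itself show that the Python release being packaged contains the change, and the patch header gives mixed signals. It describes itself as "Backport of TLS 1.3 related fixes from 3.7", yet it is dated 14 Aug 2018 and its `Doc/library/ssl.rst` hunk documents `OP_ENABLE_MIDDLEBOX_COMPAT` as `versionadded:: 3.6.7`. Please confirm that the 3.7 tarball used by the recipe exposes `ssl.OP_ENABLE_MIDDLEBOX_COMPAT` and includes the `test_ssl.py` and `test_events.py` workarounds when built against OpenSSL 1.1.1, and record that in the commit message.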
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
>>>> deleted file mode 100644
>>>> index b97d5501e1..0000000000
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
>>>> +++ /dev/null
>>>> @@ -1,110 +0,0 @@
>>>> -From 0c9354362bfa5f90fbea8ff8237a1f1f5dba686f Mon Sep 17 00:00:00 2001
>>>> -From: Christian Heimes <[email protected]>
>>>> -Date: Wed, 12 Sep 2018 15:20:31 +0800
>>>> -Subject: [PATCH] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
>>>> -
>>>> -Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
>>>> -1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
>>>> -default.
>>>> -
>>>> -Also update multissltests and Travis config to test with latest OpenSSL.
>>>> -
>>>> -Signed-off-by: Christian Heimes <[email protected]>
>>>> -(cherry picked from commit e8eb6cb7920ded66abc5d284319a8539bdc2bae3)
>>>> -
>>>> -Co-authored-by: Christian Heimes <[email protected]
>>>> -
>>>> -Upstream-Status: Backport
>>>> -[https://github.com/python/cpython/commit/3e630c541b35c96bfe5619165255e559f577ee71]
>>>> -
>>>> -Tweaked patch to not take changes for multissltests and Travis config.
>>>> -
>>>> -Signed-off-by: Anuj Mittal <[email protected]>
>>>> ----
>>>> - Lib/test/test_ssl.py | 51 ++++++++++++++++++++++----------------------
>>>> - 1 file changed, 26 insertions(+), 25 deletions(-)
>>>> -
>>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>>> -index a2e1d32a62..c484ead5ff 100644
>>>> ---- a/Lib/test/test_ssl.py
>>>> -+++ b/Lib/test/test_ssl.py
>>>> -@@ -3024,17 +3024,21 @@ else:
>>>> -                     sock.do_handshake()
>>>> -                 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
>>>> -
>>>> --        def test_default_ciphers(self):
>>>> --            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>>> --            try:
>>>> --                # Force a set of weak ciphers on our client context
>>>> --                context.set_ciphers("DES")
>>>> --            except ssl.SSLError:
>>>> --                self.skipTest("no DES cipher available")
>>>> --            with ThreadedEchoServer(CERTFILE,
>>>> --                                    ssl_version=ssl.PROTOCOL_SSLv23,
>>>> --                                    chatty=False) as server:
>>>> --                with context.wrap_socket(socket.socket()) as s:
>>>> -+        def test_no_shared_ciphers(self):
>>>> -+            server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>>> -+            server_context.load_cert_chain(SIGNED_CERTFILE)
>>>> -+            client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>>> -+            client_context.verify_mode = ssl.CERT_REQUIRED
>>>> -+            client_context.check_hostname = True
>>>> -+
>>>> -+            client_context.set_ciphers("AES128")
>>>> -+            server_context.set_ciphers("AES256")
>>>> -+            # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for 
>>>> test
>>>> -+            client_context.options |= ssl.OP_NO_TLSv1_3
>>>> -+            with ThreadedEchoServer(context=server_context) as server:
>>>> -+                with client_context.wrap_socket(
>>>> -+                        socket.socket(),
>>>> -+                        server_hostname="localhost") as s:
>>>> -                     with self.assertRaises(OSError):
>>>> -                         s.connect((HOST, server.port))
>>>> -             self.assertIn("no shared cipher", str(server.conn_errors[0]))
>>>> -@@ -3067,9 +3071,9 @@ else:
>>>> -                 with context.wrap_socket(socket.socket()) as s:
>>>> -                     s.connect((HOST, server.port))
>>>> -                     self.assertIn(s.cipher()[0], [
>>>> --                        'TLS13-AES-256-GCM-SHA384',
>>>> --                        'TLS13-CHACHA20-POLY1305-SHA256',
>>>> --                        'TLS13-AES-128-GCM-SHA256',
>>>> -+                        'TLS_AES_256_GCM_SHA384',
>>>> -+                        'TLS_CHACHA20_POLY1305_SHA256',
>>>> -+                        'TLS_AES_128_GCM_SHA256',
>>>> -                     ])
>>>> -
>>>> -         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled 
>>>> OpenSSL")
>>>> -@@ -3391,22 +3395,19 @@ else:
>>>> -             client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>>> -             client_context.verify_mode = ssl.CERT_REQUIRED
>>>> -             client_context.load_verify_locations(SIGNING_CA)
>>>> --            if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
>>>> --                client_context.set_ciphers("AES128:AES256")
>>>> --                server_context.set_ciphers("AES256")
>>>> --                alg1 = "AES256"
>>>> --                alg2 = "AES-256"
>>>> --            else:
>>>> --                client_context.set_ciphers("AES:3DES")
>>>> --                server_context.set_ciphers("3DES")
>>>> --                alg1 = "3DES"
>>>> --                alg2 = "DES-CBC3"
>>>> -+            client_context.set_ciphers("AES128:AES256")
>>>> -+            server_context.set_ciphers("AES256")
>>>> -+            expected_algs = [
>>>> -+                "AES256", "AES-256",
>>>> -+                 # TLS 1.3 ciphers are always enabled
>>>> -+                 "TLS_CHACHA20", "TLS_AES",
>>>> -+            ]
>>>> -
>>>> -             stats = server_params_test(client_context, server_context)
>>>> -             ciphers = stats['server_shared_ciphers'][0]
>>>> -             self.assertGreater(len(ciphers), 0)
>>>> -             for name, tls_version, bits in ciphers:
>>>> --                if not alg1 in name.split("-") and alg2 not in name:
>>>> -+                if not any (alg in name for alg in expected_algs):
>>>> -                     self.fail(name)
>>>> -
>>>> -         def test_read_write_after_close_raises_valuerror(self):
>>>> ---
>>>> -2.17.1
>>>> -
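Review bot: A successful build cannot validate this deletion, because the removed backport changes only `Lib/test/test_ssl.py` (1 file changed, 26 insertions, 25 deletions). Please run `test_ssl` from the upgraded Python against OpenSSL 1.1.1 and confirm that it expects the `TLS_AES_256_GCM_SHA384` style names rather than `TLS13-AES-256-GCM-SHA384`, and that `test_no_shared_ciphers` still sets `ssl.OP_NO_TLSv1_3`. It would also help to state in the commit message that the upstream commit named in the `Upstream-Status: Backport` line (3e630c541b35c96bfe5619165255e559f577ee71) is contained in the new version.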
>>>> diff --git 
>>>> a/meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch
>>>>  
>>>> b/meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch
>>>> deleted file mode 100644
>>>> index d609847204..0000000000
>>>> --- 
>>>> a/meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch
>>>> +++ /dev/null
>>>> @@ -1,68 +0,0 @@
>>>> -From 7b40cb7293cb14e5c7c8ed123efaf9acb33edae2 Mon Sep 17 00:00:00 2001
>>>> -From: Christian Heimes <[email protected]>
>>>> -Date: Tue, 15 Aug 2017 10:33:43 +0200
>>>> -Subject: [PATCH] bpo-30714: ALPN changes for OpenSSL 1.1.0f (#2305)
>>>> -
>>>> -OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
>>>> -could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
>>>> -The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
>>>> -callback can pretend to not been set.
>>>> -
>>>> -See https://github.com/openssl/openss
> -- 
> _______________________________________________
> Openembedded-core mailing list
> [email protected]
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
