Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2018-12-10 12:21:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Mon Dec 10 12:21:19 2018 rev:134 rq:645305 version:2.7.15 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2018-10-02 19:41:29.802202938 +0200 +++ /work/SRC/openSUSE:Factory/.python.new.19453/python-base.changes 2018-12-10 12:21:27.466938809 +0100 @@ -1,0 +2,5 @@ +Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <[email protected]> + +- Add patch openssl-111.patch to work with openssl-1.1.1 + +------------------------------------------------------------------- python-doc.changes: same change --- /work/SRC/openSUSE:Factory/python/python.changes 2018-10-02 19:41:33.906196841 +0200 +++ /work/SRC/openSUSE:Factory/.python.new.19453/python.changes 2018-12-10 12:21:28.874937406 +0100 @@ -1,0 +2,14 @@ +Mon Oct 29 13:21:20 UTC 2018 - Vítězslav Čížek <[email protected]> + +- Enable all the tests in %check +- Add more patches to successfully build with openssl 1.1.1 + (bsc#1113755) + * openssl-111-middlebox-compat.patch + * openssl-111-ssl_options.patch + +------------------------------------------------------------------- +Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <[email protected]> + +- Add patch openssl-111.patch to work with openssl-1.1.1 + +------------------------------------------------------------------- New: ---- openssl-111-middlebox-compat.patch openssl-111-ssl_options.patch openssl-111.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.ymMtcP/_old 2018-12-10 12:21:30.138936148 +0100 +++ /var/tmp/diff_new_pack.ymMtcP/_new 2018-12-10 12:21:30.138936148 +0100 @@ -60,10 +60,15 @@ Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# https://github.com/python/cpython/pull/8771 +Patch42: openssl-111.patch # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch [email protected] # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch -Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch -# +Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834) +Patch47: openssl-111-middlebox-compat.patch +# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE +Patch48: openssl-111-ssl_options.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -172,6 +177,9 @@ %endif %patch41 -p1 %patch42 -p1 +%patch43 -p1 +%patch47 -p1 +%patch48 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.ymMtcP/_old 2018-12-10 12:21:30.170936116 +0100 +++ /var/tmp/diff_new_pack.ymMtcP/_new 2018-12-10 12:21:30.174936113 +0100 @@ -61,10 +61,15 @@ Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# https://github.com/python/cpython/pull/8771 +Patch42: openssl-111.patch # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch [email protected] # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch -Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch -# +Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834) +Patch47: openssl-111-middlebox-compat.patch +# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE +Patch48: openssl-111-ssl_options.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -119,6 +124,9 @@ %endif %patch41 -p1 %patch42 -p1 +%patch43 -p1 +%patch47 -p1 +%patch48 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.ymMtcP/_old 2018-12-10 12:21:30.230936057 +0100 +++ /var/tmp/diff_new_pack.ymMtcP/_new 2018-12-10 12:21:30.234936052 +0100 @@ -66,10 +66,15 @@ Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# https://github.com/python/cpython/pull/8771 +Patch42: openssl-111.patch # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch [email protected] # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch -Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch -# +Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834) +Patch47: openssl-111-middlebox-compat.patch +# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE +Patch48: openssl-111-ssl_options.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -225,6 +230,9 @@ %endif %patch41 -p1 %patch42 -p1 +%patch43 -p1 +%patch47 -p1 +%patch48 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ openssl-111-middlebox-compat.patch ++++++ >From 4fa35e8b1ebb2a8e88ba7c4c9cd2a17b35638ee6 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov <[email protected]> Date: Fri, 28 Sep 2018 16:34:16 +0100 Subject: [PATCH] bpo-34834: Fix test_ssl.test_options to account for OP_ENABLE_MIDDLEBOX_COMPAT. Signed-off-by: Dimitri John Ledkov <[email protected]> https://bugs.python.org/issue34834 --- Lib/test/test_ssl.py | 5 +++++ 1 file changed, 5 insertions(+) Index: Python-2.7.15/Lib/test/test_ssl.py =================================================================== --- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:32:59.190865648 +0100 +++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100 @@ -777,8 +777,12 @@ class ContextTests(unittest.TestCase): default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) # SSLContext also enables these by default default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE | - ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE | - ssl.OP_ENABLE_MIDDLEBOX_COMPAT) + ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE) + if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): + # define MIDDLEBOX constant, as python2.7 does not know about it + # but it is used by default. + OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L + default |= OP_ENABLE_MIDDLEBOX_COMPAT self.assertEqual(default, ctx.options) ctx.options |= ssl.OP_NO_TLSv1 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) ++++++ openssl-111-ssl_options.patch ++++++ Index: Python-2.7.15/Lib/test/test_ssl.py =================================================================== --- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100 +++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 14:04:59.674004321 +0100 @@ -776,7 +776,7 @@ class ContextTests(unittest.TestCase): # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) # SSLContext also enables these by default - default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE | + default |= (ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE) if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): # define MIDDLEBOX constant, as python2.7 does not know about it ++++++ openssl-111.patch ++++++ >From 9e32244ea7d2621030f040b0f4e5af89480ecc0f Mon Sep 17 00:00:00 2001 From: Christian Heimes <[email protected]> Date: Wed, 15 Aug 2018 09:07:28 +0200 Subject: [PATCH] [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) (GH-8760) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <[email protected]>. (cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71) Co-authored-by: Christian Heimes <[email protected]> --- Doc/library/ssl.rst | 8 ++-- Lib/test/test_ssl.py | 37 +++++++++++-------- .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++ 3 files changed, 27 insertions(+), 21 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst Index: Python-2.7.15/Doc/library/ssl.rst =================================================================== --- Python-2.7.15.orig/Doc/library/ssl.rst +++ Python-2.7.15/Doc/library/ssl.rst @@ -291,11 +291,6 @@ purposes. 3DES was dropped from the default cipher string. - .. versionchanged:: 2.7.15 - - TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, - and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string. - .. function:: _https_verify_certificates(enable=True) Specifies whether or not server certificates are verified when creating @@ -1176,6 +1171,9 @@ to speed up repeated connections from th when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will give the currently selected cipher. + OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites + cannot be disabled with :meth:`~SSLContext.set_ciphers`. + .. method:: SSLContext.set_alpn_protocols(protocols) Specify which protocols the socket should advertise during the SSL/TLS Index: Python-2.7.15/Lib/test/test_ssl.py =================================================================== --- Python-2.7.15.orig/Lib/test/test_ssl.py +++ Python-2.7.15/Lib/test/test_ssl.py @@ -775,8 +775,10 @@ class ContextTests(unittest.TestCase): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) - if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0): - default |= ssl.OP_NO_COMPRESSION + # SSLContext also enables these by default + default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE | + ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE | + ssl.OP_ENABLE_MIDDLEBOX_COMPAT) self.assertEqual(default, ctx.options) ctx.options |= ssl.OP_NO_TLSv1 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) @@ -2765,19 +2767,24 @@ else: sock.do_handshake() self.assertEqual(cm.exception.errno, errno.ENOTCONN) - def test_default_ciphers(self): - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - try: - # Force a set of weak ciphers on our client context - context.set_ciphers("DES") - except ssl.SSLError: - self.skipTest("no DES cipher available") - with ThreadedEchoServer(CERTFILE, - ssl_version=ssl.PROTOCOL_SSLv23, - chatty=False) as server: - with closing(context.wrap_socket(socket.socket())) as s: - with self.assertRaises(ssl.SSLError): - s.connect((HOST, server.port)) + def test_no_shared_ciphers(self): + server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + server_context.load_cert_chain(SIGNED_CERTFILE) + client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + client_context.verify_mode = ssl.CERT_REQUIRED + client_context.check_hostname = True + + # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test + client_context.options |= ssl.OP_NO_TLSv1_3 + # Force different suites on client and master + client_context.set_ciphers("AES128") + server_context.set_ciphers("AES256") + with ThreadedEchoServer(context=server_context) as server: + s = client_context.wrap_socket( + socket.socket(), + server_hostname="localhost") + with self.assertRaises(ssl.SSLError): + s.connect((HOST, server.port)) self.assertIn("no shared cipher", str(server.conn_errors[0])) def test_version_basic(self): @@ -2805,12 +2812,12 @@ else: ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2 ) with ThreadedEchoServer(context=context) as server: - with context.wrap_socket(socket.socket()) as s: + with closing(context.wrap_socket(socket.socket())) as s: s.connect((HOST, server.port)) self.assertIn(s.cipher()[0], [ - 'TLS13-AES-256-GCM-SHA384', - 'TLS13-CHACHA20-POLY1305-SHA256', - 'TLS13-AES-128-GCM-SHA256', + 'TLS_AES_256_GCM_SHA384', + 'TLS_CHACHA20_POLY1305_SHA256', + 'TLS_AES_128_GCM_SHA256', ]) @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") @@ -2819,6 +2826,7 @@ else: # should be enabled by default on SSL contexts. context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) context.load_cert_chain(CERTFILE) + context.options |= ssl.OP_NO_TLSv1_3 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled # explicitly using the 'ECCdraft' cipher alias. Otherwise, # our default cipher list should prefer ECDH-based ciphers Index: Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst =================================================================== --- /dev/null +++ Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst @@ -0,0 +1,3 @@ +Change TLS 1.3 cipher suite settings for compatibility with OpenSSL +1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by +default.
