Bug#881415: stretch-pu: python2.7/2.7.13-2+deb9u1

2017-11-19 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2017-11-19 at 13:31 +0100, Kurt Roeckx wrote:
> On Sat, Nov 18, 2017 at 06:28:03PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sat, 2017-11-11 at 14:36 +0100, Kurt Roeckx wrote:
> > > I would like to upload python2.7 to fix a problem that it can't
> > > talk to SSL/TLS sites that use an ECDSA certificate different than
> > > P256, like a P384 certificate.
> > > 
> > 
> > Please go ahead.
> 
> Uploaded.

Flagged for acceptance.

Regards,

Adam



Bug#881415: stretch-pu: python2.7/2.7.13-2+deb9u1

2017-11-19 Thread Kurt Roeckx
On Sat, Nov 18, 2017 at 06:28:03PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2017-11-11 at 14:36 +0100, Kurt Roeckx wrote:
> > I would like to upload python2.7 to fix a problem that it can't
> > talk to SSL/TLS sites that use an ECDSA certificate different than
> > P256, like a P384 certificate.
> > 
> 
> Please go ahead.

Uploaded.


Kurt



Bug#881415: stretch-pu: python2.7/2.7.13-2+deb9u1

2017-11-18 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2017-11-11 at 14:36 +0100, Kurt Roeckx wrote:
> I would like to upload python2.7 to fix a problem that it can't
> talk to SSL/TLS sites that use an ECDSA certificate different than
> P256, like a P384 certificate.
> 

Please go ahead.

Regards,

Adam



Bug#881415: stretch-pu: python2.7/2.7.13-2+deb9u1

2017-11-11 Thread Kurt Roeckx
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to upload python2.7 to fix a problem that it can't
talk to SSL/TLS sites that use an ECDSA certificate different than
P256, like a P384 certificate.

Here is the debdiff:
diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog
--- python2.7-2.7.13/debian/changelog
+++ python2.7-2.7.13/debian/changelog
@@ -1,3 +1,10 @@
+python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload with maintainer's permission
+  * Support all groups in TLS communication (Closes: #868143)
+
+ -- Kurt Roeckx   Thu, 09 Nov 2017 21:58:19 +0100
+
 python2.7 (2.7.13-2) unstable; urgency=medium
 
   * Lower priority of interpreter packages to optional.
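Review bot: The second bullet of the new entry, "Support all groups in TLS communication (Closes: #868143)", does not say which patch implements it or where that patch comes from. Naming the added file (Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff) and the upstream reference from its Subject line (bpo-29697) in the bullet would let someone reading only the changelog trace the change.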
diff -u python2.7-2.7.13/debian/patches/series.in 
python2.7-2.7.13/debian/patches/series.in
--- python2.7-2.7.13/debian/patches/series.in
+++ python2.7-2.7.13/debian/patches/series.in
@@ -71,0 +72 @@
+Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
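Review bot: The file name added at line 72 reads "1.0.2_fallback", while the Subject of the patch it names is "Don't use OpenSSL <1.0.2 fallback on 1.1+". With the "<" lost, the name suggests the 1.0.2 code path is the one being skipped rather than the pre-1.0.2 one. A name that keeps the "older than 1.0.2" meaning (for example Dont_use_pre_1.0.2_fallback_on_1.1.diff, as a suggestion) would avoid that misreading.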
only in patch2:
unchanged:
--- 
python2.7-2.7.13.orig/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
+++ python2.7-2.7.13/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
@@ -0,0 +1,28 @@
+From 97a145398ce7e36eb355f1fd75011ddbcb37d1b3 Mon Sep 17 00:00:00 2001
+From: Donald Stufft 
+Date: Thu, 2 Mar 2017 11:24:50 -0500
+Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+
+
+---
+ Modules/_ssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: python2.7-2.7.13/Modules/_ssl.c
+===
+--- python2.7-2.7.13.orig/Modules/_ssl.c
 python2.7-2.7.13/Modules/_ssl.c
+@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject
+ options |= SSL_OP_NO_SSLv3;
+ SSL_CTX_set_options(self->ctx, options);
+ 
+-#ifndef OPENSSL_NO_ECDH
++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
+ /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+prime256v1 by default.  This is Apache mod_ssl's initialization
+policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
+  */
+-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
++#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(self->ctx, 1);
+ #else
+ {
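Review bot: No test accompanies the guard change in context_new(): the patch header lists only Modules/_ssl.c with 2 insertions and 2 deletions, so nothing exercises a handshake against a server with a non-P256 ECDSA certificate, which is the failure this upload is meant to fix. A test case for a P384 endpoint, or a line in the patch header saying how the fix was verified, would help. Separately, the comment kept under the new outer guard still describes prime256v1 as the default; now that the whole block is skipped when OPENSSL_VERSION_1_1 is defined, its last sentence ("OpenSSL 1.1 has it enabled by default") could say explicitly that this is why the block is compiled out there.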