Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I would like to upload python2.7 to fix a problem where it can't
talk to SSL/TLS sites that use an ECDSA certificate other than
P256, like a P384 certificate.
Here is the debdiff:
diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog
--- python2.7-2.7.13/debian/changelog
+++ python2.7-2.7.13/debian/changelog
@@ -1,3 +1,10 @@
+python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload with maintainer's permission
+ * Support all groups in TLS communication (Closes: #868143)
+
+ -- Kurt Roeckx Thu, 09 Nov 2017 21:58:19 +0100
+
python2.7 (2.7.13-2) unstable; urgency=medium
* Lower priority of interpreter packages to optional.
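Review bot: the changelog line "Support all groups in TLS communication" does not say what changed or why; the only code change in this debdiff is to stop compiling the fixed prime256v1 ECDH fallback on OpenSSL 1.1 builds, which is what broke connections to servers using other curves such as P-384. A more specific entry, e.g. `* Don't force the prime256v1 ECDH curve on OpenSSL 1.1; fixes TLS connections to servers using other curves such as P-384 (Closes: #868143)`, plus a reference to the upstream bug bpo-29697 named in the patch header, would make the stretch update easier to audit.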
diff -u python2.7-2.7.13/debian/patches/series.in
python2.7-2.7.13/debian/patches/series.in
--- python2.7-2.7.13/debian/patches/series.in
+++ python2.7-2.7.13/debian/patches/series.in
@@ -71,0 +72 @@
+Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
only in patch2:
unchanged:
---
python2.7-2.7.13.orig/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
+++ python2.7-2.7.13/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
@@ -0,0 +1,28 @@
+From 97a145398ce7e36eb355f1fd75011ddbcb37d1b3 Mon Sep 17 00:00:00 2001
+From: Donald Stufft
+Date: Thu, 2 Mar 2017 11:24:50 -0500
+Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+
+
+---
+ Modules/_ssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: python2.7-2.7.13/Modules/_ssl.c
+===
+--- python2.7-2.7.13.orig/Modules/_ssl.c
python2.7-2.7.13/Modules/_ssl.c
+@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject
+ options |= SSL_OP_NO_SSLv3;
+ SSL_CTX_set_options(self->ctx, options);
+
+-#ifndef OPENSSL_NO_ECDH
++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
+ /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+prime256v1 by default. This is Apache mod_ssl's initialization
+policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
+ */
+-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
++#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(self->ctx, 1);
+ #else
+ {
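Review bot: the real fix is the moved `!defined(OPENSSL_VERSION_1_1)` test, and it deserves an explanatory comment in the source: before the patch an OpenSSL 1.1 build entered the `#ifndef OPENSSL_NO_ECDH` block, failed the inner `#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)` test, and therefore compiled the `#else` branch, i.e. the fixed prime256v1 fallback the comment describes, pinning every context to P-256 and causing the P-384 failure from the report; after the patch 1.1 builds skip the whole block and the library's own automatic curve selection applies. The comment that stays inside the block ("OpenSSL 1.1 has it enabled by default") now sits in code that 1.1 never compiles, so consider moving that sentence next to the new outer `#if`, e.g. `/* Skipped entirely on OpenSSL 1.1, which selects curves automatically. */`. Separately, in the copy pasted here the line after `--- python2.7-2.7.13.orig/Modules/_ssl.c` lacks its `+++ ` prefix and the `===` separator under `Index:` is truncated; if the file in the upload looks like this rather than this being a paste artifact, quilt will not apply it.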