[2.7] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761) (GH-11876)

Backport of TLS 1.3 related fixes from 3.7. Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2. OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826)
author: stratakis <cstratak@redhat.com> 2019-02-15 18:27:44 +0100
committer: Victor Stinner <vstinner@redhat.com> 2019-02-15 18:27:44 +0100
commit: 2149a9ad7a9d39d7d680ec0fb602042c91057484 (patch)
tree: b45e3f3f5c47752b44873be0b2782b88d4b5fa71 /Modules
parent: 28eb87f4f558952f259fada7be1ab5b31b8a91ef (diff)
download: cpython-git-2149a9ad7a9d39d7d680ec0fb602042c91057484.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 80078aa3cb..93b635cc4a 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4411,6 +4411,10 @@ init_ssl(void)
     PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
                             SSL_OP_NO_COMPRESSION);
 #endif
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+    PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
+                            SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
+#endif
 
 #if HAVE_SNI
     r = Py_True;
author	stratakis <cstratak@redhat.com>	2019-02-15 18:27:44 +0100
committer	Victor Stinner <vstinner@redhat.com>	2019-02-15 18:27:44 +0100
commit	2149a9ad7a9d39d7d680ec0fb602042c91057484 (patch)
tree	b45e3f3f5c47752b44873be0b2782b88d4b5fa71 /Modules
parent	28eb87f4f558952f259fada7be1ab5b31b8a91ef (diff)
download	cpython-git-2149a9ad7a9d39d7d680ec0fb602042c91057484.tar.gz