authorChristian Heimes <christian@python.org>2018-01-27 15:51:38 +0100
committerGitHub <noreply@github.com>2018-01-27 15:51:38 +0100
commit61d478c71c5341cdc54e6bfb4ace4252852fd972 (patch)
tree5ad17242b4c341df03664ee5cde87cdb80b0ee50 /setup.py
parent746cc75541f31278864a10b995e7d009bd2ff053 (diff)
downloadcpython-git-61d478c71c5341cdc54e6bfb4ace4252852fd972.tar.gz
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses. * Remove match_hostname calls * Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host() * Add documentation for OpenSSL 1.0.2 requirement * Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It does not conform to the standard. * Add hostname_checks_common_name Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'setup.py')
-rw-r--r--setup.py27
1 files changed, 20 insertions, 7 deletions
diff --git a/setup.py b/setup.py
index a6f4488cc9..ba0a7624cf 100644
--- a/setup.py
+++ b/setup.py
@@ -363,6 +363,16 @@ class PyBuildExt(build_ext):
print_three_column(failed)
print()
+ if any('_ssl' in l
+ for l in (missing, self.failed, self.failed_on_import)):
+ print()
+ print("Could not build the ssl module!")
+ print("Python requires an OpenSSL 1.0.2 or 1.1 compatible "
+ "libssl with X509_VERIFY_PARAM_set1_host().")
+ print("LibreSSL 2.6.4 and earlier do not provide the necessary "
+ "APIs, https://github.com/libressl-portable/portable/issues/381")
+ print()
+
def build_extension(self, ext):
if ext.name == '_ctypes':
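Review bot: The added message names a missing `X509_VERIFY_PARAM_set1_host()` as the cause, but the condition only establishes that `_ssl` appears in `missing`, `self.failed` or `self.failed_on_import`. That is also true when libssl or its headers are absent, or when `_ssl.c` fails to compile or import for an unrelated reason. I would word the second print as a requirement rather than a diagnosis, for example `print("If libssl was found: Python requires an OpenSSL 1.0.2 or 1.1 compatible "`, so the reader checks the actual compiler or import error first. The added lines only print; nothing visible in this hunk changes the build's exit status, so a pipeline that must ship TLS support should test for `_ssl` explicitly instead of relying on this text. The enclosing method starts above the hunk, so how `missing` is filled is not visible here.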
@@ -2144,13 +2154,16 @@ class PyBuildExt(build_ext):
if krb5_h:
ssl_incs.extend(krb5_h)
- ssl_ext = Extension(
- '_ssl', ['_ssl.c'],
- include_dirs=openssl_includes,
- library_dirs=openssl_libdirs,
- libraries=openssl_libs,
- depends=['socketmodule.h']
- )
+ if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"):
+ ssl_ext = Extension(
+ '_ssl', ['_ssl.c'],
+ include_dirs=openssl_includes,
+ library_dirs=openssl_libdirs,
+ libraries=openssl_libs,
+ depends=['socketmodule.h']
+ )
+ else:
+ ssl_ext = None
hashlib_ext = Extension(
'_hashlib', ['_hashopenssl.c'],