From 892d66e422d5367673163d62ba40cd70a37d5cf7 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 29 Jan 2018 14:10:18 +0100
Subject: bpo-31429: Define TLS cipher suite on build time (#3532)

Until now Python used a hard coded white list of default TLS cipher suites. The old approach has multiple downsides. OpenSSL's default selection was completely overruled. Python did neither benefit from new cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites. For example we used to re-enable 3DES. Python now defaults to OpenSSL DEFAULT cipher suite selection and black lists all unwanted ciphers. Downstream vendors can override the default cipher list with --with-ssl-default-suites.

Signed-off-by: Christian Heimes
---
 configure | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

(limited to 'configure')

diff --git a/configure b/configure
index f94d16bf0b..caa86677ea 100755
--- a/configure
+++ b/configure
@@ -840,6 +840,7 @@ enable_big_digits
 with_computed_gotos
 with_ensurepip
 with_openssl
+with_ssl_default_suites
 '
 ac_precious_vars='build_alias
 host_alias
@@ -1538,6 +1539,11 @@ Optional Packages:
   --with(out)-ensurepip=[=upgrade]
                           "install" or "upgrade" using bundled pip
   --with-openssl=DIR      root of the OpenSSL directory
+  --with-ssl-default-suites=[python|openssl|STRING]
+                          Override default cipher suites string, python: use
+                          Python's preferred selection (default), openssl:
+                          leave OpenSSL's defaults untouched, STRING: use a
+                          custom string, PROTOCOL_SSLv2 ignores the setting
 
 Some influential environment variables:
   MACHDEP      name for machine-dependent library files
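Review bot: The help text added for `openssl` mode says only that OpenSSL's defaults are left untouched, while the commit description states that the `python` default additionally blacklists unwanted suites (3DES is the example given), so as far as the description goes `openssl` mode drops that blacklist without the help string saying so; a wording such as `openssl: leave OpenSSL's defaults untouched (Python's blacklist of weak suites is not applied)` would make the trade-off visible to whoever sets the flag. The trailing `PROTOCOL_SSLv2 ignores the setting` clause reads as part of the `STRING` description; a separate sentence, e.g. `The setting is ignored for PROTOCOL_SSLv2.`, is clearer. Since `configure` is generated, the text belongs in the `AS_HELP_STRING` in configure.ac and should be regenerated from there.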
@@ -16931,6 +16937,48 @@ $as_echo "#define HAVE_X509_VERIFY_PARAM_SET1_HOST 1" >>confdefs.h
 LIBS="$save_LIBS"
 fi
 
+# ssl module default cipher suite string
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-ssl-default-suites" >&5
+$as_echo_n "checking for --with-ssl-default-suites... " >&6; }
+
+# Check whether --with-ssl-default-suites was given.
+if test "${with_ssl_default_suites+set}" = set; then :
+  withval=$with_ssl_default_suites;
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $withval" >&5
+$as_echo "$withval" >&6; }
+case "$withval" in
+    python)
+        $as_echo "#define PY_SSL_DEFAULT_CIPHERS 1" >>confdefs.h
+
+        ;;
+    openssl)
+        $as_echo "#define PY_SSL_DEFAULT_CIPHERS 2" >>confdefs.h
+
+        ;;
+    *)
+        $as_echo "#define PY_SSL_DEFAULT_CIPHERS 0" >>confdefs.h
+
+        cat >>confdefs.h <<_ACEOF
+#define PY_SSL_DEFAULT_CIPHER_STRING "$withval"
+_ACEOF
+
+        ;;
+esac
+
+else
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: python" >&5
+$as_echo "python" >&6; }
+$as_echo "#define PY_SSL_DEFAULT_CIPHERS 1" >>confdefs.h
+
+
+fi
+
+
+
 # generate output files
 ac_config_files="$ac_config_files Makefile.pre Misc/python.pc Misc/python-config.sh"
 
-- 
cgit v1.2.1
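Review bot: The `*)` arm of the added `case "$withval"` treats every value other than `python` or `openssl` as a cipher string, so `--without-ssl-default-suites` (which autoconf passes in as `withval=no`) and an empty `--with-ssl-default-suites=` both silently become `#define PY_SSL_DEFAULT_CIPHER_STRING "no"` / `""` in confdefs.h, a list OpenSSL will presumably only reject at runtime when the ssl module applies it, rather than failing the build. Because `configure` is generated, the guard belongs in the `AC_ARG_WITH` case in configure.ac and then regenerated; an arm placed before `*)` such as `no|"") AC_MSG_ERROR([--with-ssl-default-suites needs python, openssl or a cipher string]) ;;` fails early with a clear message. The same `cat >>confdefs.h <<_ACEOF` heredoc interpolates `$withval` unescaped into a C string literal, so a value containing `"` or `\` yields an invalid pyconfig.h; either reject such characters in that arm or state the restriction in the help text.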