Python fails to compile/load _ssl module if OpenSSL is compiled with no-tls1-method #84637
Comments
I'm working on a project which uses OpenSSL 1.1.1g. For security and compliance reasons, it is built with SSL and TLS < 1.2 methods compiled out, using the following OpenSSL build options:

    no-ssl no-ssl3 no-tls1 no-tls1_1 no-ssl3-method no-tls1-method no-tls1_1-method

When compiling Python v3.8.2 with CFLAGS="-DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1" and --with-openssl=/path/to/custom/openssl, _ssl.c fails to compile with the following error:

    gcc -pthread -fPIC -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1 -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration -I./Include/internal -I/home/mitch/openssl/include -I./Include -I. -I/usr/include/x86_64-linux-gnu -I/usr/local/include -I/home/mitch/cpython/Include -I/home/mitch/cpython -c /home/mitch/cpython/Modules/_ssl.c -o build/temp.linux-x86_64-3.8/home/mitch/cpython/Modules/_ssl.o

This also affects older versions. With v3.5.6, the _ssl module compiles successfully (it may be getting the declaration of TLSv1_method from the system default OpenSSL header, since the --with-openssl option doesn't exist in this version), but importing the module at runtime fails:

    root@10:/tmp/acmstest# python3
    Python 3.5.6 (default, Mar 23 2020, 05:11:33)
    [GCC 8.2.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import ssl
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.5/ssl.py", line 99, in <module>
        import _ssl # if we can't import it, let the error propagate
    ImportError: /usr/lib/python3.5/lib-dynload/_ssl.cpython-35m-aarch64-linux-gnu.so: undefined symbol: TLSv1_method
I'd be happy to work on a patch for this. I think the simplest approach would be to change this block starting on line 3087:

    if (proto_version == PY_SSL_VERSION_TLS1)
        ctx = SSL_CTX_new(TLSv1_method());
    #if HAVE_TLSv1_2
    else if (proto_version == PY_SSL_VERSION_TLS1_1)
        ctx = SSL_CTX_new(TLSv1_1_method());
    else if (proto_version == PY_SSL_VERSION_TLS1_2)
        ctx = SSL_CTX_new(TLSv1_2_method());
    #endif
    #ifndef OPENSSL_NO_SSL3
    else if (proto_version == PY_SSL_VERSION_SSL3)
        ctx = SSL_CTX_new(SSLv3_method());
    #endif
    #ifndef OPENSSL_NO_SSL2
    else if (proto_version == PY_SSL_VERSION_SSL2)
        ctx = SSL_CTX_new(SSLv2_method());
    #endif
    else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
        ctx = SSL_CTX_new(TLS_method());
    else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
        ctx = SSL_CTX_new(TLS_client_method());
    else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
        ctx = SSL_CTX_new(TLS_server_method());
    else
        proto_version = -1;

into a switch and add additional #if !defined(OPENSSL_NO_XXX) macros to exclude version-specific methods. Please let me know if this sounds okay.
Thanks for the bug report. I've created a PR to check for the correct flags in _ssl__SSLContext_impl(). I'll backport the fix to 3.8 and 3.7. 3.6 and older are in security-only mode.

Thanks for the quick turnaround!

Fixes have landed in 3.7 to 3.9. Thanks for the report! :)
For the record, I've added a comment to the pull request noting that ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 are now defined unconditionally.