From 54f08d83c4f30483fbce404e0a5b1990113c7c18 Mon Sep 17 00:00:00 2001
From: "Erlend E. Aasland"
Date: Sat, 12 Jun 2021 22:54:09 +0200
Subject: [PATCH] bpo-44389: Deprecate ssl.OP_NO_TLSv1_3 flag
---
 Lib/test/test_ssl.py | 8 +++++++-
 Modules/_ssl.c | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 31bc199e930a6c..8159988aafe647 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -340,9 +340,9 @@ def test_constants(self):
 ssl.OP_NO_SSLv2
 ssl.OP_NO_SSLv3
 ssl.OP_NO_TLSv1
- ssl.OP_NO_TLSv1_3
 ssl.OP_NO_TLSv1_1
 ssl.OP_NO_TLSv1_2
+ ssl.OP_NO_TLSv1_3
 self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
 def test_ssl_types(self):
@@ -3062,6 +3062,7 @@ def test_ecc_cert(self):
 cipher = s.cipher()[0].split('-')
 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
+ @ignore_deprecation
 def test_dual_rsa_ecc(self):
 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 client_context.load_verify_locations(SIGNING_CA)
@@ -3803,6 +3804,7 @@ def test_do_handshake_enotconn(self):
 sock.do_handshake()
 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
+ @ignore_deprecation
 def test_no_shared_ciphers(self):
 client_context, server_context, hostname = testing_context()
 # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
@@ -4017,6 +4019,7 @@ def test_compression_disabled(self):
 self.assertIs(stats['compression'], None)
 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
+ @ignore_deprecation
 def test_dh_params(self):
 # Check we can get a connection with ephemeral Diffie-Hellman
 client_context, server_context, hostname = testing_context()
@@ -4267,6 +4270,7 @@ def test_sendfile(self):
 s.sendfile(file)
 self.assertEqual(s.recv(1024), TEST_DATA)
+ @ignore_deprecation
 def test_session(self):
 client_context, server_context, hostname = testing_context()
 # TODO: sessions aren't compatible with TLSv1.3 yet
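Review bot: The `@ignore_deprecation` decorators added to test_dual_rsa_ecc, test_no_shared_ciphers, test_dh_params and test_session (and to test_session_handling and test_msg_callback_tls12 in the following hunks) silence the new warning instead of moving the tests off the deprecated flag. The decorator is defined outside this patch, but if it ignores DeprecationWarning for the whole test body it will also hide any unrelated deprecation these handshake tests hit later. Where a test only needs to cap the protocol at TLS 1.2, as the visible `client_context.options |= ssl.OP_NO_TLSv1_3` in test_msg_callback_tls12 does, `client_context.maximum_version = ssl.TLSVersion.TLSv1_2` expresses the same intent without the deprecated option. The test bodies continue outside the hunks, so the remaining call sites need checking individually.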
@@ -4324,6 +4328,7 @@ def test_session(self):
 self.assertEqual(sess_stat['accept'], 4)
 self.assertEqual(sess_stat['hits'], 2)
+ @ignore_deprecation
 def test_session_handling(self):
 client_context, server_context, hostname = testing_context()
 client_context2, _, _ = testing_context()
@@ -4752,6 +4757,7 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
 with self.assertRaises(TypeError):
 client_context._msg_callback = object()
+ @ignore_deprecation
 def test_msg_callback_tls12(self):
 client_context, server_context, hostname = testing_context()
 client_context.options |= ssl.OP_NO_TLSv1_3
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1080fa6cffbd96..26f31f8f4c5341 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -3587,7 +3587,7 @@ set_options(PySSLContext *self, PyObject *arg, void *c)
 long new_opts, opts, set, clear;
 long opt_no = (
 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
- SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2
+ SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3
 );
 if (!PyArg_Parse(arg, "l", &new_opts))
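Review bot: Nothing in this patch asserts that setting `ssl.OP_NO_TLSv1_3` now warns; the test changes only suppress the warning, so a later edit to the `opt_no` mask in set_options could drop the flag again unnoticed. A small test such as `with self.assertWarns(DeprecationWarning): ctx.options |= ssl.OP_NO_TLSv1_3` would pin the behaviour. The diffstat lists only Lib/test/test_ssl.py and Modules/_ssl.c, so the deprecation also ships without a documentation or changelog entry pointing users to `SSLContext.maximum_version` as the replacement. The code that consumes `opt_no` is outside the hunk; presumably it is the mask tested before the DeprecationWarning is issued.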