bpo-44888: Add ssl.OP_LEGACY_SERVER_CONNECT #27776

Closed
wants to merge 7 commits into from

xtkoba commented Aug 16, 2021

Required for making OpenSSL 3.0.0 behave like 1.1.1.

https://bugs.python.org/issue44888

@the-knights-who-say-ni

Hello, and thanks for your contribution!

I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA).

Recognized GitHub username

We couldn't find a bugs.python.org (b.p.o) account corresponding to the following GitHub usernames:

@xtkoba

This might be simply due to a missing "GitHub Name" entry in one's b.p.o account settings. This is necessary for legal reasons before we can look at this contribution. Please follow the steps outlined in the CPython devguide to rectify this issue.

You can check yourself to see if the CLA has been received.

Thanks again for the contribution, we look forward to reviewing it!

xtkoba (Author) commented Aug 16, 2021

See also openssl/openssl#16278

ambv (Contributor) commented Aug 17, 2021

Please add a NEWS entry.

ambv requested a review from tiran August 17, 2021 12:51

tiran (Member) commented Aug 17, 2021

Please also add documentation update and a test case.

Resolved review threads: Doc/library/ssl.rst, Lib/test/test_ssl.py

@bedevere-bot

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

xtkoba (Author) commented Aug 18, 2021

I have made the requested changes; please review again.

Note that the connection test would really require an "unpatched" server, which I couldn't work out how to prepare.

@bedevere-bot

Thanks for making the requested changes!

@tiran: please review the changes made to this pull request.

xtkoba closed this Sep 15, 2021

@jerrychong25

Hi @xtkoba, just checking: is this ssl.OP_LEGACY_SERVER_CONNECT issue already fixed on the Python OpenSSL 3.0.0 side?

Source of Issue: https://bugs.python.org/issue44888

I've tried to configure ssl.OP_LEGACY_SERVER_CONNECT with OpenSSL 3.0.0, but can't find this option, as per the error message below:

```
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
/tmp/ipykernel_182/1739907879.py in <module>
     37 hostname = 'www.python.org'
     38 context = ssl.create_default_context()
---> 39 context.options &= ~ssl.OP_LEGACY_SERVER_CONNECT
     40 
     41 with socket.create_connection((hostname, 443)) as sock:

AttributeError: module 'ssl' has no attribute 'OP_LEGACY_SERVER_CONNECT'
```

I also checked the Python OpenSSL 3.0.0 documentation (link: https://docs.python.org/3/library/ssl.html) and can't find this option there either.

In this situation, what is the best workaround for making OpenSSL 3.0.0 behave like 1.1.1, given that ssl.OP_LEGACY_SERVER_CONNECT cannot be configured as of now?

Thanks.

CC: @tiran

tiran (Member) commented Feb 4, 2022

The changeset has not been merged and the flag is not available. @xtkoba closed the PR.

@hjmallon

Note to self/others, I was able to work around by manually setting the numeric value.

```python
import ssl
ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
# 0x4 is the numeric value of OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT
ctx.options |= 0x4
```
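
An added example, not code from this pull request or from CPython: one way to keep the numeric workaround above scoped to the hosts that need it, while every other connection uses a context with the bit explicitly cleared. The helper names and the `LEGACY_HOSTS` allow-list are hypothetical, and the host name in it is constructed.

```python
import ssl

# Numeric value of OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT (0x4, as in the
# workaround above). Use the named constant when the ssl module exposes it.
LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))

# Constructed allow-list: servers known to lack RFC 5746 secure renegotiation.
LEGACY_HOSTS = frozenset({"legacy.example.internal"})


def legacy_connect_enabled(ctx):
    """Return True if ctx will connect to servers without RFC 5746 support."""
    return bool(int(ctx.options) & LEGACY_SERVER_CONNECT)


def make_contexts():
    """Build (strict, legacy) client contexts (hypothetical helper).

    Both keep certificate and hostname verification from
    create_default_context(); only the legacy-connect bit differs.
    """
    strict = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Clear the bit explicitly so the result does not depend on which
    # OpenSSL version (and default) the interpreter was built against.
    strict.options = int(strict.options) & ~LEGACY_SERVER_CONNECT

    legacy = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    legacy.options = int(legacy.options) | LEGACY_SERVER_CONNECT
    return strict, legacy


def context_for(hostname, strict, legacy):
    """Hand out the legacy context only for allow-listed hosts."""
    return legacy if hostname.lower() in LEGACY_HOSTS else strict


if __name__ == "__main__":
    strict_ctx, legacy_ctx = make_contexts()
    for host in ("www.python.org", "legacy.example.internal"):
        chosen = context_for(host, strict_ctx, legacy_ctx)
        print(host, "legacy connect:", legacy_connect_enabled(chosen))
```

`legacy_connect_enabled()` can also be run over contexts created elsewhere in a code base to find where the bit has been turned on.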
