Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[2.7] bpo-30622: Change NPN detection: (GH-2079) #3316

Merged
merged 1 commit into from Sep 4, 2017

Conversation

Projects
None yet
6 participants
@tiran
Copy link
Member

tiran commented Sep 4, 2017

  • Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):

  • pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  • 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
    False/False
  • 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
    OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):

  • pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  • 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
    OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
  • 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
    OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
  • Refine NPN guard:
  • If NPN is disabled, but ALPN is available we need our callback
  • Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
	!defined(OPENSSL_NPN_NEGOTIATED)
GH-	define OPENSSL_NPN_UNSUPPORTED 0
GH-	define OPENSSL_NPN_NEGOTIATED 1
GH-	define OPENSSL_NPN_NO_OVERLAP 2
GH-endif

[1] openssl/openssl@68b33cc.
(cherry picked from commit b2d096b)

https://bugs.python.org/issue30622

[2.7] bpo-30622: Change NPN detection: (GH-2079)
* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	GH-	define OPENSSL_NPN_UNSUPPORTED 0
	GH-	define OPENSSL_NPN_NEGOTIATED 1
	GH-	define OPENSSL_NPN_NO_OVERLAP 2
	GH-endif

[1] openssl/openssl@68b33cc.
(cherry picked from commit b2d096b)

@tiran tiran added the skip news label Sep 4, 2017

@tiran tiran merged commit 72ed233 into python:2.7 Sep 4, 2017

4 checks passed

bedevere/issue-number Issue number 30622 found
Details
bedevere/news "skip news" label found
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@tiran tiran deleted the tiran:backport-b2d096b-2.7 branch Sep 4, 2017

@Mariatta Mariatta removed the awaiting merge label Oct 8, 2017

@Sp1l

This comment has been minimized.

Copy link
Contributor

Sp1l commented Jan 26, 2018

This patch is incomplete.

2033 #ifdef OPENSSL_NPN_NEGOTIATED
2034     {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
2035 #endif

leads to a build-error when OpenSSL 1.1.0g is built without NPN support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.