From 51ee52d595e30fa6a91609a4a79d500723a55488 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Fri, 25 Jan 2019 18:09:05 -0800 Subject: [PATCH 01/18] try openssl-1.1.1a --- PCbuild/get_externals.bat | 4 ++-- PCbuild/python.props | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index 175a0513e77c25..ab05265f7c37a3 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat @@ -49,7 +49,7 @@ echo.Fetching external libraries... set libraries= set libraries=%libraries% bzip2-1.0.6 -if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.0j +if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1a set libraries=%libraries% sqlite-3.21.0.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0 @@ -72,7 +72,7 @@ for %%e in (%libraries%) do ( echo.Fetching external binaries... set binaries= -if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.0j +if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1a if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06 diff --git a/PCbuild/python.props b/PCbuild/python.props index a9dc9db4863f0b..31917ddc8d7609 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -53,8 +53,8 @@ $(ExternalsDir)sqlite-3.21.0.0\ $(ExternalsDir)bzip2-1.0.6\ $(ExternalsDir)xz-5.2.2\ - $(ExternalsDir)openssl-1.1.0j\ - $(ExternalsDir)openssl-bin-1.1.0j\$(ArchName)\ + $(ExternalsDir)openssl-1.1.1a\ + $(ExternalsDir)openssl-bin-1.1.1a\$(ArchName)\ $(opensslOutDir)include $(ExternalsDir)\nasm-2.11.06\ $(ExternalsDir)\zlib-1.2.11\ From bc94e4fdc69636962ecb53ad9802588132664b81 Mon Sep 17 00:00:00 2001 
From: Paul Monson Date: Wed, 30 Jan 2019 13:07:42 -0800 Subject: [PATCH 02/18] don't get openssl binaries if getting openssl src --- PCbuild/prepare_ssl.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PCbuild/prepare_ssl.bat b/PCbuild/prepare_ssl.bat index bd4b548528c5c1..bc8b2c0870aa9e 100644 --- a/PCbuild/prepare_ssl.bat +++ b/PCbuild/prepare_ssl.bat @@ -42,7 +42,7 @@ if ERRORLEVEL 1 (echo Cannot locate MSBuild.exe on PATH or as MSBUILD variable & call "%PCBUILD%\find_python.bat" "%PYTHON%" if ERRORLEVEL 1 (echo Cannot locate python.exe on PATH or as PYTHON variable & exit /b 3) -call "%PCBUILD%\get_externals.bat" --openssl-src %ORG_SETTING% +call "%PCBUILD%\get_externals.bat" --openssl-src --no-openssl %ORG_SETTING% if "%PERL%" == "" where perl > "%TEMP%\perl.loc" 2> nul && set /P PERL= <"%TEMP%\perl.loc" & del "%TEMP%\perl.loc" if "%PERL%" == "" (echo Cannot locate perl.exe on PATH or as PERL variable & exit /b 4) From 13bacb80c37590672c9c7edf7024e4c094e2cd39 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Thu, 31 Jan 2019 16:24:24 -0800 Subject: [PATCH 03/18] ignore errors caused by automatic session tickets --- Lib/test/test_ssl.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 55718220d88de6..146c6a5ba88943 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -2193,7 +2193,7 @@ def wrap_conn(self): self.sock, server_side=True) self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol()) self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol()) - except (ConnectionResetError, BrokenPipeError) as e: + except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e: # We treat ConnectionResetError as though it were an # SSLError - OpenSSL on Ubuntu abruptly closes the # connection when asked to use an unsupported protocol. 
@@ -2201,6 +2201,9 @@ def wrap_conn(self): # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL # tries to send session tickets after handshake. # https://github.com/openssl/openssl/issues/6342 + # + # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL + # tries to send session tickets after handshake when using WinSock. self.server.conn_errors.append(str(e)) if self.server.chatty: handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n") From 48e8b54256fa6e1c0f12a1766de653fe6625a18d Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Fri, 1 Feb 2019 16:17:43 -0800 Subject: [PATCH 04/18] SSL file operations should set the errno to ENOENT if the file doesn't exist --- Lib/test/test_asyncio/test_sslproto.py | 4 ++-- Lib/test/test_ssl.py | 24 ++++++++++++++---------- Modules/_ssl.c | 2 +- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/Lib/test/test_asyncio/test_sslproto.py b/Lib/test/test_asyncio/test_sslproto.py index 19b7a4366b2e82..b713845baeb21b 100644 --- a/Lib/test/test_asyncio/test_sslproto.py +++ b/Lib/test/test_asyncio/test_sslproto.py @@ -430,8 +430,8 @@ def test_start_tls_server_1(self): server_context = test_utils.simple_server_sslcontext() client_context = test_utils.simple_client_sslcontext() - if sys.platform.startswith('freebsd'): - # bpo-35031: Some FreeBSD buildbots fail to run this test + if sys.platform.startswith('freebsd') or sys.platform.startswith('win'): + # bpo-35031: Some FreeBSD and Windows buildbots fail to run this test # as the eof was not being received by the server if the payload # size is not big enough. This behaviour only appears if the # client is using TLS1.3. diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 146c6a5ba88943..cd8eac05ddf9b6 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
@@ -2235,7 +2235,7 @@ def wrap_conn(self): if support.verbose and self.server.chatty: sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n") cert_binary = self.sslconn.getpeercert(True) - if support.verbose and self.server.chatty: + if support.verbose and self.server.chatty and cert_binary != None: sys.stdout.write(" cert binary is " + str(len(cert_binary)) + " bytes\n") cipher = self.sslconn.cipher() if support.verbose and self.server.chatty: @@ -2344,15 +2344,19 @@ def run(self): ) self.close() self.running = False - except OSError: - if self.server.chatty: - handle_error("Test server failure:\n") - self.close() - self.running = False + except OSError as err: + if 'peer did not return a certificate' in err.args[1] and self.server.chatty: + # test_pha_required_nocert causes this error which results in a false(?) failure + sys.stdout.write(err.args[1]) + else: + if self.server.chatty: + handle_error("Test server failure:\n") + self.close() + self.running = False - # normally, we'd just stop here, but for the test - # harness, we want to stop the server - self.server.stop() + # normally, we'd just stop here, but for the test + # harness, we want to stop the server + self.server.stop() def __init__(self, certificate=None, ssl_version=None, certreqs=None, cacerts=None, @@ -4282,7 +4286,7 @@ def test_pha_required_nocert(self): server_context.verify_mode = ssl.CERT_REQUIRED client_context.post_handshake_auth = True - server = ThreadedEchoServer(context=server_context, chatty=False) + server = ThreadedEchoServer(context=server_context, chatty=True) with server: with client_context.wrap_socket(socket.socket(), server_hostname=hostname) as s: diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 0e720e268d937a..df8747c239aa72 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c 
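Review bot: `cert_binary != None` in the new condition in wrap_conn should be an identity test, `if support.verbose and self.server.chatty and cert_binary is not None:`, since `None` is a singleton and `!=` dispatches to `__ne__` (PEP 8 E711). A later commit in this series (PATCH 14, L15) drops the extra check again, so if the guard is only needed on Windows that should be said in a comment rather than left to the diff history. wrap_conn starts and ends outside the hunk.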
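Review bot: `err.args[1]` in the new `except OSError as err` branch of run() assumes a two-element args tuple; an OSError raised with a single argument, or one whose second element is not a str, turns the handler itself into an IndexError/TypeError that escapes the thread. `if self.server.chatty and 'peer did not return a certificate' in str(err):` avoids both and does not depend on the positional layout of args. In the matching branch nothing closes the connection or clears `self.running`, so the surrounding loop presumably goes on reading from a connection whose handshake already failed; the loop header is outside the hunk, so that is inferred. The same `err.args[1]` access is carried forward by PATCH 07's hunk at `@@ -2345` (L7). run() starts and ends outside the hunk.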
@@ -669,7 +669,7 @@ fill_and_set_sslerror(PySSLSocket *sslsock, PyObject *type, int ssl_errno, if (msg == NULL) goto fail; - init_value = Py_BuildValue("iN", ssl_errno, msg); + init_value = Py_BuildValue("iN", ERR_GET_REASON(ssl_errno), msg); if (init_value == NULL) goto fail; From f0325ed90a4c98fbc3ff6a72c4e4e2bce9551416 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Wed, 6 Feb 2019 17:16:11 -0800 Subject: [PATCH 05/18] update openssl CI versions --- .azure-pipelines/ci.yml | 4 ++-- .travis.yml | 2 +- PCbuild/readme.txt | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml index 15a83dd0370e19..248e94e4a488a9 100644 --- a/.azure-pipelines/ci.yml +++ b/.azure-pipelines/ci.yml @@ -59,7 +59,7 @@ jobs: variables: testRunTitle: '$(build.sourceBranchName)-linux' testRunPlatform: linux - openssl_version: 1.1.0j + openssl_version: 1.1.1a steps: - template: ./posix-steps.yml @@ -116,7 +116,7 @@ jobs: variables: testRunTitle: '$(Build.SourceBranchName)-linux-coverage' testRunPlatform: linux-coverage - openssl_version: 1.1.0j + openssl_version: 1.1.1a steps: - template: ./posix-steps.yml diff --git a/.travis.yml b/.travis.yml index c6e009291a2d9a..fef6dedd57eadd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -12,7 +12,7 @@ cache: env: global: - - OPENSSL=1.1.0i + - OPENSSL=1.1.1a - OPENSSL_DIR="$HOME/multissl/openssl/${OPENSSL}" - PATH="${OPENSSL_DIR}/bin:$PATH" # Use -O3 because we don't use debugger on Travis-CI diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index c84732861191a8..bb60f38de03d98 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -165,7 +165,7 @@ _lzma Homepage: http://tukaani.org/xz/ _ssl - Python wrapper for version 1.1.0h of the OpenSSL secure sockets + Python wrapper for version 1.1.1a of the OpenSSL secure sockets library, which is downloaded from our binaries repository at https://github.com/python/cpython-bin-deps. 
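Review bot: Passing `ERR_GET_REASON(ssl_errno)` makes the `errno` attribute of the resulting SSLError an OpenSSL reason code rather than a system errno, and the ENOENT outcome the commit subject relies on rests on the two numberings coinciding (as far as I recall, OpenSSL's system-library reason and ENOENT are both 2); a different reason code would silently surface as an unrelated errno. That intent should be recorded at this line, e.g. `/* ssl_errno may be a packed OpenSSL error code; keep only the reason so a missing file still compares equal to ENOENT (bpo-35926) */`. Where callers pass a plain SSL_ERROR_* value the macro is presumably a no-op, but that depends on call sites outside the hunk. fill_and_set_sslerror starts and ends outside the hunk.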
From c3dd8fecc19428b52be6211a1c10519c3d9b95dd Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Wed, 6 Feb 2019 18:29:26 -0800 Subject: [PATCH 06/18] add ARM and ARM64 builds --- PCbuild/openssl.vcxproj | 61 ++++++++++++++++++++++------------------- PCbuild/prepare_ssl.bat | 4 +++ PCbuild/python.props | 1 + 3 files changed, 38 insertions(+), 28 deletions(-) diff --git a/PCbuild/openssl.vcxproj b/PCbuild/openssl.vcxproj index 1a36d08ec06cb3..64e2443e9f4fee 100644 --- a/PCbuild/openssl.vcxproj +++ b/PCbuild/openssl.vcxproj @@ -1,37 +1,21 @@  - - Debug - Win32 - Release Win32 - - PGInstrument - Win32 - - - PGInstrument - x64 - - - PGUpdate - Win32 - - - PGUpdate + + Release x64 - - Debug - x64 + + Release + ARM - + Release - x64 + ARM64 @@ -40,15 +24,36 @@ - - + + Makefile 32 - 64 x86 - amd64 VC-WIN32 - VC-WIN64A + true + + + + Makefile + 64 + amd64 + VC-WIN64A + true + + + + Makefile + ARM + ARM + VC-WIN32-ARM + true + + + + Makefile + ARM64 + ARM64 + VC-WIN64-ARM true diff --git a/PCbuild/prepare_ssl.bat b/PCbuild/prepare_ssl.bat index bc8b2c0870aa9e..88fd0225f5ea94 100644 --- a/PCbuild/prepare_ssl.bat +++ b/PCbuild/prepare_ssl.bat @@ -51,4 +51,8 @@ if "%PERL%" == "" (echo Cannot locate perl.exe on PATH or as PERL variable & exi if errorlevel 1 exit /b %MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=x64 if errorlevel 1 exit /b +%MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=ARM +if errorlevel 1 exit /b +%MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=ARM64 +if errorlevel 1 exit /b diff --git a/PCbuild/python.props b/PCbuild/python.props index 31917ddc8d7609..e3130e95360c0b 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -26,6 +26,7 @@ --> amd64 arm32 + arm64 win32 From 23b4cc53f98d87d9bbf7149c41b3dded46a220de Mon Sep 17 00:00:00 2001 
From: Paul Monson Date: Fri, 8 Feb 2019 12:09:39 -0800 Subject: [PATCH 07/18] fix test_pha_required_nocert test for windows --- Lib/test/test_ssl.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index cd8eac05ddf9b6..bcd0bc92f73825 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -2345,9 +2345,12 @@ def run(self): self.close() self.running = False except OSError as err: - if 'peer did not return a certificate' in err.args[1] and self.server.chatty: + if 'peer did not return a certificate' in err.args[1]: # test_pha_required_nocert causes this error which results in a false(?) failure - sys.stdout.write(err.args[1]) + if self.server.chatty and support.verbose: + sys.stdout.write(err.args[1]) + # test_pha_required_nocert is expecting this exception + raise ssl.SSLError('tlsv13 alert certificate required') else: if self.server.chatty: handle_error("Test server failure:\n") @@ -4286,7 +4289,7 @@ def test_pha_required_nocert(self): server_context.verify_mode = ssl.CERT_REQUIRED client_context.post_handshake_auth = True - server = ThreadedEchoServer(context=server_context, chatty=True) + server = ThreadedEchoServer(context=server_context, chatty=False) with server: with client_context.wrap_socket(socket.socket(), server_hostname=hostname) as s: From bda97d9417c92db54255e784c1a009fe62895e87 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Mon, 11 Feb 2019 11:06:58 -0800 Subject: [PATCH 08/18] change openssl build type from VC-WIN64A to VC-WIN64A-masm --- Misc/ACKS | 1 + .../next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst | 1 + PCbuild/openssl.props | 3 ++- PCbuild/openssl.vcxproj | 2 +- 4 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst diff --git a/Misc/ACKS b/Misc/ACKS index c9fa08bd614138..958f5bce7a2654 100644 --- a/Misc/ACKS +++ b/Misc/ACKS 
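Review bot: The new `raise ssl.SSLError('tlsv13 alert certificate required')` inside the `except OSError` branch of run() is executed on the server's handler thread, so presumably it cannot reach the client-side assertion in test_pha_required_nocert; as far as the hunk shows it only ends the thread with an unhandled exception and skips `self.close()`, `self.running = False` and `self.server.stop()`. The hand-written message also duplicates the string the test expects, so the test would keep passing for the wrong reason if the real alert ever stopped being sent. If the aim is to avoid stopping the server on this spurious error, say so in a comment and handle it without a synthetic raise, and the `err.args[1]` access still needs the `str(err)` guard raised on PATCH 04. run() starts and ends outside the hunk.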
@@ -1098,6 +1098,7 @@ Zubin Mithra Florian Mladitsch Doug Moen Juliette Monsel +Paul Monson The Dragon De Monsyne Bastien Montagne Skip Montanaro diff --git a/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst b/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst new file mode 100644 index 00000000000000..f2f2b1ff489d9c --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst @@ -0,0 +1 @@ +Update to OpenSSL 1.1.1a diff --git a/PCbuild/openssl.props b/PCbuild/openssl.props index 8c78cd4ab10860..3ddbcb33e0ae93 100644 --- a/PCbuild/openssl.props +++ b/PCbuild/openssl.props @@ -11,7 +11,8 @@ <_DLLSuffix>-1_1 - <_DLLSuffix Condition="$(Platform) == 'x64'">$(_DLLSuffix)-x64 + <_DLLSuffix Condition="$(Platform) == 'ARM'">$(_DLLSuffix)-arm + <_DLLSuffix Condition="$(Platform) == 'ARM'">$(_DLLSuffix)-arm64 <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" /> diff --git a/PCbuild/openssl.vcxproj b/PCbuild/openssl.vcxproj index 64e2443e9f4fee..0da6f6749584f1 100644 --- a/PCbuild/openssl.vcxproj +++ b/PCbuild/openssl.vcxproj @@ -37,7 +37,7 @@ Makefile 64 amd64 - VC-WIN64A + VC-WIN64A-masm true From c7069e266887b17f36430e710eb3463fea8c71e8 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Mon, 11 Feb 2019 14:42:58 -0800 Subject: [PATCH 09/18] update tests and news --- Lib/test/test_ssl.py | 31 +++++++++++++------ .../2019-02-08-13-58-03.bpo-35926.uIEgyE.rst | 2 +- 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index bcd0bc92f73825..39ed4af204f3c8 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
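Review bot: Both new `_DLLSuffix` lines in openssl.props test `$(Platform) == 'ARM'`, so an ARM build gets the suffix `-1_1-arm-arm64` and an ARM64 build never gets `-arm64`; the second condition should read `<_DLLSuffix Condition="$(Platform) == 'ARM64'">$(_DLLSuffix)-arm64</_DLLSuffix>` (PATCH 11 at L10 makes exactly that correction). The hunk also removes the `'x64'` suffix line, which changes the DLL name x64 builds look for; if that matches the 1.1.1 binary layout it deserves a sentence in the commit message, since the subject only mentions the masm target.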
@@ -1822,9 +1822,13 @@ def test_connect(self): with test_wrap_socket(socket.socket(socket.AF_INET), cert_reqs=ssl.CERT_REQUIRED, ca_certs=SIGNING_CA) as s: - s.connect(self.server_addr) - self.assertTrue(s.getpeercert()) - self.assertFalse(s.server_side) + try: + s.connect(self.server_addr) + self.assertTrue(s.getpeercert()) + self.assertFalse(s.server_side) + except ConnectionResetError as e: + # sometimes windows throws ConnectionResetError during the handshake + sys.stdout.write(repr(e)) def test_connect_fail(self): # This should fail because we have no verification certs. Connection @@ -1881,13 +1885,18 @@ def test_connect_with_context(self): with ctx.wrap_socket(socket.socket(socket.AF_INET), server_hostname="dummy") as s: s.connect(self.server_addr) + self.assertEqual({}, s.getpeercert()) ctx.verify_mode = ssl.CERT_REQUIRED # This should succeed because we specify the root cert ctx.load_verify_locations(SIGNING_CA) with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s: - s.connect(self.server_addr) - cert = s.getpeercert() - self.assertTrue(cert) + try: + s.connect(self.server_addr) + cert = s.getpeercert() + self.assertTrue(cert) + except (ConnectionResetError, ConnectionRefusedError) as e: + # sometimes windows throws ConnectionResetError during the handshake + sys.stdout.write(repr(e)) def test_connect_with_context_fail(self): # This should fail because we have no verification certs. Connection @@ -1919,9 +1928,13 @@ def test_connect_capath(self): ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_verify_locations(capath=BYTES_CAPATH) with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s: - s.connect(self.server_addr) - cert = s.getpeercert() - self.assertTrue(cert) + try: + s.connect(self.server_addr) + cert = s.getpeercert() + self.assertTrue(cert) + except ConnectionResetError as e: + # sometimes windows throws ConnectionResetError during the handshake + sys.stdout.write(repr(e)) def test_connect_cadata(self): with open(SIGNING_CA) as f: 
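Review bot: The try/except added around the client assertions in test_connect, test_connect_with_context and test_connect_capath makes each test pass vacuously whenever the handshake is reset, because `sys.stdout.write(repr(e))` is the only outcome; a broken CERT_REQUIRED verification path on Windows would no longer fail these tests. If the reset is a known platform flake, `self.skipTest(...)` (or a bounded retry) records that honestly, and `ConnectionRefusedError` in test_connect_with_context hides a server that never listened, which is a different condition from a mid-handshake reset. PATCH 12's hunk at `@@ -1826` (L11) widens the first handler to ConnectionAbortedError, and PATCH 14 (L14–L15) removes all three again. The enclosing test methods start outside the hunks.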
diff --git a/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst b/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst index f2f2b1ff489d9c..1d2cdca4d9db66 100644 --- a/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst +++ b/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst @@ -1 +1 @@ -Update to OpenSSL 1.1.1a +Update to OpenSSL 1.1.1a for Windows From 5460005e2d9d597048dec9012b3af417ac0a1d6e Mon Sep 17 00:00:00 2001 From: Mariatta Date: Mon, 11 Feb 2019 18:05:02 -0800 Subject: [PATCH 10/18] Update Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst Co-Authored-By: paulmon --- .../next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst b/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst index 1d2cdca4d9db66..3b4390c4f96119 100644 --- a/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst +++ b/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst @@ -1 +1 @@ -Update to OpenSSL 1.1.1a for Windows +Update to OpenSSL 1.1.1a for Windows. From a17557c329aa065c485c8283697dde9a70309030 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Wed, 27 Feb 2019 17:21:05 -0800 Subject: [PATCH 11/18] fix ARM64 typo --- PCbuild/openssl.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PCbuild/openssl.props b/PCbuild/openssl.props index 3ddbcb33e0ae93..a7e16793c7f283 100644 --- a/PCbuild/openssl.props +++ b/PCbuild/openssl.props @@ -12,7 +12,7 @@ <_DLLSuffix>-1_1 <_DLLSuffix Condition="$(Platform) == 'ARM'">$(_DLLSuffix)-arm - <_DLLSuffix Condition="$(Platform) == 'ARM'">$(_DLLSuffix)-arm64 + <_DLLSuffix Condition="$(Platform) == 'ARM64'">$(_DLLSuffix)-arm64 <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" /> From 0cda7da956d5749a51283ebe9162c66ba4b5769a Mon Sep 17 00:00:00 2001 
From: Paul Monson Date: Fri, 1 Mar 2019 18:15:09 -0800 Subject: [PATCH 12/18] update to openssl 1.1.1b --- .azure-pipelines/ci.yml | 4 ++-- .travis.yml | 2 +- Lib/test/test_ssl.py | 2 +- .../next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst | 1 + PCbuild/get_externals.bat | 4 ++-- PCbuild/python.props | 4 ++-- PCbuild/readme.txt | 2 +- 7 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml index 248e94e4a488a9..1576599379c489 100644 --- a/.azure-pipelines/ci.yml +++ b/.azure-pipelines/ci.yml @@ -59,7 +59,7 @@ jobs: variables: testRunTitle: '$(build.sourceBranchName)-linux' testRunPlatform: linux - openssl_version: 1.1.1a + openssl_version: 1.1.1b steps: - template: ./posix-steps.yml @@ -116,7 +116,7 @@ jobs: variables: testRunTitle: '$(Build.SourceBranchName)-linux-coverage' testRunPlatform: linux-coverage - openssl_version: 1.1.1a + openssl_version: 1.1.1b steps: - template: ./posix-steps.yml diff --git a/.travis.yml b/.travis.yml index fef6dedd57eadd..516fc98a4d7416 100644 --- a/.travis.yml +++ b/.travis.yml @@ -12,7 +12,7 @@ cache: env: global: - - OPENSSL=1.1.1a + - OPENSSL=1.1.1b - OPENSSL_DIR="$HOME/multissl/openssl/${OPENSSL}" - PATH="${OPENSSL_DIR}/bin:$PATH" # Use -O3 because we don't use debugger on Travis-CI diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 39ed4af204f3c8..59d4016faa87ae 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1826,7 +1826,7 @@ def test_connect(self): s.connect(self.server_addr) self.assertTrue(s.getpeercert()) self.assertFalse(s.server_side) - except ConnectionResetError as e: + except (ConnectionResetError, ConnectionAbortedError) as e: # sometimes windows throws ConnectionResetError during the handshake sys.stdout.write(repr(e)) 
diff --git a/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst b/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst new file mode 100644 index 00000000000000..03249c6a168a0a --- /dev/null +++ b/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst @@ -0,0 +1 @@ +Update to OpenSSL 1.1.1b for Windows. diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index ab05265f7c37a3..a8a69c6cded602 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat @@ -49,7 +49,7 @@ echo.Fetching external libraries... set libraries= set libraries=%libraries% bzip2-1.0.6 -if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1a +if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1b set libraries=%libraries% sqlite-3.21.0.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0 @@ -72,7 +72,7 @@ for %%e in (%libraries%) do ( echo.Fetching external binaries... set binaries= -if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1a +if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1b if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06 diff --git a/PCbuild/python.props b/PCbuild/python.props index e3130e95360c0b..67180f365f396d 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -54,8 +54,8 @@ $(ExternalsDir)sqlite-3.21.0.0\ $(ExternalsDir)bzip2-1.0.6\ $(ExternalsDir)xz-5.2.2\ - $(ExternalsDir)openssl-1.1.1a\ - $(ExternalsDir)openssl-bin-1.1.1a\$(ArchName)\ + $(ExternalsDir)openssl-1.1.1b\ + $(ExternalsDir)openssl-bin-1.1.1b\$(ArchName)\ $(opensslOutDir)include $(ExternalsDir)\nasm-2.11.06\ $(ExternalsDir)\zlib-1.2.11\ diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index bb60f38de03d98..cf4aa4c917544d 100644 --- a/PCbuild/readme.txt 
+++ b/PCbuild/readme.txt @@ -165,7 +165,7 @@ _lzma Homepage: http://tukaani.org/xz/ _ssl - Python wrapper for version 1.1.1a of the OpenSSL secure sockets + Python wrapper for version 1.1.1b of the OpenSSL secure sockets library, which is downloaded from our binaries repository at https://github.com/python/cpython-bin-deps. From bade87e74a8fdfa59b478657d34ed6bed0fd6b04 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Mon, 11 Mar 2019 10:10:06 -0700 Subject: [PATCH 13/18] removed outdated blurb --- .../next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst | 1 - 1 file changed, 1 deletion(-) delete mode 100644 Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst diff --git a/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst b/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst deleted file mode 100644 index 3b4390c4f96119..00000000000000 --- a/Misc/NEWS.d/next/Security/2019-02-08-13-58-03.bpo-35926.uIEgyE.rst +++ /dev/null @@ -1 +0,0 @@ -Update to OpenSSL 1.1.1a for Windows. From 016a4857b51401afba3b9a8ba5684a619794dfd8 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Tue, 26 Mar 2019 10:06:29 -0700 Subject: [PATCH 14/18] update tests to work with openssl fixes investigated test_pha_required_nocert failure --- Lib/test/test_ssl.py | 65 ++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 36 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 59d4016faa87ae..1b10742ba7b455 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
@@ -1822,13 +1822,9 @@ def test_connect(self): with test_wrap_socket(socket.socket(socket.AF_INET), cert_reqs=ssl.CERT_REQUIRED, ca_certs=SIGNING_CA) as s: - try: - s.connect(self.server_addr) - self.assertTrue(s.getpeercert()) - self.assertFalse(s.server_side) - except (ConnectionResetError, ConnectionAbortedError) as e: - # sometimes windows throws ConnectionResetError during the handshake - sys.stdout.write(repr(e)) + s.connect(self.server_addr) + self.assertTrue(s.getpeercert()) + self.assertFalse(s.server_side) def test_connect_fail(self): # This should fail because we have no verification certs. Connection @@ -1885,18 +1881,13 @@ def test_connect_with_context(self): with ctx.wrap_socket(socket.socket(socket.AF_INET), server_hostname="dummy") as s: s.connect(self.server_addr) - self.assertEqual({}, s.getpeercert()) ctx.verify_mode = ssl.CERT_REQUIRED # This should succeed because we specify the root cert ctx.load_verify_locations(SIGNING_CA) with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s: - try: - s.connect(self.server_addr) - cert = s.getpeercert() - self.assertTrue(cert) - except (ConnectionResetError, ConnectionRefusedError) as e: - # sometimes windows throws ConnectionResetError during the handshake - sys.stdout.write(repr(e)) + s.connect(self.server_addr) + cert = s.getpeercert() + self.assertTrue(cert) def test_connect_with_context_fail(self): # This should fail because we have no verification certs. Connection 
@@ -1928,13 +1919,9 @@ def test_connect_capath(self): ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_verify_locations(capath=BYTES_CAPATH) with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s: - try: - s.connect(self.server_addr) - cert = s.getpeercert() - self.assertTrue(cert) - except ConnectionResetError as e: - # sometimes windows throws ConnectionResetError during the handshake - sys.stdout.write(repr(e)) + s.connect(self.server_addr) + cert = s.getpeercert() + self.assertTrue(cert) def test_connect_cadata(self): with open(SIGNING_CA) as f: @@ -2248,7 +2235,7 @@ def wrap_conn(self): if support.verbose and self.server.chatty: sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n") cert_binary = self.sslconn.getpeercert(True) - if support.verbose and self.server.chatty and cert_binary != None: + if support.verbose and self.server.chatty: sys.stdout.write(" cert binary is " + str(len(cert_binary)) + " bytes\n") cipher = self.sslconn.cipher() if support.verbose and self.server.chatty: @@ -2347,8 +2334,9 @@ def run(self): sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n" % (msg, ctype, msg.lower(), ctype)) self.write(msg.lower()) - except ConnectionResetError: - # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError + except (ConnectionResetError, ConnectionAbortedError): + # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError + # or ConnectionAbortedError (on Windows) # when connection is not shut down gracefully. if self.server.chatty and support.verbose: sys.stdout.write( 
@@ -2357,22 +2345,27 @@ def run(self): ) self.close() self.running = False - except OSError as err: - if 'peer did not return a certificate' in err.args[1]: - # test_pha_required_nocert causes this error which results in a false(?) failure + except ssl.SSLError as err: + # On Windows sometimes test_pha_required_nocert receives the + # PEER_DID_NOT_RETURN_A_CERTIFICATE exception + # before the 'tlsv13 alert certificate required' exception. + # If the server is stopped when PEER_DID_NOT_RETURN_A_CERTIFICATE + # is received test_pha_required_nocert fails with ConnectionResetError + # because the underlying socket is closed + if 'PEER_DID_NOT_RETURN_A_CERTIFICATE' == err.reason: if self.server.chatty and support.verbose: sys.stdout.write(err.args[1]) # test_pha_required_nocert is expecting this exception raise ssl.SSLError('tlsv13 alert certificate required') - else: - if self.server.chatty: - handle_error("Test server failure:\n") - self.close() - self.running = False + except OSError: + if self.server.chatty: + handle_error("Test server failure:\n") + self.close() + self.running = False - # normally, we'd just stop here, but for the test - # harness, we want to stop the server - self.server.stop() + # normally, we'd just stop here, but for the test + # harness, we want to stop the server + self.server.stop() def __init__(self, certificate=None, ssl_version=None, certreqs=None, cacerts=None, From 8e447a7fbe4a72132a34842112b6aca22a083fee Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Thu, 28 Mar 2019 11:46:34 -0700 Subject: [PATCH 15/18] fix trailing whitespace --- Lib/test/test_ssl.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 1b10742ba7b455..94055fc29ca3b8 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
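Review bot: The new `except ssl.SSLError as err` clause in run() intercepts every SSL error, since SSLError derives from OSError, but acts only when `err.reason` is PEER_DID_NOT_RETURN_A_CERTIFICATE; any other SSLError now falls through with no `handle_error`, no `self.close()`, `self.running` left True and no `self.server.stop()`, whereas before this hunk it reached the `except OSError` branch. Python does not fall through to the next except clause, so the special case belongs inside the OSError handler as below. The synthetic `raise ssl.SSLError('tlsv13 alert certificate required')` runs on the server thread and presumably only terminates the handler rather than reaching the client assertion; the restructuring keeps it unchanged so that the one defect is addressed on its own. run() starts and ends outside the hunk.
```python
                except OSError as err:
                    # On Windows test_pha_required_nocert may see
                    # PEER_DID_NOT_RETURN_A_CERTIFICATE before the client's
                    # 'tlsv13 alert certificate required'; stopping the server
                    # here makes the client fail with ConnectionResetError.
                    if (isinstance(err, ssl.SSLError)
                            and err.reason == 'PEER_DID_NOT_RETURN_A_CERTIFICATE'):
                        if self.server.chatty and support.verbose:
                            sys.stdout.write(err.args[1])
                        # test_pha_required_nocert is expecting this exception
                        raise ssl.SSLError('tlsv13 alert certificate required')
                    if self.server.chatty:
                        handle_error("Test server failure:\n")
                    self.close()
                    self.running = False
                    # … unchanged: server.stop() comment and call …
```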
@@ -2335,7 +2335,7 @@ def run(self): % (msg, ctype, msg.lower(), ctype)) self.write(msg.lower()) except (ConnectionResetError, ConnectionAbortedError): - # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError + # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError # or ConnectionAbortedError (on Windows) # when connection is not shut down gracefully. if self.server.chatty and support.verbose: @@ -2346,11 +2346,11 @@ def run(self): self.close() self.running = False except ssl.SSLError as err: - # On Windows sometimes test_pha_required_nocert receives the - # PEER_DID_NOT_RETURN_A_CERTIFICATE exception + # On Windows sometimes test_pha_required_nocert receives the + # PEER_DID_NOT_RETURN_A_CERTIFICATE exception # before the 'tlsv13 alert certificate required' exception. # If the server is stopped when PEER_DID_NOT_RETURN_A_CERTIFICATE - # is received test_pha_required_nocert fails with ConnectionResetError + # is received test_pha_required_nocert fails with ConnectionResetError # because the underlying socket is closed if 'PEER_DID_NOT_RETURN_A_CERTIFICATE' == err.reason: if self.server.chatty and support.verbose: From 12c5be243050d6ee06950cd2b5363a88eb3d773d Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Mon, 29 Apr 2019 19:06:30 -0700 Subject: [PATCH 16/18] remove one more exception handler --- Lib/test/test_ssl.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 8d39d1ae845ddf..875c7895ac5375 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
@@ -2329,9 +2329,8 @@ def run(self): sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n" % (msg, ctype, msg.lower(), ctype)) self.write(msg.lower()) - except (ConnectionResetError, ConnectionAbortedError): + except (ConnectionResetError): # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError - # or ConnectionAbortedError (on Windows) # when connection is not shut down gracefully. if self.server.chatty and support.verbose: sys.stdout.write( From a117d82d4f163ac089b9737a9745a7071e1095aa Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Tue, 30 Apr 2019 17:12:00 -0700 Subject: [PATCH 17/18] ConnectionAbortedError is still happening --- Lib/test/test_ssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 875c7895ac5375..56f4b70d3a6646 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -2329,7 +2329,7 @@ def run(self): sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n" % (msg, ctype, msg.lower(), ctype)) self.write(msg.lower()) - except (ConnectionResetError): + except (ConnectionResetError, ConnectionAbortedError): # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError # when connection is not shut down gracefully. if self.server.chatty and support.verbose: From f892ad7809351b70e3a214bc4bd695ad92fcb937 Mon Sep 17 00:00:00 2001 From: Paul Monson Date: Wed, 15 May 2019 15:16:24 -0700 Subject: [PATCH 18/18] Update .travis.yml Co-Authored-By: Steve Dower --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 99d186ef18eeff..6d57ebb1d2fb96 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,7 +11,7 @@ cache: env: global: - - OPENSSL=1.1.1b + - OPENSSL=1.1.0i - OPENSSL_DIR="$HOME/multissl/openssl/${OPENSSL}" - PATH="${OPENSSL_DIR}/bin:$PATH" # Use -O3 because we don't use debugger on Travis-CI
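Review bot: The except tuple in run() again names ConnectionAbortedError, but the comment directly beneath it (trimmed by PATCH 16 at this same anchor) now mentions only ConnectionResetError, so the Windows case the commit title describes is undocumented at the point it is handled. Restore the second line so the comment matches the tuple: `# XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError` / `# or ConnectionAbortedError (on Windows)` / `# when connection is not shut down gracefully.`. run() starts and ends outside the hunk.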