17 changes: 17 additions & 0 deletions Doc/library/ssl.rst
Expand Up @@ -2381,6 +2381,23 @@ successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
:func:`~ssl.RAND_pseudo_bytes` is sufficient.


.. ssl-libressl:

LibreSSL support
----------------

LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for
LibreSSL. Some features are not available when the ssl module is compiled
with LibreSSL.

* LibreSSL >= 2.6.1 no longer supports NPN. The methods
:meth:`SSLContext.set_npn_protocols` and
:meth:`SSLSocket.selected_npn_protocol` are not available.
* :meth:`SSLContext.set_default_verify_paths` ignores the env vars
:envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_PATH` although
:func:`get_default_verify_paths` still reports them.


.. seealso::

Class :class:`socket.socket`
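Review bot: The label line `.. ssl-libressl:` in this hunk is missing the leading underscore, so Sphinx parses it as a comment rather than a hyperlink target and `:ref:`ssl-libressl`` will not resolve; it should read `.. _ssl-libressl:`. Also worth double-checking the second environment variable name in the `set_default_verify_paths` bullet against what `get_default_verify_paths()` actually reports on an OpenSSL build, since the bullet states that function still reports both variables.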
@@ -0,0 +1,2 @@
The ssl module now contains a workaround for missing NPN support in LibreSSL
2.6.1. Upstream has removed NPN without setting OPENSSL_NO_NEXTPROTONEG.
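Review bot: The NEWS entry says "LibreSSL 2.6.1" while the documentation hunk says "LibreSSL >= 2.6.1"; the two should agree, and "LibreSSL 2.6.1 and later" would make clear that the workaround is not limited to a single release.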
12 changes: 12 additions & 0 deletions Modules/_ssl.c
Expand Up @@ -135,6 +135,18 @@ static void _PySSLFixErrno(void) {
# define OPENSSL_VERSION_1_1 1
#endif

/* LibreSSL quirks
*
* LibreSSL 2.6.1 no longer provides NPN support but does not set the
* designated OPENSSL_NO_NEXTPROTONEG feature flag. See upstream issue
* https://github.com/libressl-portable/portable/issues/368
*/
#if defined(LIBRESSL_VERSION_NUMBER) && !defined(TLSEXT_TYPE_next_proto_neg)

This is not really a LibreSSL quirk - due to various history, no one can set OPENSSL_NO_NEXTPROTONEG without breaking multiple open source projects (each in different ways). As such, I would strongly recommend conditioning on the availability of TLSEXT_TYPE_next_proto_neg, rather than trying to map this to OPENSSL_NO_NEXTPROTONEG.

If you wish to retain this approach, the comment above could at least be updated to explain why OPENSSL_NO_NEXTPROTONEG cannot be set via LibreSSL (or OpenSSL for that matter).

# ifndef OPENSSL_NO_NEXTPROTONEG
# define OPENSSL_NO_NEXTPROTONEG 1
# endif
#endif

/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
http://www.openssl.org/news/changelog.html
*/
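Review bot: The `!defined(TLSEXT_TYPE_next_proto_neg)` test at the top of this block only works if the OpenSSL header that defines that macro has already been included at this point in `_ssl.c`; if the block sits before `#include <openssl/ssl.h>` it will define `OPENSSL_NO_NEXTPROTONEG` on every LibreSSL build, including ones that still ship NPN. Please confirm the placement relative to the OpenSSL includes, and have the comment state that the macro is defined here because upstream does not set it, rather than calling it a quirk, so the next reader knows why a feature flag is being synthesised locally.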