granicus.if.org Git - python/commit

bpo-30622: Change NPN detection: (#2079)

* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

#if defined(OPENSSL_NO_NEXTPROTONEG) && \
!defined(OPENSSL_NPN_NEGOTIATED)
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
#endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7

author	Melvyn Sopacua <melvyn-sopacua@users.noreply.github.com>
	Mon, 4 Sep 2017 21:35:15 +0000 (23:35 +0200)
committer	Christian Heimes <christian@python.org>
	Mon, 4 Sep 2017 21:35:15 +0000 (23:35 +0200)
commit	b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8
tree	fd4406a8c07c523d5d5b13a8a5563c697b48f001	tree \| snapshot
parent	973b901212bd84d279904bab6654709f4ec32470	commit \| diff

Modules/_ssl.c		diff \| blob \| history
Modules/clinic/_ssl.c.h		diff \| blob \| history