classification
Title: Python fails to compile/load _ssl module if OpenSSL is compiled with no-tls1-method
Type: compile error Stage: resolved
Components: SSL Versions: Python 3.9, Python 3.8, Python 3.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Mitch Lindgren, christian.heimes, miss-islington, mjacob
Priority: normal Keywords: patch

Created on 2020-04-30 22:41 by Mitch Lindgren, last changed 2020-06-01 01:29 by mjacob. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 19862 merged christian.heimes, 2020-05-02 15:24
PR 20126 merged miss-islington, 2020-05-16 01:33
PR 20127 merged miss-islington, 2020-05-16 08:18
Messages (9)
msg367793 - (view) Author: Mitch Lindgren (Mitch Lindgren) Date: 2020-04-30 22:41
I'm working on a project which uses OpenSSL 1.1.1g. For security and compliance reasons, it is built with SSL and TLS < 1.2 methods compiled out, using the following OpenSSL build options:

no-ssl no-ssl3 no-tls1 no-tls1_1 no-ssl3-method no-tls1-method no-tls1_1-method

When compiling Python v3.8.2 with CFLAGS="-DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1" and --with-openssl=/path/to/custom/openssl, _ssl.c fails to compile with the following error:

gcc -pthread -fPIC -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_TLS1 -DOPENSSL_NO_TLS1_1 -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration -I./Include/internal -I/home/mitch/openssl/include -I./Include -I. -I/usr/include/x86_64-linux-gnu -I/usr/local/include -I/home/mitch/cpython/Include -I/home/mitch/cpython -c /home/mitch/cpython/Modules/_ssl.c -o build/temp.linux-x86_64-3.8/home/mitch/cpython/Modules/_ssl.o
/home/mitch/cpython/Modules/_ssl.c: In function ‘_ssl__SSLContext_impl’:
/home/mitch/cpython/Modules/_ssl.c:3088:27: error: implicit declaration of function ‘TLSv1_method’; did you mean ‘DTLSv1_method’? [-Werror=implicit-function-declaration]
         ctx = SSL_CTX_new(TLSv1_method());
                           ^~~~~~~~~~~~
                           DTLSv1_method
/home/mitch/cpython/Modules/_ssl.c:3088:27: warning: passing argument 1 of ‘SSL_CTX_new’ makes pointer from integer without a cast [-Wint-conversion]
In file included from /home/mitch/cpython/Modules/_ssl.c:62:0:
/home/mitch/openssl/include/openssl/ssl.h:1503:17: note: expected ‘const SSL_METHOD * {aka const struct ssl_method_st *}’ but argument is of type ‘int’
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
                 ^~~~~~~~~~~
/home/mitch/cpython/Modules/_ssl.c:3091:27: error: implicit declaration of function ‘TLSv1_1_method’; did you mean ‘TLSv1_2_method’? [-Werror=implicit-function-declaration]
         ctx = SSL_CTX_new(TLSv1_1_method());
                           ^~~~~~~~~~~~~~
                           TLSv1_2_method
/home/mitch/cpython/Modules/_ssl.c:3091:27: warning: passing argument 1 of ‘SSL_CTX_new’ makes pointer from integer without a cast [-Wint-conversion]
In file included from /home/mitch/cpython/Modules/_ssl.c:62:0:
/home/mitch/openssl/include/openssl/ssl.h:1503:17: note: expected ‘const SSL_METHOD * {aka const struct ssl_method_st *}’ but argument is of type ‘int’
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
                 ^~~~~~~~~~~
cc1: some warnings being treated as errors

This also affects older versions. With v3.5.6, the _ssl module compiles successfully (it may be getting the declaration of TLSv1_method from the system default OpenSSL header since the --with-openssl option doesn't exist in this version), but importing the module at runtime fails:

root@10:/tmp/acmstest# python3
Python 3.5.6 (default, Mar 23 2020, 05:11:33)
[GCC 8.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.5/ssl.py", line 99, in <module>
    import _ssl             # if we can't import it, let the error propagate
ImportError: /usr/lib/python3.5/lib-dynload/_ssl.cpython-35m-aarch64-linux-gnu.so: undefined symbol: TLSv1_method
msg367797 - (view) Author: Mitch Lindgren (Mitch Lindgren) Date: 2020-04-30 22:44
I'd be happy to work on a patch for this. I think the simplest approach would be to change this block starting on line 3087:

    if (proto_version == PY_SSL_VERSION_TLS1)
        ctx = SSL_CTX_new(TLSv1_method());
#if HAVE_TLSv1_2
    else if (proto_version == PY_SSL_VERSION_TLS1_1)
        ctx = SSL_CTX_new(TLSv1_1_method());
    else if (proto_version == PY_SSL_VERSION_TLS1_2)
        ctx = SSL_CTX_new(TLSv1_2_method());
#endif
#ifndef OPENSSL_NO_SSL3
    else if (proto_version == PY_SSL_VERSION_SSL3)
        ctx = SSL_CTX_new(SSLv3_method());
#endif
#ifndef OPENSSL_NO_SSL2
    else if (proto_version == PY_SSL_VERSION_SSL2)
        ctx = SSL_CTX_new(SSLv2_method());
#endif
    else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
        ctx = SSL_CTX_new(TLS_method());
    else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
        ctx = SSL_CTX_new(TLS_client_method());
    else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
        ctx = SSL_CTX_new(TLS_server_method());
    else
        proto_version = -1;

into a switch and add additional #if !defined(OPENSSL_NO_XXX) macros to exclude version-specific methods. Please let me know if this sounds okay.
msg367934 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-05-02 15:27
Thanks for the bug report. I've created a PR to check for the correct flags in _ssl__SSLContext_impl(). I'll backport the fix to 3.8 and 3.7. 3.6 and older are in security-only mode.
msg367952 - (view) Author: Mitch Lindgren (Mitch Lindgren) Date: 2020-05-03 03:00
Thanks for the quick turnaround!
msg368997 - (view) Author: miss-islington (miss-islington) Date: 2020-05-16 01:33
New changeset 6e8cda91d92da72800d891b2fc2073ecbc134d98 by Christian Heimes in branch 'master':
bpo-40457: Support OpenSSL without TLS 1.0/1.1 (GH-19862)
https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98
msg369022 - (view) Author: miss-islington (miss-islington) Date: 2020-05-16 08:33
New changeset a669443dfb79fc6aca2544b885895814798db15b by Miss Islington (bot) in branch '3.8':
bpo-40457: Support OpenSSL without TLS 1.0/1.1 (GH-19862)
https://github.com/python/cpython/commit/a669443dfb79fc6aca2544b885895814798db15b
msg369023 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-05-16 08:45
New changeset 43b355e53fd0796990a8810cd3461c197e20a3b9 by Miss Islington (bot) in branch '3.7':
[3.7] bpo-40457: Support OpenSSL without TLS 1.0/1.1 (GH-19862) (GH-20126)
https://github.com/python/cpython/commit/43b355e53fd0796990a8810cd3461c197e20a3b9
msg369024 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-05-16 08:45
Fixes have landed in 3.7 to 3.9.

Thanks for the report! :)
msg370525 - (view) Author: Manuel Jacob (mjacob) * Date: 2020-06-01 01:29
For the record, I’ve added a comment to the pull request about that ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 are now defined unconditionally.

https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316
History
Date User Action Args
2020-06-01 01:29:21mjacobsetnosy: + mjacob
messages: + msg370525
2020-05-16 08:45:54christian.heimessetstatus: open -> closed
resolution: fixed
messages: + msg369024

stage: patch review -> resolved
2020-05-16 08:45:10christian.heimessetmessages: + msg369023
2020-05-16 08:33:50miss-islingtonsetmessages: + msg369022
2020-05-16 08:18:55miss-islingtonsetpull_requests: + pull_request19432
2020-05-16 01:33:26miss-islingtonsetpull_requests: + pull_request19431
2020-05-16 01:33:08miss-islingtonsetnosy: + miss-islington
messages: + msg368997
2020-05-03 03:00:16Mitch Lindgrensetmessages: + msg367952
2020-05-02 15:27:04christian.heimessetmessages: + msg367934
versions: + Python 3.9, - Python 3.5, Python 3.6
2020-05-02 15:24:48christian.heimessetkeywords: + patch
stage: patch review
pull_requests: + pull_request19176
2020-04-30 22:44:49Mitch Lindgrensetmessages: + msg367797
2020-04-30 22:41:34Mitch Lindgrencreate