Message 146380 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	barry
Recipients	barry, eric.araujo, janssen, nadeem.vawda, pitrou, vstinner
Date	2011-10-25.16:23:17
SpamBayes Score	8.443246e-14
Marked as misclassified	No
Message-id	<1319559798.65.0.0369489972126.issue13218@psf.upfronthosting.co.za>
In-reply-to

Content
I'm not sure I particularly like this patch, and I can't test it on anything other than Debian/Ubuntu right now, but it does "fix" the test (defined as: making it pass :). AFAICT, there's no way to tell openssl to revert back to trying SSLv2 client hello when the library has been compiled with no-ssl, but still setting OP_NO_SSLv2 or OP_NO_TLSv1 kind of seems like keeping a couple of tests that can't possibly succeed (because neither v2 nor v3, nor tlsv1 will be tried). The other thing is that testing the flags on the client context doesn't seem to work: Python 3.2.2+ (3.2:03ef6108beae, Oct 25 2011, 10:57:32) [GCC 4.6.1] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import ssl >>> cc = ssl.SSLContext(ssl.PROTOCOL_SSLv23) >>> cc.options & ssl.OP_NO_SSLv2 0 Now, the other way to go is to set OP_NO_SSLv2 on both tests and change the sense of it from False to True, so that we'd always expect the connection to succeed. I'll attach that patch next, and it does seem a bit more sane. Let me know what you think.

I'm not sure I particularly like this patch, and I can't test it on anything other than Debian/Ubuntu right now, but it does "fix" the test (defined as: making it pass :).

AFAICT, there's no way to tell openssl to revert back to trying SSLv2 client hello when the library has been compiled with no-ssl, but still setting OP_NO_SSLv2 or OP_NO_TLSv1 kind of seems like keeping a couple of tests that can't possibly succeed (because neither v2 nor v3, nor tlsv1 will be tried).

The other thing is that testing the flags on the client context doesn't seem to work:


Python 3.2.2+ (3.2:03ef6108beae, Oct 25 2011, 10:57:32) 
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> cc = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> cc.options & ssl.OP_NO_SSLv2
0

Now, the other way to go is to set OP_NO_SSLv2 on both tests and change the sense of it from False to True, so that we'd always expect the connection to succeed.  I'll attach that patch next, and it does seem a bit more sane.  Let me know what you think.

History
Date	User	Action	Args
2011-10-25 16:23:18	barry	set	recipients: + barry, janssen, pitrou, vstinner, nadeem.vawda, eric.araujo
2011-10-25 16:23:18	barry	set	messageid: <1319559798.65.0.0369489972126.issue13218@psf.upfronthosting.co.za>
2011-10-25 16:23:18	barry	link	issue13218 messages
2011-10-25 16:23:17	barry	create