@SSS
If I compare your _ssl.c with our _ssl.c (from PLi-4) after all the patches have been applied then I get the following:
--- a/Modules/_ssl.c 2017-05-24 12:37:25.765734114 +0200
+++ b/Modules/_ssl.c 2017-05-24 14:11:43.670726565 +0200
@@ -265,7 +265,7 @@
enum py_ssl_server_or_client socket_type,
enum py_ssl_cert_requirements certreq,
enum py_ssl_version proto_version,
- char *cacerts_file, char *ciphers)
+ char *cacerts_file, char *server_hostname, char *ciphers)
{
PySSLObject *self;
char *errstr = NULL;
@@ -372,7 +372,7 @@
/* ssl compatibility */
SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv3);
verification_mode = SSL_VERIFY_NONE;
if (certreq == PY_SSL_CERT_OPTIONAL)
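Review bot: SSL_OP_NO_SSLv3 is added to the SSL_CTX_set_options call unconditionally, so a caller that selects the SSLv3 protocol value (if the enum in this file still offers PY_SSL_VERSION_SSL3) gets a context that can never negotiate and a handshake failure with no hint of why. If the intent is to refuse SSLv3 everywhere, say so at the call site, e.g. `/* SSLv3 is refused regardless of proto_version; asking for it fails at handshake time, not here. */`, and consider rejecting that proto_version value up front with a clear Python-level error so callers are not left debugging a protocol mismatch. The enclosing function continues outside the hunk.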
@@ -385,6 +385,14 @@
PySSL_BEGIN_ALLOW_THREADS
self->ssl = SSL_new(self->ctx); /* New ssl struct */
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ /* If SNI isn't supported, we just don't call it and fail silently,
+ * as there's not much else we can do.
+ */
+ if ((socket_type == PY_SSL_CLIENT) &&
+ (proto_version != PY_SSL_VERSION_SSL2) && server_hostname)
+ SSL_set_tlsext_host_name(self->ssl, server_hostname);
+#endif
PySSL_END_ALLOW_THREADS
SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
#ifdef SSL_MODE_AUTO_RETRY
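Review bot: The return value of SSL_set_tlsext_host_name is dropped, and the comment above it only explains the compile-time `#if` fallback, not a runtime failure; OpenSSL rejects a name it cannot encode (for example one longer than the TLS extension allows), and the handshake then proceeds without SNI while the caller believes it was sent. If silent degradation is the intended contract, the comment should say so: `/* Return value deliberately ignored: if OpenSSL rejects the name, the handshake simply runs without SNI. */`; otherwise capture the result and raise after PySSL_END_ALLOW_THREADS, since no Python API may be used inside that region. The condition checks only socket_type, proto_version and non-NULL, so an IP-address literal is sent as SNI too, which RFC 6066 says should not happen; that is worth a line in the same comment. newPySSLObject's body extends beyond this hunk.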
@@ -427,15 +435,16 @@
char *key_file = NULL;
char *cert_file = NULL;
char *cacerts_file = NULL;
+ char *server_hostname = NULL;
char *ciphers = NULL;
- if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
+ if (!PyArg_ParseTuple(args, "O!i|zziizzz:sslwrap",
PySocketModule.Sock_Type,
&Sock,
&server_side,
&key_file, &cert_file,
&verification_mode, &protocol,
- &cacerts_file, &ciphers))
+ &cacerts_file, &server_hostname, &ciphers))
return NULL;
/*
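Review bot: Inserting `&server_hostname` before `&ciphers` in the PyArg_ParseTuple argument list changes what an existing eight-argument positional call means: a ciphers string passed by an older caller is now parsed as server_hostname and sent on the wire as the SNI name, while ciphers stays NULL, all without an error. Appending the new argument instead — `&cacerts_file, &ciphers, &server_hostname))` — keeps old callers working; the newPySSLObject call in the next hunk passes the C locals and needs no change, and the doc string there already lists `cacertsfile, ciphers, server_hostname`, which currently contradicts the order this format string actually accepts. Whichever order is kept, the format string and the doc string must agree. sslwrap's body continues outside the hunk.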
@@ -448,13 +457,13 @@
return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
server_side, verification_mode,
- protocol, cacerts_file,
+ protocol, cacerts_file, server_hostname,
ciphers);
}
PyDoc_STRVAR(ssl_doc,
"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
-" cacertsfile, ciphers]) -> sslobject");
+" cacertsfile, ciphers, server_hostname]) -> sslobject");
/* SSL object methods */
Did you alter this yourself?
/* ssl compatibility */
SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv3);
The reason I'm asking is that I already have patches that explicitly disable SSLv3.
Edited by MastaG, 24 May 2017 - 16:06.